News

Formatting Flaw Foils Attempted Prompt Injection on Amazon Q

• By David Ramel
• 07/25/2025

Did poor hacking save an Amazon AI tool from compromise?

Amazon Web Services (AWS) published a security bulletin confirming an attempted prompt injection attack against the Amazon Q Developer extension for Visual Studio Code. The bulletin, dated July 19, 2025, states that a malicious actor submitted pull requests to two public AWS repositories in an effort to manipulate the behavior of Amazon Q.

The submitted prompt contained language instructing Amazon Q to delete local files and cloud resources, including commands aimed at removing Amazon S3 buckets, terminating EC2 instances, and deleting IAM users. The prompt framed these action as part of a system "cleaning" objective, stating that the assistant's goal was to restore a machine to a near factory state by removing data and configurations both locally and in the cloud.

The code could have potentially triggered the deletion of critical infrastructure and data if it had been executed, resulting in service disruptions, data loss, or unintended resource termination across affected AWS environments.

AWS attributed the failure of the attack's intended execution partly to the malicious prompt's formatting. While reports indicate the compromised code was merged and briefly released as version 1.84.0, the bulletin states its structural flaws prevented the Amazon Q assistant from interpreting it as executable input. As a result, the prompt would not have functioned as intended even had it remained in a live build, and its ineffectiveness meant it was caught before it could cause actual harm.

According to the bulletin, the attacker embedded prompt-style natural language text into pull requests submitted to the aws/aws-toolkit-vscode and aws/aws-sdk-net repositories. The submitted content was designed to be interpreted by the Amazon Q Developer tool if it were incorporated into the product, potentially triggering destructive actions.

The bulletin states: "AWS is aware of and has addressed an issue in the Amazon Q Developer Extension for Visual Studio Code (VSC). Security researchers reported a potential for unapproved code modification. AWS Security subsequently identified a code commit through a deeper forensic analysis in the open-source VSC extension that targeted Q Developer CLI command execution. After which, we immediately revoked and replaced the credentials, removed the unapproved code from the codebase, and subsequently released Amazon Q Developer Extension version 1.85.0 to the marketplace." The company said the code modification wouldn't have worked because it was improperly formatted.

While v1.84 was briefly available for download, AWS reported that no customer systems or resources were affected, emphasizing that due to its improper formatting, the malicious content never successfully executed harmful actions for users.

The incident was first reported publicly by 404 Media in an article that included the submitted prompt, which contained language instructing the assistant to delete files and cloud resources.

The report also quoted an AWS spokesperson who said: "Security is our top priority. We quickly mitigated an attempt to exploit a known issue in two open source repositories to alter code in the Amazon Q Developer extension for VS Code and confirmed that no customer resources were impacted. We have fully mitigated the issue in both repositories. No further customer action is needed for the AWS SDK for .NET or AWS Toolkit for Visual Studio Code repositories. Customers can also run the latest build of Amazon Q Developer extension for VS Code version 1.85 as an added precaution."

The report also indicated the supposed hacker, who communicated with 404 Media, acknowledged the code wouldn't work but said the effort served to point out problematic access to the tool's code and the dangers of advanced AI agents that could be manipulated to do damage with their autonomous capabilities to access system resources.