Amazon Q Coding Agent Compromised with Wiper Commands

Key Takeaways

• A pull request from an unprivileged GitHub account successfully introduced destructive commands into the Amazon Q extension. (Tom's Hardware)
• The malicious prompt instructed the AI assistant to wipe local file systems and AWS resources (EC2, S3, IAM), effectively granting the AI agent destructive powers. (Cyber Security News)
• Version 1.84.0 of the extension shipped publicly, exposing nearly one million users. (TechSpot)
• The flaw underscores a broader risk in AI-powered development tools: once you grant agents file-system or cloud credentials, a single bad prompt or malicious update can compromise both local and cloud environments.

Summary

When Developer Tools Turn Against You: The Amazon Q Supply-Chain Breach

In July 2025, a malicious actor exploited Amazon’s open-source development workflow by submitting a pull request to the Q VS Code extension repository. The change added a system prompt telling the AI assistant to "clean a system to a near-factory state" by deleting local files and terminating cloud resources. That update was accepted and released as version 1.84.0.

Although Amazon quickly removed the compromised version (replacing it with v1.85.0) after the issue was flagged, the incident demonstrates how AI-powered coding assistants—widely used by developers—can be weaponized. With file-system and cloud permissions, a tainted release can lead to widespread destruction, data loss, and cloud resource compromise before discovery.

This breach vividly illustrates the critical need for supply-chain security, stricter code review, and runtime guardrails when integrating AI agents into development workflows.

What Happened

• A pull request from a user under alias lkmanka58 was accepted without sufficient vetting, granting administrative permissions on the repo. (CSO Online)
• On July 13, the actor injected a system prompt into the extension: an instruction for the AI agent to delete local files and AWS resources. (Tom's Hardware)
• On July 17, Amazon released version 1.84.0 containing the malicious code to the public, exposing developers globally. (Cyber Security News)
• Upon discovery, Amazon revoked the compromised repo credentials, removed version 1.84.0, and issued a clean 1.85.0 update. (CSO Online)

Why It Matters

• Supply-Chain Trust Eroded: Even highly visible, mainstream AI tools can be compromised via weak vetting or governance failures.
• AI-Assisted Development = High Privilege Risk: When AI coding agents have both code execution and cloud credentials, a single malicious update becomes a major attack vector.
• Scale + Reach: With a widely distributed extension, a compromised version can propagate rapidly across enterprises and individual developers.
• Governance Blind Spot: Traditional AppSec, DevSecOps, or cloud-security pipelines may not inspect AI agents or extension-level permissions — leaving major blind spots.

This incident serves as a stark reminder: AI tools used in development workflows must be treated with the same scrutiny as production infrastructure — and more.

The PointGuard AI Perspective

The Amazon Q incident underscores why we believe AI infrastructure deserves full-stack protection: from code and cloud to models and agentic tooling.

PointGuard AI helps mitigate these risks by offering:

• Supply-chain awareness and asset discovery, revealing all AI tooling—including IDE extensions and agent frameworks.
• Configuration and access hardening, preventing unauthorized code merges and ensuring least-privilege deployment.
• Runtime monitoring and behavior detection, catching suspicious commands or destructive prompts before they execute.
• Governance enforcement aligned with industry best-practices and compliance frameworks, even for developer tooling.

In short — whether AI powers your production systems or helps build them, AI-aware security must protect every layer.

Incident Scorecard Details

Total AISSI Score: 7.3 / 10

Criticality = 8, Malicious wiper instructions could delete local files and cloud resourcesacross developer machines and AWS environments.

Propagation = 7, The compromised Amazon Q extension was briefly distributed to nearly onemillion developers before removal.

Exploitability = 8, The attacker successfully injected destructive instructions through a simplepull request with minimal privilege requirements.

Supply Chain = 8, Attack originated in the AI-development toolchain, demonstrating high-riskexposure in widely trusted build and IDE ecosystems.

Business Impact = 6, Potential for large-scale data loss, cloud resource destruction, anddeveloper-environment compromise, though no mass damage was confirmed.

‍Sources

• 404 Media — Hacker Plants Computer “Wiping” Commands in Amazon’s AI Coding Agent (404 Media)
• CybersecurityNews.com — Hackers Injected Destructive System Commands into Amazon’s AI Coding Agent (Cyber Security News)
• Tom’s Hardware — Hacker Injects Malicious, Potentially Disk-Wiping Prompt into Amazon’s AI Coding Assistant (Tom's Hardware)
• CSO Online — Hacker Inserts Destructive Code in Amazon Q Tool as Update Goes Live (CSO Online)