- Experts claim that version 1.84.0 of the Amazon Q Developer extension for VSC contained questionable code
- This has now been removed, with version 1.85.0 offering a clean fix
- Approximately 5.6% of VSC extensions were compromised
A hacker has planted data-wiping code in the Amazon Q Developer extension for Visual Studio Code (VSC), a free GenAI extension with nearly a million installations from the Microsoft VSC marketplace, designed to help developers code, debug, document and configure projects.
On July 13, 2025, a malicious commit by "LKMANKA58" on GitHub included a prompt to remove system and cloud resources, with Amazon unknowingly publishing the compromised version (1.84.0) on July 17.
Suspicious activity was noted on July 23 and Amazon developers quickly took action, publishing a clean version without the malicious code on July 24. Users are therefore advised to update to 1.85.0 as a matter of urgency.
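To act on the update advice above, the following added example (not from the original article or from Amazon) classifies the extension list printed by `code --list-extensions --show-versions`. The extension ID `amazonwebservices.amazon-q-vscode`, the function names and the verdict strings are assumptions that do not appear in the article.

```shell
#!/bin/sh
# Added example: flag an installed Amazon Q extension that is the compromised
# 1.84.0 build, or any build older than the fixed 1.85.0.
# EXT_ID is an assumption; the article does not state the marketplace ID.
EXT_ID="amazonwebservices.amazon-q-vscode"
BAD_VERSION="1.84.0"    # compromised release named in the article
FIXED_VERSION="1.85.0"  # clean release named in the article

# version_lt A B: succeed when dotted version A sorts strictly before B.
version_lt() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" |
        sort -t. -k1,1n -k2,2n -k3,3n | head -n1)" = "$1" ]
}

# classify_amazon_q: read "publisher.name@version" lines on stdin and print
# one verdict: compromised, outdated, ok or not-installed.
# Usage: code --list-extensions --show-versions | classify_amazon_q
classify_amazon_q() {
    verdict="not-installed"
    while IFS= read -r line; do
        # Skip lines without a version (list produced without --show-versions).
        case $line in *@*) ;; *) continue ;; esac
        id=$(printf '%s' "${line%@*}" | tr '[:upper:]' '[:lower:]')
        ver=${line##*@}
        [ "$id" = "$EXT_ID" ] || continue
        if [ "$ver" = "$BAD_VERSION" ]; then
            verdict="compromised $ver"
            break   # a compromised copy outranks any other finding
        elif version_lt "$ver" "$FIXED_VERSION"; then
            verdict="outdated $ver"
        else
            verdict="ok $ver"
        fi
    done
    printf '%s\n' "$verdict"
}

# Constructed sample input (not real output from any machine).
printf '%s\n' 'ms-python.python@2025.1.0' \
    'amazonwebservices.amazon-q-vscode@1.84.0' | classify_amazon_q
```
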
Amazon missed malicious code in its Q Developer extension
Despite the apparent threat, Amazon noted that the code was malformed and would not run in user environments, but some researchers challenged this, saying that the code had executed but had not caused any damage.
In any case, version 1.84.0 has been completely deleted from the distribution channels.
However, users have expressed concern that a piece of potentially dangerous code could have been missed by Amazon, taking to online communities like Reddit to criticize Amazon for silently editing the Git history and being slow to disclose the error.
The Amazon incident is not unique, however, with a 2024 academic survey of nearly 53,000 VS Code extensions revealing that approximately 5.6% have suspicious elements such as arbitrary network calls, abuse of privileges or obfuscated code.
In the end, developers are advised not to trust IDE extensions and AI assistants, but many have been disappointed that Amazon let this slip through the net.
Via BleepingComputer