- Experts claim Amazon Q Developer Extension for VSC v1.84.0 had some dodgy code
- This has now been removed, with version 1.85.0 providing a clean fix
- Around 5.6% of VSC extensions have been compromised
A hacker has planted data-wiping code into the Amazon Q Developer Extension for Visual Studio Code (VSC) – a free GenAI extension with almost a million installs from the Microsoft VSC marketplace, designed to help developers code, debug, document and configure tasks.
On July 13 2025, the malicious commit from ‘lkmanka58’ on GitHub included a prompt to delete system and cloud resources, with Amazon unknowingly publishing the compromised version (1.84.0) on July 17.
With suspicious activity noted on July 23 and Amazon developers quickly springing into action, a clean version was released on July 24 without the malicious code, so users are being advised to update to 1.85.0 as a matter of urgency.
Amazon missed some malicious code in its Q Developer Extension
Despite the apparent threat, Amazon noted the code was malformed and would not execute in user environments, but some researchers have disputed this, saying that the code had executed, but hadn’t caused any harm.
Regardless, version 1.84.0 has been removed altogether from distribution channels.
However, users have expressed concerns that such a potentially dangerous snippet of code could have been missed by Amazon, taking to online communities like Reddit to criticize Amazon for silently editing the git history and being slow to disclose the error.
Amazon’s incident is not unique, though, with a 2024 academic survey of almost 53,000 VS Code extensions revealing around 5.6% have suspicious components like arbitrary network calls, privilege abuse or obfuscated code.
Ultimately, developers are being advised not to unconditionally trust IDE extensions and AI assistants, however many have been left disappointed that Amazon let this one slip through the net.
Via BleepingComputer