Breachwire.riscent

Breach report

Amazon Q: a wiper prompt shipped inside a signed VS Code extension

AI & LLM BreachesHigh2025-07
The bottom lineAn attacker merged a malicious pull request that planted a destructive system-prompt instruction into the Amazon Q Developer VS Code extension; it shipped to users and only failed to wipe files and AWS resources because of a syntax error.
Category
AI & LLM Breaches
Type
Named incident (Amazon Q Developer / AWS)
Date
2025-07
Severity
High
OWASP
LLM03 Supply Chain; LLM01 Prompt Injection; LLM06 Excessive Agency
CWE / CVE
CWE-77

What happened

Amazon Q Developer is an AI coding agent distributed as a Visual Studio Code extension. ReversingLabs documented an incident in which an attacker was able to commit malicious code into the extension's repository and have it carried into a public release.

According to the account, the attacker abused a GitHub token with excessive permissions in the configuration of a CodeBuild service to get a change merged. The injected content was a system-prompt-style instruction directing the AI agent to wipe the environment — deleting local files and configurations and removing the user's AWS resources. The malicious build was published and reached the extension's large installed base of roughly a million users. The destructive instruction did not execute: the planted code contained a syntax error that prevented it from running, so no customer environments were damaged. AWS revoked and replaced the compromised credentials, removed the malicious code, released a patched version, and tightened its CodeBuild security. Commentators characterized the outcome as fortunate timing rather than a defense that held.

Root cause

  • LLM03 Supply Chain. An over-privileged credential let an attacker inject content into the build pipeline of a trusted, signed extension, which was then distributed to end users.
  • LLM01 Prompt Injection. The payload was a crafted instruction aimed at the agent's system prompt — steering the model toward destructive behavior rather than exploiting a memory-safety bug.
  • LLM06 Excessive Agency. The agent had the standing capability to delete local files and act on the user's AWS resources, so a single injected instruction could, in principle, cause real destruction.

How it would have been caught

Least-privilege scoping and secret scanning on the CI/CD tokens (for example with tools such as TruffleHog or GitHub secret scanning) would have blocked the merge vector. On the model side, a red-team check that inspects the shipped system prompt and agent tool grants for destructive-capability instructions — and an agent sandbox that denies file-deletion and cloud-teardown without confirmation — would have caught the payload before release.

How to prevent it

  • Scope CI/CD and repository tokens to least privilege and rotate them; never leave a build credential able to publish arbitrary code.
  • Review and pin the agent's system prompt and tool permissions as security-relevant artifacts in the release gate.
  • Run the agent's destructive actions (file deletion, cloud resource removal) behind a sandbox and explicit human confirmation.

The Breachwire test (red → green)

In a sandbox, load an extension build whose system prompt carries a wipe instruction and confirm the agent attempts destruction (the RED control proving the supply-chain payload is live). Apply token least-privilege plus an action sandbox, then confirm the same payload cannot delete anything, while the agent still performs legitimate coding actions (the positive control against a lock-everything false green).