- Experts claim Amazon Q Developer Extension for VSC v1.84.0 had some dodgy code
- This has now been removed, with version 1.85.0 offering a clean fix
- Around 5.6% of VSC extensions have been compromised
A hacker has planted data-wiping code into the Amazon Q Developer Extension for Visual Studio Code (VSC) – a free GenAI extension with nearly one million installs from the Microsoft VSC marketplace designed to help developers code, debug, document and configure projects.
On July 13 2025, the malicious commit from ‘lkmanka58’ on GitHub included a prompt to delete system and cloud resources, with Amazon unknowingly publishing the compromised version (1.84.0) on July 17.
With suspicious activity noted on July 23 and Amazon developers quickly springing into action, a clean version was released on July 24 without the malicious code, so users are being advised to update to 1.85.0 as a matter of urgency.
Amazon missed some malicious code in its Q Developer Extension
Despite the apparent threat, Amazon noted the code was malformed and wouldn’t execute in user environments, but some researchers have disputed this, saying that the code had executed, but hadn’t caused any harm.
Regardless, version 1.84.0 has been removed altogether from distribution channels.
Still, users have expressed concerns that such a potentially dangerous snippet of code could have been missed by Amazon, taking to online communities like Reddit to criticize Amazon for silently editing the git history and being slow to disclose the mistake.
Amazon’s incident isn’t unique, though, with a 2024 academic survey of nearly 53,000 VS Code extensions revealing around 5.6% have suspicious elements like arbitrary network calls, privilege abuse or obfuscated code.
Ultimately, developers are being advised not to unconditionally trust IDE extensions and AI assistants, however many have been left disappointed that Amazon let this one slip through the net.
Via BleepingComputer
