- Experts say Amazon Q Developer Extension for VSC v1.84.0 had some dodgy code
- This has now been removed, with version 1.85.0 providing a clean fix
- Around 5.6% of VSC extensions have been compromised
A hacker has planted data-wiping code into the Amazon Q Developer Extension for Visual Studio Code (VSC) – a free GenAI extension with nearly a million installs from the Microsoft VSC marketplace designed to help developers code, debug, document and configure tasks.
On July 13 2025, the malicious commit from ‘lkmanka58’ on GitHub included a prompt to delete system and cloud resources, with Amazon unknowingly publishing the compromised version (1.84.0) on July 17.
With suspicious activity noted on July 23 and Amazon developers quickly springing into action, a clean version was released on July 24 without the malicious code, so users are being advised to update to 1.85.0 as a matter of urgency.
Amazon missed some malicious code in its Q Developer Extension
Despite the apparent threat, Amazon noted the code was malformed and would not execute in user environments, but some researchers have disputed this, saying that the code had executed, but hadn’t caused any harm.
Regardless, version 1.84.0 has been removed altogether from distribution channels.
Still, users have expressed concerns that such a potentially dangerous snippet of code could have been missed by Amazon, taking to online communities like Reddit to criticize Amazon for silently editing the git history and being slow to disclose the error.
Amazon’s incident isn't unique, though, with a 2024 academic survey of nearly 53,000 VS Code extensions revealing around 5.6% have suspicious components like arbitrary network calls, privilege abuse or obfuscated code.
Ultimately, developers are being advised not to unconditionally trust IDE extensions and AI assistants, however many have been left upset that Amazon let this one slip through the net.
Via BleepingComputer