Key Takeaways:
- A malicious prompt embedded in version 1.84 of the Amazon Q Developer extension for Visual Studio Code attempted to trick the AI into wiping user data and cloud assets.
- The injected prompt instructed the assistant to delete files, terminate AWS resources, and remove IAM users, mimicking a system wipe.
- The attack failed due to flawed formatting, which prevented Amazon Q from interpreting and executing the destructive commands.
- AWS revoked the compromised version, released a patched update (1.85), and stated no customer systems were impacted.
- The incident highlights critical risks in AI agent development, including supply chain vulnerabilities, prompt injection threats, and the need for stricter validation controls.
Amazon’s AI assistant for developers, Amazon Q, faced a security scare in July 2025 when a malicious prompt was discovered embedded in its Visual Studio Code (VS Code) extension. The attack, which could have resulted in the deletion of user files and termination of AWS cloud resources, has triggered broader discussions around prompt injection risks, software supply chain vulnerabilities, and the need for more rigorous oversight in AI-integrated development tools.
Amazon Q is part of AWS’s growing portfolio of agentic AI offerings. It provides code suggestions, infrastructure planning, troubleshooting advice, and security insights. Available through the AWS Console, CLI, and IDE integrations like VS Code, Q is meant to act as a trusted assistant for developers managing cloud infrastructure. The incident, however, revealed that such trust must be earned through more than just intelligent output—it must be secured by robust engineering and governance practices.
The Injection: What Happened
On July 13, 2025, an unauthorized contributor submitted a pull request to the open-source GitHub repository for the AWS Toolkit for VS Code. That pull request included a block of text formatted as an AI prompt designed to be interpreted by Amazon Q when running in the IDE environment.
The embedded prompt directed the AI to behave as a system cleaner. It instructed Amazon Q to:
- Remove all files in the user’s home directory.
- Use the AWS CLI to delete S3 buckets, terminate EC2 instances, and remove IAM users.
- Run all commands in non-interactive, trust-all mode—bypassing user confirmations.
Had it been executed, the result could have been catastrophic for developers using the tool: local file loss, deleted infrastructure, and permanent damage to cloud environments. The attacker disguised the payload within comments and configuration files that were unlikely to attract attention in a routine code review.
AWS published version 1.84 of the extension on July 17, unknowingly including the malicious payload. But the exploit didn’t succeed—fortunately—because the prompt syntax was invalid. The assistant failed to parse the commands, and the injection was rendered ineffective.
Damage Control and Remediation
As soon as AWS was alerted to the issue by the open-source security community, the company took several steps:
- The compromised extension was immediately pulled from the marketplace.
- The rogue pull request was rolled back and removed from the GitHub repository.
- Version 1.85 of the extension was published on July 19, scrubbing any trace of the injection.
- AWS performed an internal audit of access credentials and reinforced review procedures for community contributions.
Amazon emphasized in its public statement that no customer data was compromised and no destructive commands were executed by the assistant. The company credited its multi-layered approach to AI safety and prompt handling for preventing serious damage, although critics argue that basic syntax failure—not intentional safeguards—was the only reason disaster was avoided.
The Attacker’s Intentions
Interestingly, the hacker behind the prompt injection later issued a statement claiming the stunt was meant to demonstrate “AI security theater.” They suggested the injection was intentionally malformed to avoid actual harm and instead highlight how easily generative AI systems can be manipulated when integrated into developer tools.
Their argument echoes growing concern in the security community that AI agents—especially those embedded in low-friction environments like code editors—can become targets for indirect manipulation. Prompt injection, in particular, is emerging as a powerful vector because it exploits the model’s own design: its willingness to respond to human-readable instructions, even when embedded in unexpected places.
What Prompt Injection Means for Developers
Prompt injection is a class of vulnerability in which malicious text is embedded into the context window or environment of a large language model (LLM). If the model fails to differentiate between safe system instructions and adversarial ones, it may follow the latter blindly. In complex AI systems that trigger real-world actions—such as deleting resources, provisioning infrastructure, or modifying configuration files—this can be as dangerous as traditional command injection.
Amazon Q is not the first AI tool to face this problem. Earlier in 2025, several agents across finance and security domains were found to follow hidden or adversarial prompts injected via email text, documentation files, and even Jira tickets. As more AI systems gain autonomy and deeper API access, the consequences of such injections grow more serious.
The Broader Implications
This incident is a cautionary tale for any organization building AI agents or assistants. It shows that:
- Open-source supply chains remain a weak point. Even a single compromised pull request can insert dangerous behavior into trusted systems.
- Prompt validation and isolation are not yet mature. Models still struggle to differentiate between command and context.
- Agentic AI must include strong safety rails—command whitelisting, permission boundaries, role-based access, and auditability.
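The safety rails in the last bullet, applied to the exact actions the injected prompt asked for (home-directory wipe, S3/EC2/IAM deletion, trust-all mode), as an added example that is not code from Amazon Q or the AWS Toolkit: a policy gate that checks every command the agent proposes against a binary allowlist, refuses any request to skip confirmations, requires human approval for destructive AWS operations (and only under an operator role), and records every decision for audit. The allowlisted binaries, the flag names and the role names are assumptions made for this example.

```python
import re
import shlex
from dataclasses import dataclass

# Assumed policy for this example: allowlisted binaries; AWS ops that only read state auto-approve.
ALLOWED_BINARIES = {"ls", "cat", "git", "aws"}
READ_ONLY_OP = re.compile(r"^(describe|list|get)-|^ls$")
# Operations matching the injected prompt's goals: delete buckets, terminate instances, remove users.
DESTRUCTIVE_AWS = {("s3", "rb"), ("s3", "rm"), ("ec2", "terminate-instances"), ("iam", "delete-user")}
# Any rm whose first non-flag target is the home directory or the filesystem root.
HOME_WIPE = re.compile(r"^rm\s+(-\S+\s+)*(~|\$HOME|/)(/\S*)?(\s|$)")
# Flag names are assumed; a request to run without confirmations is refused outright.
TRUST_ALL_FLAGS = {"--trust-all", "--non-interactive", "--no-confirm"}
AUDIT_LOG: list[dict] = []  # every decision is recorded for later review

@dataclass(frozen=True)
class Decision:
    verdict: str  # "allow", "confirm" (human must approve) or "deny"
    reason: str

def _log(command: str, role: str, decision: Decision) -> Decision:
    AUDIT_LOG.append({"command": command, "role": role, **vars(decision)})
    return decision

def evaluate(command: str, role: str = "reader") -> Decision:
    """Gate one agent-proposed shell command; 'role' is the permission boundary the agent runs under."""
    try:
        argv = shlex.split(command)
    except ValueError as exc:
        return _log(command, role, Decision("deny", f"unparseable command: {exc}"))
    if not argv:
        return _log(command, role, Decision("deny", "empty command"))
    if TRUST_ALL_FLAGS & set(argv):
        return _log(command, role, Decision("deny", "confirmation bypass requested"))
    if HOME_WIPE.match(command):
        return _log(command, role, Decision("deny", "delete aimed at home directory or filesystem root"))
    if argv[0] not in ALLOWED_BINARIES:
        return _log(command, role, Decision("deny", f"{argv[0]} is not an allowlisted tool"))
    if argv[0] != "aws":
        return _log(command, role, Decision("allow", f"{argv[0]} is allowlisted"))
    service, op = (argv + ["", ""])[1:3]  # pad so a bare "aws" still yields a decision (confirm)
    if (service, op) in DESTRUCTIVE_AWS:
        if role != "operator":
            return _log(command, role, Decision("deny", f"role '{role}' may not request {service} {op}"))
        return _log(command, role, Decision("confirm", f"{service} {op} is destructive; human approval required"))
    if READ_ONLY_OP.search(op):
        return _log(command, role, Decision("allow", f"{service} {op} is read-only"))
    return _log(command, role, Decision("confirm", f"{service} {op} changes state; human approval required"))
```

Note that a "confirm" verdict hands the command to a person rather than running it, so the trust-all behaviour the injected prompt demanded has no code path here at all.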
It also emphasizes the growing need for “AI DevSecOps”: embedding security practices into every stage of LLM and agent development. This includes reviewing training and prompt data, monitoring model behavior under adversarial conditions, and hardening deployment environments against manipulation.
For enterprises, especially those adopting AI in production environments, the message is clear. Trust in AI systems cannot rely on intentions or good engineering alone—it must be built on rigorous controls, testing, and continuous monitoring.
Conclusion
While the Amazon Q prompt injection attack failed to cause harm, it offers a vivid preview of the risks facing AI software development tools in an increasingly agentic world. Developers must not assume safety by default. Instead, they must assume that anything an AI sees can and will be used—intentionally or otherwise.
Prompt injection is no longer theoretical. It’s an active, credible threat that requires mitigation not only through better code, but through architectural awareness and cultural vigilance. For Amazon, this was a lucky break. For others, it may be a final warning.
Rich Tehrani serves as CEO of TMC and chairman of ITEXPO #TECHSUPERSHOW Feb 10-12, 2026 and is CEO of RT Advisors and is a Registered Representative (investment banker) with and offering securities through Four Points Capital Partners LLC (Four Points) (Member FINRA/SIPC). He handles capital/debt raises as well as M&A. RT Advisors is not owned by Four Points.
Portions of this article may have been developed with the assistance of artificial intelligence, which may have contributed to ideation, content generation, factual review, or editing.