Full Report
A hacker planted data wiping code in a version of Amazon's generative AI-powered assistant, the Q Developer Extension for Visual Studio Code. [...]
Analysis Summary
# Incident Report: AWS Code Assistant Compromise via VS Code Extension
## Executive Summary
The Amazon Q Developer Extension for Visual Studio Code (VS Code) was compromised: unapproved code was injected that targeted command execution on the client's Q Developer Command Line Interface (CLI). AWS detected the malicious commit through security researcher reports and forensic analysis, then immediately revoked credentials and released a patched version. While AWS claimed the malicious code was incorrectly formatted and non-functional, user reports suggested limited execution, underscoring a significant supply chain security failure.
## Incident Details
- **Discovery Date:** Undisclosed (detected shortly before AWS security bulletin release)
- **Incident Date:** Undisclosed (date of malicious code commit)
- **Affected Organization:** Amazon Web Services (AWS) / Amazon Q Developer
- **Sector:** Technology / Cloud Services / Software Development Tools
- **Geography:** Global (due to marketplace distribution)
## Timeline of Events
### Initial Access
- **Date/Time:** Undisclosed
- **Vector:** Compromise of the open-source VS Code extension codebase/repository.
- **Details:** An attacker successfully injected malicious code into the extension's source files.
### Lateral Movement
- **Details:** The malicious code targeted "Q Developer CLI command execution," suggesting an intent to run commands in the developer's local machine environment where the tool was active. (No traditional internal network lateral movement is explicitly mentioned; the compromise target was the software supply chain.)
### Data Exfiltration/Impact
- **Details:** The injected code was designed to execute data wiping commands via the CLI. AWS stated the code was incorrectly formatted and would not run, but user reports contested this, noting actual (though apparently benign in effect) execution. The primary impact was the compromise of software supply chain integrity for a major AWS tool.
### Detection & Response
- **How it was discovered:** Security researchers identified and reported that "something was wrong with the extension."
- **Response actions taken:** AWS immediately investigated, revoked and replaced compromised credentials, removed the unapproved code from the repository, and released a patched version (Q 1.85.0) to the marketplace.
## Attack Methodology
- **Initial Access:** Repository/Codebase Injection (Supply Chain Attack).
- **Persistence:** (Not applicable in the traditional sense, as the mechanism was distribution via a marketplace update).
- **Privilege Escalation:** (Not explicitly detailed, but successful execution of CLI commands would imply utilizing the permissions granted to the Q Developer CLI).
- **Defense Evasion:** The malicious code was inserted into an official release channel (VS Code Marketplace) distributed to customers.
- **Credential Access:** AWS explicitly mentioned revoking and replacing credentials related to the compromised development environment/repository.
- **Discovery:** Local reconnaissance by the malicious script against the developer's environment.
- **Lateral Movement:** Attempted movement through command execution in the Q Developer CLI.
- **Collection:** Data wiping commands were intended, suggesting a destructive action rather than traditional data collection.
- **Exfiltration:** Not applicable; the goal appeared to be destruction/wiping.
- **Impact:** Potential data destruction/wiping via forced execution of malicious CLI commands.
## Impact Assessment
- **Financial:** Not disclosed (Potential cost of incident response and loss of trust).
- **Data Breach:** Potential for data wiping commands to execute, though AWS reported limited actual harm. No explicit data exfiltration confirmed.
- **Operational:** Disruption caused by version rollback (Users on 1.84.0 needed to update); mandatory investigation and patching cycles were initiated.
- **Reputational:** Damage to customer trust in AWS's software supply chain security for AI-developer tools.
## Indicators of Compromise
- **Network indicators:** N/A (Focus was on code injection).
- **File indicators:** The malicious code present in version 1.84.0 (since deleted).
- **Behavioral indicators:** Execution of unrecognized Q Developer CLI commands; reports of data wiping commands executing on user machines.
## Response Actions
- **Containment measures:** Immediate revocation and replacement of compromised credentials associated with the codebase.
- **Eradication steps:** Removal of the unapproved malicious code from the codebase/repository.
- **Recovery actions:** Release of the updated, clean version (Amazon Q Developer Extension version 1.85.0). All users of the compromised version (1.84.0) were urged to update.
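
One way to check a workstation against the versions named above, as an added example that is not part of the original report or any AWS tooling: a shell function that reads `code --list-extensions --show-versions` output and flags the affected 1.84.0 build. The Marketplace ID `amazonwebservices.amazon-q-vscode` and the sample inventory are assumptions not taken from the report.

```shell
# Added example (not AWS tooling). Versions come from this report.
# ASSUMPTION: the Marketplace ID below is not stated in the report.
Q_EXT_ID="amazonwebservices.amazon-q-vscode"
AFFECTED="1.84.0"   # release that carried the injected code
FIXED="1.85.0"      # patched release

# version_lt A B: succeeds when dotted version A sorts strictly before B.
version_lt() {
    [ "$1" = "$2" ] && return 1
    first=$(printf '%s\n%s\n' "$1" "$2" |
        sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$first" = "$1" ]
}

# Reads "publisher.name@version" lines on stdin, the format printed by
# `code --list-extensions --show-versions`, and prints a verdict for each
# Amazon Q entry. Returns 1 only when the affected release is installed.
classify_q_extension() {
    rc=0
    while IFS='@' read -r ext_id ext_ver; do
        # Extension IDs are case-insensitive; normalise before comparing.
        ext_id=$(printf '%s' "$ext_id" | tr '[:upper:]' '[:lower:]')
        [ "$ext_id" = "$Q_EXT_ID" ] || continue
        if [ "$ext_ver" = "$AFFECTED" ]; then
            echo "AFFECTED $ext_id@$ext_ver: update to $FIXED or later"
            rc=1
        elif version_lt "$ext_ver" "$FIXED"; then
            echo "OUTDATED $ext_id@$ext_ver: below fixed release $FIXED"
        else
            echo "OK $ext_id@$ext_ver"
        fi
    done
    return "$rc"
}

# Constructed sample inventory (not real host data).
sample_inventory() {
    printf '%s\n' \
        "example.some-extension@0.1.0" \
        "amazonwebservices.amazon-q-vscode@1.84.0"
}

# Demo on the constructed sample; on a real host run instead:
#   code --list-extensions --show-versions | classify_q_extension
sample_inventory | classify_q_extension || true
```

The non-zero exit status on an affected install lets the function gate a fleet inventory job or a login script.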
## Lessons Learned
- **Key takeaways:** Software supply chain security for AI/developer tools is highly vulnerable, even when controlled by major providers. Third-party security researchers play a crucial role in early detection.
- **What could have been done better:** Stronger pre-release validation or stricter code signing/gatekeeping for official marketplace extensions, especially concerning the command-line interface integration.
## Recommendations
- Implement more rigorous code review and mandatory integrity checks specifically targeting malicious command execution payloads before pushing updates to public marketplaces.
- Developers should immediately update AI/coding assistant extensions when security advisories are released, even if the vendor claims the payload was inert.
- Review and strengthen IAM policies and credentials for developer environments housing mission-critical or sensitive code repositories, minimizing the impact radius of credential compromise.