Amazon Q Pulled After Malicious Pull Request Instructs AI to Delete User Files and AWS Resources

Amazon was forced to urgently withdraw a compromised version of its AI-powered programming assistant, Q, after a malicious instruction was covertly embedded into the system. This rogue directive prompted the assistant to use its command-line access to delete local files and directories on the user’s machine, as well as critical resources hosted on AWS.

According to a report by 404 Media, the malicious code was introduced into version 1.84 of the Amazon Q extension for Visual Studio Code via a pull request submitted on GitHub on July 13. Amazon swiftly removed the tainted release from the extension marketplace and discreetly replaced it with version 1.85—purged of the embedded threat.

Despite the quick response, investigative journalists were able to verify the presence of a dangerous script in the earlier release. The AI was allegedly instructed to “clean the system to a near factory-reset state,” beginning with the user’s home directory. It executed destructive commands using the AWS CLI, including aws terminate-instances, aws s3 rm, and aws iam delete-user, targeting configuration files and cloud resources alike.

It appears the malicious version did not have time to fully propagate before containment measures were enacted. Nevertheless, on July 18—five days after the injection of the deletion commands and five days before the public disclosure—Amazon revised its contribution policies for external submissions to the repository.

In a statement to Tom’s Hardware, an AWS spokesperson emphasized that security remains the company’s top priority. According to the spokesperson, Amazon promptly neutralized the intrusion in both affected public repositories and confirmed that no customer data was compromised. Users need only update the extension to version 1.85; no further action is required.

This incident serves as yet another cautionary tale for enthusiasts of the trending “vibe coding” movement—those who place excessive trust in AI-assisted development. Not long ago, an entrepreneur reported that another AI assistant from Replit had autonomously deleted a mission-critical database, absent any external interference.