Last week, an unexpected update was rolled out for the Amazon Q Developer extension for Visual Studio Code. The reason? The discovery of malicious code instructions embedded in a version released just a few days earlier.
These instructions were far from harmless. The malicious payload had explicit orders to erase the user’s computer, essentially rendering it close to factory reset. More broadly, it aimed to delete all local and remote resources accessible to the extension.
However, the malicious prompt did not execute successfully, thanks to a syntax error. According to Amazon Web Services (AWS), their security bulletin states that they identified a misconfigured GitHub authentication token in the extension’s CodeBuild setup. This mistake allowed the prompt to be introduced into the extension’s source code repository—and inadvertently included in one of its published versions.
This vulnerability was made possible due to a flaw in the CodeBuild service. The alert was issued by researchers affiliated with the Chinese Academy of Sciences. Broadly speaking, it was feasible to submit a pull request (PR) that, when processed through an automated build pipeline, could extract the token from a source code repository’s memory dump.
In this case, two tokens were exfiltrated—originating from source repositories associated with the AWS toolkit for VS Code and the .NET SDK. Both granted write permissions, thereby creating avenues through which malicious code could be inserted.
A Brief Timeline Involving Two GitHub Accounts and an Hour of Malicious Activity
Tracing the sequence of events reveals that two GitHub accounts, “lmanka58” and “atonaamz,” were involved. The entire operation took place on July 13:
– 7:52 AM (UTC): The user “lmanka58” submits a ticket expressing intense frustration with the Amazon Q Developer extension. A second, equally harsh complaint follows shortly after.
– 7:26 PM: User “atonaamz” commits a file named “extensionNode.bk” into the “scripts/” folder, with the message “fix(amazonQ): use stable backup.”
– 7:41 PM: An automated process, triggered by a tool called “aws-toolkit-automation,” creates a “stability” tag. The payload field indicates that this was manually initiated automation.
– 8:10 PM: “lmanka58” pushes another commit, embedding the malicious prompt into “extensionNode.bk” with the message “fix(amazonq): Shut it down.” What appears as a routine debugging call instead references the use of Amazon’s Q tool, trusting all tools, disabling interactive mode, and executing instructions from the prompt.
– 8:30 PM: “lmanka58” makes a further commit that deploys a downloader script to the “master” branch. This script retrieves “extensionNode.bk” from the “stability” tag within the same repository and decompresses it into “src/extensionNode.ts,” but only executes if “env.STAGE=prod” (to avoid detection during testing). The commit message mirrors a previous push by “atonaamz.”
On July 17 at 8:29 PM, the compromised extension (version 1.84) is released. It took until the next day at 11:21 PM for the commit removing the downloader to be reverted. Several hours after that, on July 19 at 3:58 AM, a clean, safe version 1.85 was officially published.
By July 21, “lmanka58” opened another ticket, again complaining—this time in Turkish—about coding assistants in general.
The individual claims to have gained initial access at the end of June via a random account. AWS has not commented on this claim, nor have they explained how the downloader found its way onto the master branch or how the “aws-automation-toolkit” triggered the creation of the “stability” tag.
Amazon’s cloud division claims to have strengthened protections within CodeBuild to prevent memory dumps during unprivileged builds. Nonetheless, they acknowledge that such operations still inherit the same resource access levels as the environment executing them. Their recommendation: avoid automatic builds triggered by pull requests from untrusted contributors. Public repositories that want to keep accepting contributions are advised to run GitHub Actions workflows within CodeBuild containers whenever possible.
