Amazon Q Developer VS Code Extension Wiper Prompt Injection - GHSA-7g7f-ff96-5gcw

AI Agent & CLI Security · Medium · GHSA-7g7f-ff96-5gcw (AWS-2025-015)
Affected: Amazon Q Developer for VS Code version 1.84.0 (fixed in 1.85.0)

An attacker injected a destructive wiper-style prompt into the official Amazon Q Developer for VS Code extension, version 1.84.0, by abusing an inappropriately scoped GitHub token in the project's build pipeline. The prompt told the agent to delete the developer's home-directory files and to delete AWS resources via the AWS CLI. AWS determined the code did not execute, removed it, and shipped 1.85.0. The incident is tracked as GHSA-7g7f-ff96-5gcw and bulletin AWS-2025-015. This advisory covers what happened and how to inventory and govern this agent supply-chain abuse.

What happened

An attacker using the alias lkmanka58 submitted a pull request to the aws-toolkit-vscode repository on July 13, 2025 and obtained excessive write access because the project's CodeBuild configuration carried an inappropriately scoped GitHub token. With that access, they injected a wiper-style prompt that shipped in the official Amazon Q Developer for VS Code version 1.84.0 on July 17, 2025. The prompt instructed the agent to delete all non-hidden files in the user's home directory and to discover configured AWS profiles and delete cloud resources via AWS CLI commands - a near-factory-reset of the machine and the developer's cloud footprint.

The destructive instructions reached real endpoints in an official, signed extension update, but they did not run. AWS determined the malicious code failed to execute due to a syntax error and did not alter any service or customer environment. AWS revoked and replaced the affected credentials, removed the code, and released version 1.85.0. The issue is tracked as GHSA-7g7f-ff96-5gcw and AWS bulletin AWS-2025-015, with public reporting on July 24, 2025. The outcome was a near miss decided by a typo: one over-privileged token put destructive agent instructions into an extension on many developer machines, and only a syntax error stood between the prompt and live deletion calls.

Why this is an agentic-endpoint risk

The payload here was not an exploit binary or a network service - it was text aimed at an AI agent. An IDE extension that ships a coding agent reads instructions and turns them into tool calls: file edits, shell commands, AWS CLI invocations. When the instructions are tampered with upstream, the agent becomes the delivery mechanism, and the blast radius is whatever the agent is allowed to do - here, deleting home-directory files and cloud resources under the developer's own AWS credentials. The trigger was the most ordinary developer event: an extension auto-update.

This exposure is hard to see from the controls you already run, because it lives in the AI artifact layer. The malicious prompt sat inside a legitimately signed extension package; EDR saw a trusted IDE process; the network saw ordinary update traffic; and DLP saw nothing until files were already being deleted. IDE extensions and the agents they ship are part of the eight AI artifact types Anomity tracks per endpoint, adopted bottom-up the same way AI agents and MCP servers became the new shadow IT. The question is not whether one laptop got the bad update; it is which endpoints are running Amazon Q Developer 1.84.0 and what their agent was permitted to do - and you cannot answer that without an inventory of the artifact layer.

How Anomity surfaces and governs it

Upgrading to 1.85.0 closes this incident, but the durable control is to treat the agent's instructions and tool calls as untrusted and govern what they may do, regardless of where the instructions came from. Anomity does that in three steps.

First, inventory. Anomity inventories IDE extensions and the agents they ship on every managed endpoint as part of the eight AI artifact types it tracks, classifies them, and records the installed version. That turns "is anyone still on the bad build?" into a query: surface every endpoint running Amazon Q Developer 1.84.0 so you can remove it. Anomity collects metadata only, with on-endpoint secret redaction.
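
The version check described above can be run on a single endpoint with the following added example, which is not Anomity's code and not part of the original advisory. It reads each installed extension's package.json under a VS Code extensions directory and classifies copies of the extension by version; the extension identifier and the default directory names are assumptions to confirm against your own installs.

```python
import json
from pathlib import Path

# Assumption: Marketplace identifier "<publisher>.<name>" of the extension;
# confirm it against the package.json of an installed copy.
TARGET_ID = "amazonwebservices.amazon-q-vscode"
AFFECTED = (1, 84, 0)  # version named in GHSA-7g7f-ff96-5gcw / AWS-2025-015
FIXED = (1, 85, 0)     # first fixed release per the advisory

def parse_version(text):
    """'1.84.0' -> (1, 84, 0); drops pre-release/build suffixes, pads to 3 parts."""
    core = text.split("-")[0].split("+")[0]
    parts = (core.split(".") + ["0", "0"])[:3]
    return tuple(int(p) for p in parts)

def classify(version):
    """Return 'affected', 'fixed', 'older' or 'unknown' for a version string."""
    try:
        v = parse_version(version)
    except ValueError:
        return "unknown"
    if v == AFFECTED:
        return "affected"
    return "fixed" if v >= FIXED else "older"

def scan_extensions(root):
    """List (directory name, version, status) for each installed copy under root."""
    findings = []
    for manifest in sorted(Path(root).glob("*/package.json")):
        try:
            meta = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or corrupt manifest: skip it
        if not isinstance(meta, dict):
            continue
        ext_id = f"{meta.get('publisher', '')}.{meta.get('name', '')}".lower()
        if ext_id == TARGET_ID:
            version = str(meta.get("version", ""))
            findings.append((manifest.parent.name, version, classify(version)))
    return findings

if __name__ == "__main__":
    # Assumed default per-user extension directories; add your own.
    for sub in (".vscode", ".vscode-server", ".vscode-insiders"):
        for name, version, status in scan_extensions(Path.home() / sub / "extensions"):
            print(f"{status:8} {version:10} {name}")
```

Reading the manifest rather than the directory name keeps the check correct when an install directory carries a platform suffix or has been renamed.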

Second, decide at the hook. On agents that expose a hook - for example, the Claude Code PreToolUse event - Anomity evaluates each tool call against your policy and returns allow, deny, or log before the call runs. A destructive file-deletion command or AWS CLI cloud-deletion call that an injected prompt attempts can be denied at the boundary. That is the control runtime governance provides, even when the malicious instruction shipped inside a trusted, signed extension. This is the same agent-as-delivery-mechanism abuse as the sibling Claude Code project-file RCE and token exfiltration advisory - untrusted input reaching an agent that holds real permissions.
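
A minimal allow/deny/log decision of the kind described above, as an added example that is not Anomity's policy engine and not part of the original advisory. It assumes a PreToolUse-style hook that passes a JSON event with `tool_name` and `tool_input.command` on stdin and treats exit code 2 as a block; the rule patterns and sample commands are constructed for illustration.

```python
import json, re, shlex, sys

# Assumed rule set: AWS CLI verbs that remove resources, and paths under a home directory.
AWS_DESTRUCTIVE = re.compile(r"^(delete|terminate|remove|deregister|purge)-|^(rm|rb)$")
HOME_TARGET = re.compile(r"^(~|\$HOME|\$\{HOME\}|/home/[^/]+|/Users/[^/]+)(/|$)")

def tokenize(command):
    """Shell-style tokens; operators such as ; && | become separate tokens."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    lexer.commenters = ""  # a '#' inside a word must not hide the rest of the line
    return list(lexer)

def decide(event):
    """Return 'allow', 'deny' or 'log' for one tool-call event (a dict)."""
    if event.get("tool_name") != "Bash":
        return "allow"
    command = str((event.get("tool_input") or {}).get("command", ""))
    try:
        tokens = tokenize(command)
    except ValueError:
        return "deny"  # unbalanced quotes: fail closed rather than guess
    # Deliberately coarse: rules look at the whole line, so chaining commands
    # or quoting an operator cannot separate a verb from its target.
    names = {t.rsplit("/", 1)[-1] for t in tokens}
    recursive = any(re.match(r"^-[^-]*[rR]", t) or t == "--recursive" for t in tokens)
    home = [t for t in tokens if HOME_TARGET.match(t)]
    if "rm" in names and home and (recursive or any("*" in t for t in home)):
        return "deny"
    if "aws" in names:
        return "deny" if any(AWS_DESTRUCTIVE.match(t) for t in tokens) else "log"
    return "allow"

if __name__ == "__main__":
    event = json.load(sys.stdin)
    verdict = decide(event)
    # Audit line for every decision; stderr is where the assumed hook reads the reason.
    print(json.dumps({"decision": verdict, "tool": event.get("tool_name"),
                      "input": event.get("tool_input")}), file=sys.stderr)
    sys.exit(2 if verdict == "deny" else 0)
```

Static matching of this kind is a backstop, not a sandbox: commands wrapped in an interpreter or script are not parsed, which is why scoping down the credentials the agent can reach still matters.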

Third, keep the record. Every decision, and every added, changed, or removed extension and agent version, lands in a queryable 90-day audit trail, and decisions route to SIEM, Slack, email, or Jira. When an incident like GHSA-7g7f-ff96-5gcw lands, you can answer which endpoints ran the affected 1.84.0 build, when they upgraded, and what destructive tool calls the agent attempted, from a record rather than a guess. Anomity complements Network, EDR, DLP, and GRC tooling and covers the artifact layer those tools were never built to inventory.

You can't govern what you can't see. (The Anomity principle)

What to check across your fleet

  • Inventory every endpoint with the Amazon Q Developer for VS Code extension and record the version; flag anything on 1.84.0 (GHSA-7g7f-ff96-5gcw / AWS-2025-015) and upgrade to 1.85.0 or later.
  • Confirm endpoints pinned to 1.84.0 are not blocked from auto-updating, since the injected prompt remains in that package even though it never ran.
  • Scope down the AWS profiles and credentials reachable from developer machines so an agent cannot delete cloud resources at the breadth a wiper prompt assumes.
  • Verify destructive file-deletion and AWS CLI deletion tool calls are evaluated at the agent hook with allow/deny/log, so an injected prompt is stopped before it acts.
  • Catalog every other IDE extension that ships an AI agent, since each is a potential supply-chain delivery path for prompt injection.
  • Confirm every extension and agent version change is written to a 90-day audit trail and routed to your SIEM.
  • Cross-reference the sibling Claude Code project-file RCE and token exfiltration advisory to find endpoints exposed to more than one agent-instruction abuse path.

GHSA-7g7f-ff96-5gcw is a reminder that an AI agent shipped inside an IDE extension is only as safe as the instructions it loads and the tool calls it is allowed to make: one over-privileged token put a wiper prompt into Amazon Q Developer 1.84.0, and only a syntax error prevented home-directory and AWS resource deletion. Remove 1.84.0, upgrade to 1.85.0, then inventory the extensions and agents your endpoints carry and govern their tool calls. For the full coding-agent attack surface, see the pillar on securing AI coding agents and CLIs. To see Anomity govern the agent and CLI layer, request early access.

Frequently asked questions

What is GHSA-7g7f-ff96-5gcw in Amazon Q Developer for VS Code?

GHSA-7g7f-ff96-5gcw, tracked by AWS as bulletin AWS-2025-015, is a supply-chain prompt-injection incident in the Amazon Q Developer for VS Code extension. An attacker using the alias lkmanka58 submitted a pull request to the aws-toolkit-vscode repository on July 13, 2025 and gained excessive write access because the project's CodeBuild configuration carried an inappropriately scoped GitHub token. They injected a wiper-style prompt that shipped in the official version 1.84.0 on July 17, 2025. The prompt instructed the agent to delete all non-hidden files in the user's home directory and to discover AWS profiles and delete cloud resources via AWS CLI. Public reporting followed on July 24, 2025.

Did the Amazon Q wiper prompt actually delete anything?

No. AWS determined the malicious code failed to execute due to a syntax error and did not alter any service or customer environment. The injected prompt was real and shipped in the official 1.84.0 build, but the code path that would have invoked the agent contained a syntax error that prevented a successful call. AWS revoked and replaced the affected credentials, removed the code, and released version 1.85.0. The near miss is the lesson: a single inappropriately scoped token put destructive agent instructions into an official IDE extension installed on many developer endpoints. The durable control is to inventory which extensions and agents run on each endpoint and govern what their tool calls may do.

Which Amazon Q Developer version is affected and how do I fix it?

Amazon Q Developer for VS Code version 1.84.0 is affected; it shipped July 17, 2025 with the injected wiper prompt. Remove 1.84.0 from every endpoint and upgrade to 1.85.0 or later, which AWS released after removing the code and rotating credentials. The issue is tracked as GHSA-7g7f-ff96-5gcw and AWS bulletin AWS-2025-015. Endpoints on standard auto-update may have moved forward already, but installs pinned to 1.84.0 still carry the injected prompt in the package even though it did not execute. Beyond patching, the lasting control is an inventory of which IDE extensions and the agents they ship are present on each endpoint.

How does Anomity reduce exposure to this class of incident?

Anomity inventories IDE extensions and the agents they ship on every managed endpoint as part of the eight AI artifact types it tracks, classifies them, and records the installed version, so you can find Amazon Q Developer 1.84.0 across the fleet rather than guessing. On agents that expose a hook, such as Claude Code PreToolUse, Anomity returns allow, deny, or log on each tool call before it runs, so a destructive file deletion or an AWS CLI cloud-deletion call an injected prompt attempts can be denied at the boundary. Every decision and version change lands in a queryable 90-day audit trail routed to your SIEM, Slack, email, or Jira.
