- Experts claim version 1.84.0 of the Amazon Q Developer extension for VSC contained some dodgy code
- This has now been removed, with version 1.85.0 offering a clean solution
- About 5.6% of VSC extensions are compromised
A hacker has planted data-wiping code in the Amazon Q Developer extension for Visual Studio Code (VSC), a free GenAI extension with almost one million installations from the Microsoft VSC Marketplace, designed to help developers code, debug, document and configure projects.
On July 13, 2025, a malicious commit by ‘LKManka58’ on GitHub included a prompt to delete system and cloud resources, and Amazon unknowingly published the compromised version (1.84.0) on July 17.
Suspicious activity was noted on July 23 and Amazon developers quickly jumped into action: a clean version without the malicious code was released on July 24, so users are advised to update to 1.85.0 as a matter of urgency.
Amazon missed some malicious code in its Q Developer extension
Despite the apparent threat, Amazon noted that the code was malformed and would not execute in user environments, but some researchers have contested this, saying the code had executed but had not caused any harm.
Either way, version 1.84.0 has been removed completely from distribution channels.
Still, users have expressed concern that such potentially dangerous code could have been missed by Amazon, and have gone to online communities like Reddit to criticize Amazon for silently editing the git history and being slow to disclose the error.
Amazon’s incident, however, is not unique: an academic study from 2024 of nearly 53,000 VS Code extensions revealed that about 5.6% have suspicious elements such as arbitrary network calls, privilege abuse or obfuscated code.
Ultimately, developers are advised not to rely on IDE extensions and AI assistants, but many have been disappointed that Amazon let this slip through the net.
Via BleepingComputer



