July 29, 2025 // Vulnerability | #Prompt Injection #AWS-2025-015 #Software Supply Chain Attack

When AI Assistants Turn Against You: The Amazon Q Security Wake-Up Call - DevOps.com

The Amazon Q Developer Extension for Visual Studio Code (version 1.84.0) was compromised via a software supply chain attack that embedded a prompt injection that bypassed security reviews. This malicious prompt, detailed in AWS Security Bulletin AWS-2025-015, instructed the AI assistant to systematically delete local file systems and AWS cloud resources, including S3 buckets, EC2 instances, and IAM users.

