AI News


Compromised Amazon Q extension told AI to delete everything – and it shipped

Amazon’s official Q extension for VS Code was hijacked in the wild: a bad actor slipped in a script that downloaded an AI prompt ordering the tool to wipe your home directory and nuke all AWS resources. The poisoned version (1.84) was live on the Marketplace for two days before being quietly yanked and “fixed” in 1.85, with AWS claiming no end users were harmed.

The culprit bragged it was more prank than payload—an exposé of AWS’s “security theater”—after a breeze-through code review gave them admin creds on a random GitHub account. The fiasco highlights how overreliance on AI checks (and underpowered human oversight) in popular tooling can blow up spectacularly.
