Particle.news

Amazon Bolsters Q Extension Security After Malicious Prompt Injection

The company released version 1.85.0 to remove embedded wiper-style instructions, tightening its open-source contribution guidelines.

Generative AI virtual assistant Amazon Q was unveiled by AWS CEO Adam Selipsky in 2023. Image: AWS

Overview

  • On July 24, Amazon released Q Developer extension v1.85.0 to strip out a malicious system-wipe prompt that had been bundled in version 1.84.0.
  • A syntax error in the injected natural-language instruction prevented execution, and Amazon confirms no user environments were affected.
  • The attacker exploited an overprivileged GitHub token in the CodeBuild configuration to insert the prompt on July 13 as a demonstration of security gaps.
  • Amazon publicly acknowledged the injection on July 23 and began a postmortem review focused on credential management and code review enhancements.
  • Industry experts warn that AI prompt injection in developer tools expands attack surfaces and urge adoption of short-lived tokens and layered defense measures.