- Experts claim that the Amazon Q Developer extension for VSC v1.84.0 contained some suspicious code
- This has now been removed, with version 1.85.0 offering a clean release
- About 5.6% of VSC extensions contain suspicious elements
A hacker has planted data-wiping code in the Amazon Q Developer extension for Visual Studio Code (VSC), a free GenAI extension with almost a million installs on the Microsoft VSC marketplace, designed to help developers code, debug, document and configure projects.
On July 13, 2025, a malicious commit by 'Lkmanka58' on GitHub included a prompt to wipe the system and cloud resources, with Amazon unknowingly publishing the compromised version (1.84.0) on July 17.
With suspicious activity observed on July 23 and Amazon developers quickly springing into action, a clean version was released on July 24 without the malicious code, so users are advised to update to 1.85.0 as a matter of urgency.
Amazon missed malicious code in its Q Developer extension
Despite the apparent threat, Amazon said the code was malformed and would not execute in user environments, but some researchers have disputed this, saying that the code had executed but had not caused any damage.
In any case, version 1.84.0 has been completely removed from distribution channels.
Even so, users have expressed concern that Amazon could have missed such a potentially dangerous code fragment, leading online communities such as Reddit to criticize Amazon for silently editing the git history and being slow to disclose the error.
However, the Amazon incident is not unique, with a 2024 academic survey of almost 53,000 VS Code extensions revealing that around 5.6% have suspicious elements such as arbitrary network calls, abuse of privileges or obfuscated code.
Ultimately, developers are advised not to unconditionally trust IDEs and AI assistants; however, many are disappointed that Amazon let this slip through the net.
Via BleepingComputer