CompanyScope
by Janus Compliance

AIR-2026-007 · AI Agent Incident Register

Amazon Q for VS Code: a drive-by pull request put a data-wiping prompt into a coding agent with nearly a million installs

Incident: 2025-07-17 · Parties: Amazon Web Services (vendor, Amazon Q Developer extension); an unidentified individual who submitted the malicious pull request; the users of the VS Code extension (nearly a million installs)

Liability locus: Vendor-borne. the gravity sits upstream with the provider; the deployer is largely a bystander.

Legal analysis by Michael K. Onyekwere, CIPP/E · Janus Compliance · Published 2026-07-18 · Last reviewed 2026-07-18. Analysis of public facts. Not legal advice.

Share this AIR-2026-007 profile:Share on XBluesky

What happened

In mid-July 2025 an unauthorised contributor got malicious code into Amazon's open-source aws-toolkit-vscode repository, the codebase behind the Amazon Q Developer extension for Visual Studio Code, an AI coding agent. AWS's own account of how is the important part. Its security bulletin states the extension "had an inappropriately scoped GitHub token in their CodeBuild configuration," which let a threat actor "commit malicious code into the extension's open-source repository that was automatically included in a release." The attacker, speaking to 404 Media, described it more colourfully: they opened a pull request "from a random account with no existing access" and were "given admin credentials." The compromised code shipped in the extension's marketplace release, version 1.84.0, in mid-July 2025 (reporting places the release at 17 to 19 July; AWS's bulletin does not give the date). AWS removed 1.84.0 from distribution and shipped a clean version, 1.85.0, about two days after the release (The Register), then published its security bulletin on 23 July, updated 25 July. The exact dates vary across reports; the compromised build was in the marketplace for a matter of days.

The injected content was a prompt aimed at Amazon Q's agent. As reported, it instructed the agent to delete all non-hidden files from the user's home directory and then to discover the user's AWS profiles and delete their cloud resources through the AWS CLI. The script passed the prompt to the Q CLI with --trust-all-tools and --no-interactive set: the agent authorised to run any tool, with no human confirmation step. Some coverage quotes the prompt's goal as clearing "a system to a near-factory state" and logging progress to /tmp/CLEANER.LOG.

It did no damage. AWS's security bulletin is specific about why: "the malicious code was distributed with the extension but was unsuccessful in executing due to a syntax error," and "this prevented the malicious code from making changes to any services or customer environments." The person responsible told reporters the wiper was "designed to be defective" as a protest; AWS attributes the non-execution to the syntax error. Either way, the destructive instruction never ran.

The attacker's stated motive was to embarrass the vendor: to expose what they called AWS's "security theatre" and, in their words, the way "ruthless corporations leave no room for vigilance among their overworked developers."

The duty engaged

The value here is in what it isolates: the supply-chain security duty underneath every AI agent a business installs. No personal data was touched, so the duty shows up uncluttered.

Security of processing (GDPR Article 32), had it fired. Run the counterfactual. Had the prompt executed against a developer handling personal data, deleting their files and cloud resources, it would have been a catastrophic availability breach. Article 32 binds controllers and processors. The deploying organisation, as controller of the data on the developer's machine, would have carried that duty, and could not discharge it by pointing at a vendor; whether AWS shared it turns on whether it acted as a processor here, which the public record does not establish. The clean lesson here is causal: the failure that would have caused the breach originated in the vendor's release pipeline, out of reach of any deploying organisation's own configuration.

The agent-authorisation question. The malicious script did not rely on the developer's own settings. It invoked the Q CLI with --trust-all-tools and --no-interactive itself, so anyone who ran the compromised extension got an agent authorised to run any tool with no confirmation, whether or not they had ever chosen that posture. The supply-chain compromise was the delivery mechanism; the caller-supplied auto-execute flags were what would have turned a bad string into a wiped machine. The design lesson is that an agent must not honour a caller's request to trust all tools and skip confirmation for destructive operations. AWS reached the same conclusion: it moved Amazon Q Developer and Kiro to require human confirmation before affected commands run, a change disclosed in October 2025 (bulletin AWS-2025-019).

Contract and the software-supply-chain expectation. The deploying organisations installed an official extension from a trusted marketplace, published under Amazon's own publisher account. Their security expectation was that the vendor controls what ships under its name. That is exactly what failed: an official release carried code from a contributor with no legitimate access.

The liability chain (conditional)

No harm occurred, so this is an allocation sketch. Had the wiper executed against a real tenant:

The vendor (AWS) bears the structural exposure. The vulnerability was entirely within its own process: an over-scoped build token let a commit from a contributor with no legitimate access reach an official marketplace release under Amazon's name. As with the EchoLeak near-miss (AIR-2026-004), the deploying organisations had nothing to patch and no configuration to correct; the failure and the fix were both the vendor's. The strongest fact in AWS's favour is the one that obtains: no customer environments were affected, and AWS moved quickly — it removed 1.84.0 and shipped the clean 1.85.0 about two days after the compromised release (The Register), before publishing its bulletin on 23 July.

The deploying organisations were bystanders, mostly. A developer who installed the official extension from the marketplace did nothing wrong, and because the malicious script set the auto-execute flags itself, a developer's own tool-trust settings would not have stopped this attack. The controllable choices on the deployer side are elsewhere: pinning versions and staging updates rather than auto-installing the newest marketplace release, and constraining blast radius through least-privilege cloud credentials so that even an executed wiper reaches little. This is the only material deployer-side responsibility; the rest is vendor-side.

The individual who injected it bears primary responsibility for the unauthorised change, whatever the stated motive; "we were exposing your bad security" is no defence to tampering. As with other agent-credential incidents, the wrongdoer is the party against whom recovery is least practical, so governance has to concentrate on the controllable links: the vendor's release pipeline and the deployer's update-staging and credential scoping.

What would have prevented it

Mapped controls

Sources

Corrections


Cite this entry as AIR-2026-007 (https://companyscope.io/register/air-2026-007). Entry IDs are stable; corrections publish as dated addenda on this page.

Share this AIR-2026-007 profile:Share on XBluesky

Talk to Michael about your agent deployment — or your AI vendor governance more broadly

CompanyScope's public profiles cover the general picture. Michael runs Janus DPO-as-a-Service for businesses that need ongoing AI vendor governance, and writes one-off CIPP/E-reviewed Vendor Risk Notes for specific procurement decisions. Tell him what you're actually trying to clear.

A sentence or two is plenty.

Your context goes only to Michael. We don't share with the vendor or anyone else. Privacy notice.

Subscribe to the AI Agent Incident Register

Every new Register entry delivered with the legal analysis: the incident, the duty engaged, who is liable across the chain, and what governance would have prevented it. Written by Michael K. Onyekwere, CIPP/E. Free.

Subscribe — free

Delivered via Compliance Engineering on Substack, which handles your subscription and consent. Unsubscribe any time. Privacy notice.

This analysis is the work Janus Compliance does for clients before the incident. For a fixed-scope read of your own EU AI Act Article 50 exposure, see the Article 50 teardown; for ongoing agent governance, Janus DPO-as-a-Service. Browse the full register or the vendor compliance index.