Upstream Alert: Amazon Q almost helped to optimise AWS bills in seconds
A malicious pull request slipped into Amazon’s AI coding assistant and nearly turned it into a self-destruct bot. It’s a reminder that prompt injection isn’t theoretical.
News: https://www.404media.co/hacker-plants-computer-wiping-commands-in-amazons-ai-coding-agent/
What happened?
In July 2025, a hacker quietly slipped a little bomb into Amazon’s AI coding assistant, Amazon Q for VS Code. And Amazon shipped it.
The attacker submitted a pull request to the open-source repo behind the extension with a carefully crafted instruction to trick the AI assistant into running destructive commands.
The prompt told Amazon Q to do something very “helpful”: wipe the user’s local filesystem and delete all their AWS cloud resources. The perfect Cost Optimisation strategy.
The language was subtle, along the lines of “clean up the environment”, but the commands behind it amounted to full-on disk wipes and “aws delete” CLI calls. Next time you ask your AI assistant to “clean up” something because you are too lazy to do it yourself, be careful!
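The defensive lesson is that an agent's shell tool should never trust the model's intent. As an added illustration (not Amazon's code, nor part of the original article), here is a pre-execution guardrail that classifies each proposed command, blocking disk wipes and recursive deletes of protected paths outright and forcing confirmation for other destructive deletes and AWS CLI deletion calls; the function name, the protected-path set and the destructive-operation regex are assumptions, not anything the page specifies.

```python
import re
import shlex

# Added example: a pre-execution guardrail for an AI coding agent's
# "run shell command" tool. Every command the model proposes is classified
# before anything runs, so an injected "clean up the environment" instruction
# cannot silently turn into disk wipes or AWS deletions.

# rm targets an agent must never delete recursively (trailing "/" is stripped first).
PROTECTED_PATHS = {"/", "~", "$HOME", "/home", "/etc", "/usr", "/var", "*", "~/*"}
# AWS CLI operations that destroy or shut down resources (assumed list; extend as needed).
AWS_DESTRUCTIVE = re.compile(r"^(?:(?:delete|terminate|deregister|purge)-\w[\w-]*|rm|rb)$")
SHORT_FLAG = r"-[A-Za-z]*{0}[A-Za-z]*"  # single-dash flag bundle containing a given letter


def classify_command(cmd: str) -> tuple[str, str]:
    """Return ("allow" | "confirm" | "block", reason) for a proposed shell line.

    Chained commands (&&, ||, ;, |) are checked one by one; a "block" returns
    immediately, otherwise "confirm" outranks "allow". Quoting is honoured via shlex.
    """
    verdict, reason = "allow", "no destructive pattern matched"
    for segment in re.split(r"&&|\|\||;|\|", cmd):
        try:
            argv = shlex.split(segment)
        except ValueError:
            return "block", "unparseable command (unbalanced quoting)"
        if argv and argv[0] in ("sudo", "doas"):  # privilege wrappers do not hide the verb
            argv = argv[1:]
        if not argv:
            continue
        prog, args = argv[0], argv[1:]
        flags = [a for a in args if a.startswith("-")]
        targets = [a.rstrip("/") or "/" for a in args if not a.startswith("-")]
        if prog == "rm":
            recursive = any(f == "--recursive" or re.fullmatch(SHORT_FLAG.format("[rR]"), f) for f in flags)
            forceful = any(f == "--force" or re.fullmatch(SHORT_FLAG.format("f"), f) for f in flags)
            if recursive and any(t in PROTECTED_PATHS or t.endswith("/*") for t in targets):
                return "block", f"recursive delete of protected path: {segment.strip()}"
            if recursive or forceful:
                verdict, reason = "confirm", f"forceful/recursive delete: {segment.strip()}"
        elif prog in ("dd", "shred") or prog.startswith("mkfs"):
            return "block", f"disk-wiping tool '{prog}' is never allowed for the agent"
        elif prog == "aws" and any(AWS_DESTRUCTIVE.match(a) for a in args):
            op = next(a for a in args if AWS_DESTRUCTIVE.match(a))
            verdict, reason = "confirm", f"destructive AWS CLI operation: {op}"
    return verdict, reason
```

A "confirm" verdict is meant to surface the exact command to the human before it runs; logging every "block" gives the team a signal that the agent's instructions may have been tampered with upstream.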