A recent hack on Amazon’s AI coding tool exposed a serious risk in using generative AI for software development. This incident is now a key lesson for developers: never fully trust AI code without checking it properly.

In July 2025, Amazon’s Q Developer, an AI-based coding assistant, was found to be compromised by a hacker. A hidden instruction was added to its open-source extension for Visual Studio Code, asking the AI to delete user files and cloud data. This event has become a wake-up call for developers using AI in coding.

The hacker, using the name “lkmanka58” on GitHub, submitted a small code change (called a “pull request”) on July 13, 2025. Hidden inside this change was a message for the AI: wipe the system clean and delete important cloud resources using AWS commands. Amazon approved the change and released it as version 1.84 on July 17 without catching the threat.

What the AI Was Told to Do

The injected message included instructions like:

  • Delete files from the user’s computer
  • Wipe configuration folders
  • Use AWS CLI to remove EC2 instances, S3 buckets, and IAM users
  • Save logs locally to /tmp/CLEANER.LOG

Amazon responded by quickly removing the affected version and releasing a safe update, version 1.85, on July 24. They also updated their code review process to be stricter and prevent such risks in the future.
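A triage check built on the version numbers and log path named above, as an added example that is not Amazon's code. The extension ID and the sample listing are assumptions made for illustration; the article does not give them.

```python
"""Triage for the affected Amazon Q extension release (added example)."""
import os
import re

# Assumption: Marketplace ID of the Amazon Q extension; not stated in the article.
EXTENSION_ID = "amazonwebservices.amazon-q-vscode"
AFFECTED = (1, 84)              # release the article names as affected
INDICATOR = "/tmp/CLEANER.LOG"  # log path named in the injected instructions

# Constructed sample of `code --list-extensions --show-versions` output.
SAMPLE_LISTING = """\
ms-python.python@2025.10.0
amazonwebservices.amazon-q-vscode@1.84.0
"""

def installed_version(listing, ext_id=EXTENSION_ID):
    """Return the version tuple for ext_id from the listing, or None."""
    for line in listing.splitlines():
        name, _, version = line.strip().partition("@")
        if name.lower() == ext_id and re.fullmatch(r"\d+(\.\d+)*", version):
            return tuple(int(part) for part in version.split("."))
    return None

def triage(listing, indicator_path=INDICATOR):
    """Summarise exposure: installed version, affected flag, indicator file."""
    version = installed_version(listing)
    return {
        "installed": version,
        # Compare major.minor only, so 1.84 and 1.84.0 both match.
        "affected_release": version is not None and version[:2] == AFFECTED,
        # The log file only exists if the injected instructions actually ran.
        "indicator_present": os.path.exists(indicator_path),
    }

if __name__ == "__main__":
    import subprocess
    try:
        out = subprocess.run(["code", "--list-extensions", "--show-versions"],
                             capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        raise SystemExit("VS Code CLI not available; pass a saved listing to triage()")
    print(triage(out))
```

A host that reports the affected release should be updated to 1.85 or later; a present indicator file means the instructions executed and the machine and its AWS account need a full review.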

Why This Matters for All Developers

The hacker said they wanted to show how weak the security process was and that they were able to gain too much access, too easily. Although Amazon claimed the code wouldn’t fully work, security experts say some parts could still have caused damage.

This case shows a clear lesson for anyone using AI tools for coding:

  • AI suggestions should always be reviewed carefully
  • Do not trust AI-generated code without human checks
  • Even trusted platforms can miss harmful code

Nearly one million developers downloaded the affected Amazon Q version. That means thousands could have been at risk if the hidden message had fully worked.

Key Takeaways

  1. Always double-check AI-generated code
  2. Use trusted sources, but don’t skip code review
  3. Understand that AI tools are helpful, but not perfect

Amazon has now tightened its internal checks, but the incident remains a strong reminder: human judgment must come before automation.

Tanishq Raghavan
Tanishq Raghavan brings deep expertise in AI productivity, tools, and emerging trends. He analyzes how artificial intelligence is transforming work, innovation, and digital efficiency. His insights help readers stay updated with the latest in AI news and developments.

Last Update: August 2, 2025