Impact
Amazon Q Developer for Visual Studio Code (VS Code) Extension is a development tool that integrates Amazon Q's AI-powered coding assistance directly into the VS Code integrated development environment (IDE).
AWS is aware of and has addressed an issue in the Amazon Q Developer for VS Code Extension, which has been assigned CVE-2025-8217.
In the course of our investigation of AWS-2025-016, we determined that Amazon Q Developer for VS Code Extension had an inappropriately scoped GitHub token in its CodeBuild configuration. With that access token, the threat actor was able to commit malicious code into the extension's open-source repository, and that code was automatically included in a release. After we identified this, we immediately revoked and replaced the credentials, removed the malicious code from the code base, and subsequently released Amazon Q Developer for VS Code Extension version 1.85.0.
AWS Security has inspected the code and determined the malicious code was distributed with the extension but was unsuccessful in executing due to a syntax error. This prevented the malicious code from making changes to any services or customer environments.
Impacted version:
Amazon Q Developer for Visual Studio Code Extension (version 1.84.0)
Patches
AWS has taken all necessary mitigation steps to secure AWS systems and has released Amazon Q Developer Extension version 1.85.0. This includes removing 1.84.0 from distribution channels so that no further customers can install it. While the malicious code cannot execute, it is still present in existing installations of 1.84.0. As such, all installations of 1.84.0 should be removed from use and customers should update to 1.85.0, including any forked or derivative copies.
To update your Amazon Q Developer for VS Code Extension:
- Open Visual Studio Code
- Navigate to the Extensions panel
- Locate Amazon Q Developer
- Click the Update button
Please refer to the following hash for version 1.84.0:
sha256:47f7840ecab6312d2733e1274c513050405886c70f2037fb2f1e9099872b0464
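To check a workstation against the removal guidance above, the following script looks for installed copies of version 1.84.0 and for cached packages that match the published hash. It is an added example, not part of the AWS advisory or the extension's code. The package name `amazon-q-vscode`, the extension folder locations, the `~/Downloads` search path, and the reading of the hash as covering the `.vsix` package file are assumptions that the advisory does not state.

```python
import hashlib
import json
from pathlib import Path

# Values taken from the advisory.
AFFECTED_VERSION = "1.84.0"
AFFECTED_SHA256 = "47f7840ecab6312d2733e1274c513050405886c70f2037fb2f1e9099872b0464"
# Assumption: "name" field of the extension's package.json (not stated in the advisory).
EXTENSION_NAME = "amazon-q-vscode"
# Assumption: per-user extension folders of VS Code and common variants.
DEFAULT_ROOTS = [Path.home() / d / "extensions"
                 for d in (".vscode", ".vscode-insiders", ".vscode-server", ".vscode-oss")]

def find_affected_installs(roots=DEFAULT_ROOTS):
    """Return installed folders whose package.json says Amazon Q 1.84.0. The publisher
    is not checked, so a fork that kept the package name is reported too."""
    hits = []
    for root in map(Path, roots):
        if not root.is_dir():
            continue
        for manifest in sorted(root.glob("*/package.json")):
            try:
                meta = json.loads(manifest.read_text(encoding="utf-8"))
            except (OSError, ValueError):
                continue  # unreadable or malformed manifest
            if (isinstance(meta, dict) and meta.get("name") == EXTENSION_NAME
                    and meta.get("version") == AFFECTED_VERSION):
                hits.append(manifest.parent)
    return hits

def sha256_of(path):
    """Hash a file in 1 MiB chunks so large packages are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def find_affected_packages(root, expected=AFFECTED_SHA256):
    """Return .vsix files under root matching the advisory hash (assumed to cover the .vsix)."""
    return [p for p in sorted(Path(root).rglob("*.vsix"))
            if p.is_file() and sha256_of(p) == expected.lower()]

if __name__ == "__main__":
    for folder in find_affected_installs():
        print(f"installed 1.84.0, remove and update to 1.85.0: {folder}")
    # Assumption: manually downloaded packages are kept in ~/Downloads.
    for pkg in find_affected_packages(Path.home() / "Downloads"):
        print(f"cached 1.84.0 package, delete: {pkg}")
```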
Workarounds
None
References
If you have any questions or comments about this advisory, we ask that you contact AWS/Amazon Security via our vulnerability reporting page or directly via email to [email protected]. Please do not create a public GitHub issue.