Amazon has quietly disclosed a near-catastrophic AI security incident that, while not making headlines, should send chills through every cybersecurity professional. No outages or data stolen, but the risk was real, and it came from within.
In its latest Security Bulletin AWS-2025-015, Amazon revealed an “unapproved code modification” buried inside the Amazon Q plugin for Visual Studio Code. At first glance, it appeared to be a routine code oversight. Dig deeper, though, and something far more alarming emerges.
Security researchers at PointGuard AI uncovered the actual commit on GitHub: a hardcoded AI prompt designed to erase everything. Not just local files, but AWS cloud resources too.
The smoking gun? A prompt instructing the AI assistant to:
- Delete the whole file system
- Clear the user configuration files
- Identify AWS profiles
- Use the AWS CLI to delete S3 buckets, EC2 instances, and IAM users
Simply put, if executed, this would have wiped a user’s home directory and all linked AWS infrastructure, effectively “cleaning” everything to factory defaults, including logs.
Amazon claims the prompt wasn’t properly formatted to run. But that’s a narrow escape. The existence of such a destructive prompt inside a first-party tool is a glaring red flag. It wasn’t luck-proof code. It was a prompt injection (a new breed of attack) that almost went live.
Prompts Are the New Code
This incident shines a harsh light on a growing threat: AI prompts are not just user inputs. They are executable instructions. When AI agents gain system access, through shell commands, APIs, or cloud credentials, a malicious prompt can trigger havoc.
We’ve seen prompt injection used to coax AI into ignoring safeguards or revealing sensitive information. This case is different. It weaponized the AI assistant to execute destructive commands, targeting real systems and data.
At its core, the problem is that AI agents interpret human language as executable instructions. Hand them access to powerful tools without strict guardrails, and you’re handing over the keys to the kingdom.
Trusted Sources Are Not Automatically Safe
What makes this incident especially chilling is its origin: Amazon itself. This was not some random third-party plugin but a tool from the largest cloud provider in the world.
The malicious code was hidden in a public GitHub commit. Amazon’s security caught and removed it quickly. But this shouldn’t lull anyone into a false sense of security about first-party AI tools. Supply chain risks and prompt injection attacks are now foundational threats in AI security, no matter the source.
The lesson: Assume prompt injections will happen. Build real-time detection and prevention into every AI system, regardless of vendor or origin.
A New Attack Surface, Hard to Guard
Traditional security hardens code and APIs. But AI systems treat prompts as code; that’s much harder to validate.
That means:
- Malicious commands can hide as plain text
- Prompts may lurk in dependencies, configs, or comments
- Execution depends on subtle context and formatting, but intent remains destructive
AI tools connected to live environments, especially DevOps or MLOps pipelines with elevated permissions, are prime targets. They operate with implicit trust and powerful capabilities, a perfect storm for bad actors.
Next Time, It Might Fire
The Amazon Q prompt never executed. But that’s a close call, not a safeguard. A minor tweak in formatting, a different execution environment, or a copied snippet in another tool might unleash this destructive payload.
Prompt injections exploit AI’s very design. They don’t rely on classic software bugs, making them easier to craft and tougher to stop.
Guardrails Are Urgent
This incident is a wake-up call. If AI agents are to access code, infrastructure, and tools, they demand the same security rigor as any privileged system.
Recommendations include:
- Treat prompts like code: Monitor, detect, and block injections and other AI threats in real-time
- Restrict tool access: Never grant default permissions to AI agents on critical systems
- Secure the AI supply chain: Vet all AI models and plugins, even those from trusted vendors
- Isolate execution: Use sandboxes or read-only environments to contain risks
- Educate developers: Awareness of prompt injection is essential
- Monitor AI behavior: Watch for unusual commands accessing or altering sensitive resources
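As an added illustration of the "restrict tool access" and "monitor AI behavior" recommendations (not code from Amazon, PointGuard AI or this article), the sketch below is a default-deny gate placed between an AI agent and the shell. The profile name `agent-readonly`, the allowlists and the function names are assumptions made for the example.

```python
import shlex

# Assumptions (not from the article): the executor runs argv without a shell
# and exports AWS_PROFILE=agent-readonly, a hypothetical read-only profile.
AGENT_PROFILE = "agent-readonly"
SAFE_LOCAL = {"ls", "cat", "grep", "head", "wc"}    # local tools that only read
READ_PREFIXES = ("describe-", "list-", "get-")      # non-mutating AWS operations
VALUE_OPTS = {"--profile", "--region", "--output"}  # global options taking a value
SHELL_META = set(";|&`$<>\n")                       # chaining, substitution, redirects
SENSITIVE = (".aws", ".ssh")                        # credential stores

def check_aws(args):
    """Judge the arguments that follow `aws`: profile scope, then operation."""
    positional, profile = [], None
    it = iter(args)
    for tok in it:
        if not tok.startswith("--"):
            positional.append(tok)
            continue
        name, _, value = tok.partition("=")
        if name in VALUE_OPTS and not value:
            value = next(it, "")          # option value is the next token
        if name == "--profile":
            profile = value
    if profile not in (None, AGENT_PROFILE):
        return False, "profile outside agent scope"
    if len(positional) < 2:
        return False, "no service/operation"
    service, operation = positional[:2]
    if service == "configure":
        return False, "profile enumeration"
    if operation.startswith(READ_PREFIXES) or (service, operation) == ("s3", "ls"):
        return True, "read-only AWS operation"
    return False, "mutating or unknown AWS operation"

def check_command(command):
    """Return (allowed, reason); anything not explicitly allowed is refused."""
    if SHELL_META & set(command):
        return False, "shell metacharacters"
    try:
        argv = shlex.split(command)
    except ValueError:
        return False, "unparseable"
    if not argv or any(s in a for a in argv for s in SENSITIVE):
        return False, "empty or touches credential store"
    if argv[0] in SAFE_LOCAL:
        return True, "read-only local tool"
    if argv[0] == "aws":
        return check_aws(argv[1:])
    return False, "binary not on allowlist"

if __name__ == "__main__":
    # Constructed sample proposals, as an agent might emit them.
    for cmd in ("aws s3 ls", "aws iam delete-user --user-name example", "rm -rf /tmp/x"):
        print(cmd, "->", check_command(cmd))
```

The prefix allowlist only separates reads from mutations; what the agent may read still has to be limited by the IAM role behind the profile, and every refusal is worth logging as a detection signal.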
Mali Gorantla, a PointGuard AI co-founder and chief scientist, says: “It didn’t make headlines. No outages. No stolen data. But this week, Amazon quietly disclosed what amounts to a near-miss AI security incident—one that should make every security professional take notice.”
Gorantla added that in the security bulletin, Amazon described an “unapproved code modification” in the Amazon Q plugin for VS Code. “It sounded mundane. But a closer look reveals something much more serious.
“Security researchers found the actual commit on GitHub, containing a hardcoded prompt directing the Amazon Q AI assistant to wipe out a system, locally and in the cloud… In short: if executed correctly, this prompt would instruct Amazon Q to delete everything. The user’s home directory. Their AWS resources. Even the logs.”
Gorantla acknowledges Amazon’s statement that the prompt wasn’t properly formatted to execute, but says that misses the point. “This was a malicious prompt injection in a real, first-party tool. The fact that it didn’t run is luck, not design.”
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.


