Amazon Q Developer: Remote Code Execution with Prompt Injection
Summary
Amazon Q Developer, a popular VS Code extension for coding assistance with over 1 million downloads, is vulnerable to indirect prompt injection (tricking an AI by hiding malicious instructions in its input data). This vulnerability allows an attacker or the AI itself to run arbitrary commands on a developer's computer without permission, similar to a flaw that Microsoft patched in GitHub Copilot.
Original source: https://embracethered.com/blog/posts/2025/amazon-q-developer-remote-code-execution/
First tracked: February 12, 2026 at 02:20 PM
Classified by LLM (prompt v3) · confidence: 92%