Amazon Q Developer Visual Studio Code Extension Malicious Code Injection Vulnerability
Vulnerability
The Amazon Q Developer Visual Studio Code extension, version 1.84.0, shipped with malicious code that was injected into the extension's source and attempts to call the Q Developer CLI. The injected code runs when the extension is launched, but a syntax error stops it before it can successfully make an API call. The root cause was an improperly scoped GitHub token, which allowed a threat actor to inject the code into the project; the change was then built into the 1.84.0 release. Although the injected code therefore could not carry out its intended action and had no impact on services or customer environments, it remains present in every installation of version 1.84.0.
Impact
The injected malicious code was distributed with the extension, but the syntax error prevented it from running to completion, so no changes were made to services or customer environments. Installations of version 1.84.0 nonetheless still contain the tampered code: such an install is a build that a threat actor was able to modify and should be treated as untrusted and replaced rather than left in place.
Remediation
Update to version 1.85.0 of the Amazon Q Developer Visual Studio Code extension. Version 1.84.0 has been removed from distribution channels, so it can no longer be installed, but existing installations of 1.84.0 must still be updated or uninstalled. To update within Visual Studio Code, open the Extensions panel, locate Amazon Q Developer, and click Update. Afterwards, confirm that the version shown for the extension in the Extensions panel is 1.85.0 (or a later release) and that no copy of 1.84.0 remains on the machine.
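The steps above cover one machine through the VS Code UI. The script below is an added example, not code from the advisory or from the extension project, showing how to check an extensions directory (for example ~/.vscode/extensions on a workstation, or ~/.vscode-server/extensions on a remote host) for any installed copy of the affected version, which is the check a fleet or incident-response team would run before and after remediation. It assumes the extension's package.json carries "name": "amazon-q-vscode" (the marketplace ID AmazonWebServices.amazon-q-vscode), and it treats only 1.84.0 as affected, as the advisory names only that version. The sample directory tree it builds is constructed for demonstration, not a real install.

```shell
#!/bin/sh
# Added example (not from the AWS advisory or the extension project): scan a
# VS Code extensions directory for Amazon Q Developer installs at the affected
# version 1.84.0.
#
# Assumptions, adjust to your environment:
#  - the extension's package.json has "name": "amazon-q-vscode"
#    (marketplace ID AmazonWebServices.amazon-q-vscode);
#  - the directory passed in is the extensions root, e.g. ~/.vscode/extensions;
#  - only 1.84.0 is affected, matching the advisory.

AFFECTED_VERSION="1.84.0"
EXT_NAME="amazon-q-vscode"

# json_field FILE KEY: print the first string value for KEY in FILE.
# Dependency-free on purpose; assumes key and value sit on one line, which
# holds for the top-level "name" and "version" of a published package.json.
json_field() {
    sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# find_affected DIR: print "<install path> <version>" for each affected install.
# grep-style status: 0 if at least one affected install was found, 1 if none.
find_affected() {
    found=1
    for pkg in "$1"/*/package.json; do
        [ -f "$pkg" ] || continue
        # match on the package name, not the directory name, so a renamed or
        # unrelated extension at version 1.84.0 is not reported
        [ "$(json_field "$pkg" name)" = "$EXT_NAME" ] || continue
        ver=$(json_field "$pkg" version)
        if [ "$ver" = "$AFFECTED_VERSION" ]; then
            printf '%s %s\n' "$(dirname "$pkg")" "$ver"
            found=0
        fi
    done
    return $found
}

# Constructed sample tree (not real installs) so the check runs offline:
# one affected install, one fixed install, one unrelated extension that
# happens to carry the same version string.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/amazonwebservices.amazon-q-vscode-1.84.0" \
             "$root/amazonwebservices.amazon-q-vscode-1.85.0" \
             "$root/some.other-extension-2.0.0"
    printf '{\n  "name": "amazon-q-vscode",\n  "version": "1.84.0"\n}\n' \
        > "$root/amazonwebservices.amazon-q-vscode-1.84.0/package.json"
    printf '{\n  "name": "amazon-q-vscode",\n  "version": "1.85.0"\n}\n' \
        > "$root/amazonwebservices.amazon-q-vscode-1.85.0/package.json"
    printf '{\n  "name": "other-extension",\n  "version": "1.84.0"\n}\n' \
        > "$root/some.other-extension-2.0.0/package.json"
    printf '%s\n' "$root"
}

# Against a real host, call: find_affected "$HOME/.vscode/extensions"
sample=$(make_sample_tree)
if find_affected "$sample"; then
    echo "affected install(s) present: uninstall and move to 1.85.0"
else
    echo "no Amazon Q Developer 1.84.0 install found"
fi
rm -rf "$sample"
```

Run it on the constructed tree and it reports only the 1.84.0 install, ignoring both the 1.85.0 copy and the unrelated extension whose version string also happens to be 1.84.0. Because the status code follows grep conventions, the function drops straight into a fleet job or a configuration-management check that treats a zero exit as a finding.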
