{"id":14656,"date":"2025-08-21T12:11:12","date_gmt":"2025-08-21T12:11:12","guid":{"rendered":"https:\/\/newestek.com\/?p=14656"},"modified":"2025-08-21T12:11:12","modified_gmt":"2025-08-21T12:11:12","slug":"hackers-can-slip-ghost-commands-into-the-amazon-q-developer-vs-code-extension","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=14656","title":{"rendered":"Hackers can slip ghost commands into the Amazon Q Developer VS Code Extension"},"content":{"rendered":"<div>\n<div id=\"remove_no_follow\">\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<section class=\"wp-block-bigbite-multi-title\">\n<div class=\"container\"><\/div>\n<\/section>\n<p>The Amazon Q Developer VS Code Extension is reportedly vulnerable to stealthy prompt injection attacks using invisible Unicode Tag characters.<\/p>\n<p>According to the author of the \u201cEmbrace The Red\u201d blog, the developer-focused extension for Visual Studio Code powered by Amazon Q can be used by attackers to execute malicious instructions (via the invisible characters) embedded within otherwise innocuous text.<\/p>\n<p>\u201cAmazon Q Developer fails to sanitize invisible Unicode Tag characters,\u201d the author said in a blog. \u201cThese characters can be embedded into seemingly harmless text, triggering hidden behavior when processed.\u201d<\/p>\n<p>Invisible Unicode Tag characters, normally used for obscure text tagging, are special symbols that don\u2019t show up on screen but still get processed by computers, making them a sneaky way to hide instructions in plain sight.<\/p>\n<h2 class=\"wp-block-heading\" id=\"ai-understands-the-tiny-invisible-tags\">AI understands the tiny, invisible tags<\/h2>\n<p>The invisible Unicode Tag characters, unseen by developers, are understood by AI, allowing attackers to smuggle hidden instructions into prompts.<\/p>\n<p>In a proof-of-concept (POC) demonstrated within the<a href=\"https:\/\/embracethered.com\/blog\/posts\/2025\/amazon-q-developer-interprets-hidden-instructions\/\"> blog<\/a>, attackers embedded these tags into a file that appeared in VS Code, yet triggered Amazon Q to follow hidden directives\u2013including the triggering of arbitrary code execution via previously described exploits.<\/p>\n<p>The combination of invisible injection and legacy exploits like \u201cfind -exec\u201d makes for a potent threat vector. The vulnerability was disclosed to AWS on July 5 after the author identified no official bug-bounty path and submitted the report to a GitHub-found email.<\/p>\n<p>Following some communication delays, because Amazon\u2019s AI products initially weren\u2019t in scope, the issue was eventually accepted into the HackerOne vulnerability disclosure program, according to the blog.<\/p>\n<h2 class=\"wp-block-heading\" id=\"the-model-creator-wont-fix-the-flaw\">The model creator won\u2019t fix the flaw<\/h2>\n<p>The issue is apparently inherited from Anthropic\u2019s Claude, which powers Amazon Q, and Anthropic will, reportedly, not fix it. \u201cAnthropic models are known to interpret invisible Unicode Tag characters as instructions,\u201d the author said. \u201cThis is not something that Anthropic intends to fix, to my knowledge, see this post regarding their response.\u201d<\/p>\n<p>Anthropic had reportedly declined to fix the <a href=\"https:\/\/www.csoonline.com\/article\/570701\/5-ways-hackers-hide-their-tracks.html#:~:text=Invisible%20AI\/LLM%20prompt%20injections%20and%20pickles\">prompt injection<\/a> vector, <a href=\"https:\/\/embracethered.com\/blog\/posts\/2024\/claude-hidden-prompt-injection-ascii-smuggling\/\">saying<\/a>, \u201cAfter reviewing your report, we were unable to identify any security impact. As such, this has been marked as Not Applicable.\u201d Anthropic did not immediately respond to CSO\u2019s request for comments.<\/p>\n<p>The author, using the alias \u201cWunderWuzzi\u201d for the blog, noted that developers building atop Claude, Amazon Q included, must block these attacks on their own. Most models <a href=\"https:\/\/x.com\/rez0__\/status\/1745545813512663203\" target=\"_blank\" rel=\"noreferrer noopener\">still parse<\/a> invisible prompt injection, except OpenAI, which has tackled the issue directly at the model\/API layer.<\/p>\n<p>By August 8, 2025, AWS reported the vulnerability resolved, the author said in the blog. However, \u201cno public advisory or CVE will be issued,\u201d so users should ensure they\u2019re running the latest version of Amazon Q Developer for safety.<\/p>\n<p>AWS, too, did not immediately respond to CSO\u2019s request for comments.<\/p>\n<p>Amazon Q Developer VS Code extension, downloaded over a million times, is drawing significant adversarial attention. Just last month, an attacker <a href=\"https:\/\/www.csoonline.com\/article\/4027963\/hacker-inserts-destructive-code-in-amazon-q-as-update-goes-live.html\">inserted destructive code<\/a> into the tool, which was then propagated through an official update.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>The Amazon Q Developer VS Code Extension is reportedly vulnerable to stealthy prompt injection attacks using invisible Unicode Tag characters. According to the author of the \u201cEmbrace The Red\u201d blog, the developer-focused extension for Visual Studio Code powered by Amazon Q can be used by attackers to execute malicious instructions (via the invisible characters) embedded within otherwise innocuous text. \u201cAmazon Q Developer fails to sanitize&#8230; <\/p>\n<p class=\"more\"><a class=\"more-link\" href=\"https:\/\/newestek.com\/?p=14656\">Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-14656","post","type-post","status-publish","format-standard","hentry","category-uncategorized","is-cat-link-borders-light is-cat-link-rounded"],"_links":{"self":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/14656","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=14656"}],"version-history":[{"count":0,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/14656\/revisions"}],"wp:attachment":[{"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=14656"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=14656"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=14656"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}