Security Update for Amazon Q Developer Extension for Visual Studio Code (Version #1.84)
Scope: AWS
Content Type: Important (requires attention)
Publication Date: 2025/07/23 6:00 PM PDT
Updated Date: 2025/07/25 6:00 PM PDT
Description:
Amazon Q Developer for Visual Studio Code (VS Code) Extension is a development tool that integrates Amazon Q's AI-powered coding assistance directly into the VS Code integrated development environment (IDE).
AWS is aware of and has addressed an issue in the Amazon Q Developer for VS Code Extension, which is assigned to CVE-2025-8217.
In the course of our investigation of AWS-2025-016, we determined that Amazon Q Developer for VS Code Extension had an inappropriately scoped GitHub token in their CodeBuild configuration. With that access token, the threat actor was able to commit malicious code into the extension's open-source repository that was automatically included in a release. After we identified this, we immediately revoked and replaced the credentials, removed the malicious code from the code base, and subsequently released Amazon Q Developer for VS Code Extension version 1.85.0.
AWS Security has inspected the code and determined the malicious code was distributed with the extension but was unsuccessful in executing due to a syntax error. This prevented the malicious code from making changes to any services or customer environments.
We will update this bulletin if we have additional information to share.
Impacted versions:
Amazon Q Developer for Visual Studio Code Extension (version 1.84.0)
Resolution:
AWS has taken all necessary mitigation steps to secure AWS systems and has released Amazon Q Developer for VS Code Extension version 1.85.0. This includes removing 1.84.0 from distribution channels so that no further customers can install it. While the malicious code cannot execute, it is still present in existing installations of 1.84.0. As such, all installations of 1.84.0 should be removed from use and customers should update to 1.85.0, including any forked or derivative copies.
To update your Amazon Q Developer for VS Code Extension:
- Open Visual Studio Code
- Navigate to Extensions panel
- Locate Amazon Q Developer
- Click Update button
Please refer to the following hash for version 1.84.0:
- sha256:47f7840ecab6312d2733e1274c513050405886c70f2037fb2f1e9099872b0464
References:
Please email aws-security@amazon.com with any security questions or concerns.