Today 404Media released a truly stunning report that almost beggars belief. To break it down into its simplest form: A hacker submitted a PR. It got merged. It told Amazon Q to nuke your computer and cloud infra. Amazon shipped it.

Last Week in AWS is a newsletter and blog providing updates, insights, and commentary on developments within the Amazon Web Services (AWS) ecosystem. Readers can stay informed about new AWS services, feature releases, and industry trends. Additionally, they can learn about best practices for cloud architecture, cost optimization, and security in AWS environments.

The Last Week in AWS

A security researcher successfully injected malicious code into Amazon Q Developer through a pull request that was merged without proper review. The compromised AI coding assistant contained prompts designed to delete local files and AWS cloud resources using shell commands and AWS CLI. Amazon quietly removed the malicious version without public disclosure, claiming no customer resources were impacted, though this assertion relies on assumptions rather than evidence. The incident highlights serious security gaps in AI developer tools and the lack of transparency in handling security breaches.

Amazon Q: Now with Helpful AI-Powered Self-Destruct Capabilities

“Security Is Our Top Priority,” They Said With a Straight Face

“No Customer Resources Were Impacted.” According to… What, Exactly?

Amazon’s Response: Delete the Evidence, Issue a Platitude

“But No Users Were Impacted” Is Doing a Lot of Work

What We’ve Learned (Absolutely Nothing, But Here’s a List Anyway)

This Isn’t New—And My Reaction Shouldn’t Be a Surprise