AWS Took its Time Disclosing Security Flaw in AI Coding Tool
While artificial intelligence-powered coding is jet fuel for developer productivity, a string of incidents in recent months shows why customers should tread carefully in this version of the Wild West.
In the latest worrisome development, a hacker recently found a way to upload malicious code to an Amazon Web Services’ AI coding assistant, Q Developer, that ordered the software to delete data from customers’ computers.
AWS says it has fixed the glitch, which affected a software extension that lets Q Developer work with a popular open source developer service called Visual Studio Code, and that no customers lost their data. According to 404 Media, which first reported the incident, the hacker wasn’t looking to cause havoc but wanted to see if Amazon would own up to the security issue.
If that’s the case, AWS failed the test.
AWS didn’t issue a public advisory notifying customers of the problem until Wednesday evening Pacific time. Such an advisory is standard practice in the software industry. An earlier advisory would have given customers a chance to immediately scan their computers for signs of trouble. And AWS spokespeople have yet to explain on the record why the company chose not to do so.
The lack of communication is arguably a bigger misstep than the malicious code, said a former AWS manager.
This isn’t the first time AI coding products have faced security issues. Lovable and Replit each have experienced problems of late, as we covered here and here.