Status: Critical / Supply Chain Injection
The Amazon Q Supply Chain Breach (July 2025)
CISO Perspective: In July 2025, a single 10-line prompt nearly turned every developer running Amazon Q into the operator of a system wiper. No malware. No exploit. No breach. The AI was told to be helpful, and it was.
At a Glance
- Time. July 2025.
- Severity. Critical.
- Threat class. Supply Chain Injection.
- What happened. A malicious system prompt shipped in Amazon Q v1.84.0 instructed the AI to wipe user systems and AWS resources.
- Where the failure was. Execution layer. The agent was trusted. The permissions were valid. The prompt was the payload.
- Tier mapping. Tier 2 — Workflow and Platform Automation.
Postmortem: The Structural Failure
In July 2025, v1.84.0 of the Amazon Q extension for VS Code was released containing a malicious system prompt. The prompt did not contain malicious code; it contained malicious instructions. It told the AI to act as a “system cleaner,” specifically targeting the user’s home directory and active AWS CLI profiles to terminate EC2 instances, wipe S3 buckets, and delete IAM users.
What Went Wrong?
- The “Trusted Contributor” Blind Spot: The malicious pull request (PR) was merged into the open-source repository because it bypassed standard CI/CD security reviews. Traditional scanners look for “secrets” (API keys) or “vulnerabilities” (buffer overflows), but they have no mechanism to evaluate the intent of natural language instructions.
- Permissions Without Oversight: The AI agent inherited the developer’s local and cloud permissions. Because the AI was “trusted” by the IDE, it had the “authority” to execute bash commands and CLI calls without further verification.
- Helpfulness as a Vulnerability: The model was trained to be helpful and follow instructions. When the injected prompt told it to “clean the system,” the AI optimized for that goal, unaware it was executing a destructive wiper attack.
Broader AI Security Context: The Semantic Blind Spot
As we move through 2026, the primary threat is no longer “bad code,” but “bad intent.” Legacy security stacks are “semantically blind.” They can stop a virus, but they cannot stop a perfectly valid aws s3 rm --recursive command triggered by an AI that has been told it’s doing its job. Security must shift from scanning binaries to controlling autonomous execution.
How Mountain Theory Stops It
Mountain Theory operates as a real-time circuit breaker between inference and execution. The architecture is three agents working in concert.
Policy AI defines the boundary in plain language. For a coding assistant, destructive system commands targeting user directories or production cloud resources are not authorized actions. The rule is written once, in natural language, and enforced everywhere the assistant runs.
Had Mountain Theory been deployed in this environment, the attack would have stopped at the execution layer. When the compromised Amazon Q extension attempted its first destructive command, Guardian AI would have intercepted the action in under 200ms. The request would have been evaluated against the policy boundary and returned BLOCK.
Adjudicator AI would have captured the event with full audit trail, flagged the supply chain origin of the malicious prompt, and fed the learning back to Policy AI so the same pattern is recognized everywhere Mountain Theory deploys.
No file touched. No bucket wiped. No IAM user deleted. The agent reaches the execution layer, and the answer is no.
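An execution-layer check of the kind described above can be sketched as a gate that evaluates each command an agent proposes before it reaches the shell. This is an added example, not code from Mountain Theory, Amazon Q or the original page. The deny-list, the function names and the /home/dev home path are assumptions, and a static filter like this does not see through eval, scripts or variable indirection.

```python
import shlex

# Assumed policy (illustrative): AWS CLI operations a coding assistant may never run.
DENY_AWS = {("ec2", "terminate-instances"), ("iam", "delete-user"),
            ("s3", "rb"), ("s3api", "delete-bucket")}
# AWS CLI global options that consume the next token as their value.
AWS_VALUE_OPTS = {"--profile", "--region", "--output", "--endpoint-url"}
SHELL_PUNCT = set("();<>|&")

def split_commands(line):
    """Tokenize without expanding or executing, then split on shell operators."""
    lexer = shlex.shlex(line, posix=True, punctuation_chars=True)
    lexer.whitespace_split, lexer.commenters = True, ""  # keep '#' literal
    commands = [[]]
    for tok in lexer:
        if tok and set(tok) <= SHELL_PUNCT:
            commands.append([])
        else:
            commands[-1].append(tok)
    return [c for c in commands if c]

def verdict(argv, home):
    prog, args = argv[0].rsplit("/", 1)[-1], argv[1:]
    if prog == "aws":
        words, skip = [], False
        for a in args:  # keep positionals only, so options cannot hide the operation
            if not skip and not a.startswith("-"):
                words.append(a)
            skip = not skip and a in AWS_VALUE_OPTS
        op = tuple(words[:2])
        if op in DENY_AWS or (op == ("s3", "rm") and "--recursive" in args):
            return "BLOCK"
    if prog == "rm":
        flags = [a for a in args if a.startswith("-")]
        recursive = "--recursive" in flags or any(
            "r" in f.lower() for f in flags if not f.startswith("--"))
        protected = {"/", "~", "$HOME", "${HOME}", home.rstrip("/")}
        targets = [a.removesuffix("/*").rstrip("/") or "/"
                   for a in args if not a.startswith("-")]
        if recursive and any(t in protected for t in targets):
            return "BLOCK"
    return "ALLOW"

def evaluate(line, home="/home/dev"):
    """BLOCK if any sub-command violates the policy; malformed input fails closed."""
    try:
        commands = split_commands(line)
    except ValueError:  # e.g. unbalanced quotes
        return "BLOCK"
    return "BLOCK" if any(verdict(c, home) == "BLOCK" for c in commands) else "ALLOW"
```

The gate only returns a decision; the caller is expected to refuse execution and log the command on BLOCK.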
Sources. AWS Security Bulletin AWS-2025-015 (aws.amazon.com/security/security-bulletins/AWS-2025-015). GitHub Security Advisory GHSA-7g7f-ff96-5gcw (github.com/aws/aws-toolkit-vscode). CVE-2025-8217. Press: CSO Online (csoonline.com).
Pattern
Helpfulness is not a security control. Trust at the IDE layer means nothing if the execution layer is unguarded.