undefined | Better HN

0 pointsshdjhdfh8mo ago0 comments

Ah, I think it might have been this, which was reverted and seems to have been pushed directly to master: https://github.com/aws/aws-toolkit-vscode/commit/678851bbe97...

0 comments

personalcompute8mo ago

I think you've got it!

- That commit's date matches the date in the 404media article (July 13th)

- The commit message is totally unrelated to the code (highly suspicious)

- The code itself downloads additional code at runtime (highly highly suspicious)

I have not yet been unable to uncover the code it downloads though. It downloaded code that was hosted in the same repo, https://github.com/aws/aws-toolkit-vscode/, just on the "stability" branch. (downloads a file called "scripts/extensionNode.bk") The "stability" branch presumably was a branch created by the attacker, and has presumably since been deleted by Amazon.

personalcompute8mo ago

Update: I've uncovered the attacker's commit to the now-deleted "stability" branch that includes the offending prompt, it's https://github.com/aws/aws-toolkit-vscode/commit/1294b38b7fa.... (Archive: https://archive.md/s9WnJ)

rusteh18mo ago

I'm not a git expert, but how was the attacker able to push the stability branch directly to the Amazon owned repo? The PR would have been to merge the modified branch to main right?

shdjhdfhOP8mo ago

My guess is that skywhopper is correct. We're only able to see the tail end of the attack, but the repo was likely compromised in some way.

wunderwuzzi238mo ago

AWS issued a post and they talk about revoking and replacing a credential.

So maybe the hacker was able to directly push?

https://aws.amazon.com/security/security-bulletins/AWS-2025-...

1 more reply

shdjhdfhOP8mo ago

Another thing to note, the AI angle on this is nonsensical. The commit could have just as easily done many other negative things to the system without AI as a layer of indirection.

dylnuge8mo ago

Neither the 404 Media article nor this one claim otherwise. I think the key "AI angle" here is this (from the 404 Media article):

> Hackers are increasingly targeting AI tools as a way to break into peoples’ systems.

There are a lot of AI tools which run with full permission to execute shell commands or similar. If the same kind of compromise happened to aws-cli, it could be equally catastrophic, but it's not clear that the attack vector the hacker used would have been viable on a repo with more scrutiny.

Corrado8mo ago

I think the AI angle for this is that it is a force multiplier. You don't have to write specific commands, you just have to prompt generic things and it will helpfully fill in all the details. This also allows you to avoid having certain keywords in the PR (ie. `rm -rf`) and possibly evade detection.

j / k navigate · click thread line to collapse

0 comments

personalcompute8mo ago

I think you've got it!

- That commit's date matches the date in the 404media article (July 13th)

- The commit message is totally unrelated to the code (highly suspicious)

- The code itself downloads additional code at runtime (highly highly suspicious)

personalcompute8mo ago

rusteh18mo ago

I'm not a git expert, but how was the attacker able to push the stability branch directly to the Amazon owned repo? The PR would have been to merge the modified branch to main right?

shdjhdfhOP8mo ago

My guess is that skywhopper is correct. We're only able to see the tail end of the attack, but the repo was likely compromised in some way.

wunderwuzzi238mo ago

AWS issued a post and they talk about revoking and replacing a credential.

So maybe the hacker was able to directly push?

https://aws.amazon.com/security/security-bulletins/AWS-2025-...

1 more reply

shdjhdfhOP8mo ago

Another thing to note, the AI angle on this is nonsensical. The commit could have just as easily done many other negative things to the system without AI as a layer of indirection.

dylnuge8mo ago

Neither the 404 Media article nor this one claim otherwise. I think the key "AI angle" here is this (from the 404 Media article):

> Hackers are increasingly targeting AI tools as a way to break into peoples’ systems.

Corrado8mo ago

j / k navigate · click thread line to collapse