Amazon's generative AI programming assistant, Amazon Q, has recently been the target of a hacking incident. Malicious code spread through GitHub repositories and Visual Studio Code extensions, impacting nearly a million users. The hackers attempted to insert commands aimed at deleting user files and cloud resources via disguised pull requests, thereby exposing vulnerabilities in Amazon's code review process. Fortunately, the malicious code was not executed. Nonetheless, this incident has sparked profound reflection within the industry concerning the security management of open-source workflows. Experts emphasize that the root of the problem lies in the lack of robust access control and review mechanisms, rather than the open-source model itself. In response, Amazon has swiftly released a fixed version and urged users to update their systems promptly.
