item 44664011

personalcompute | 7 months ago

I think you've got it!

- That commit's date matches the date in the 404media article (July 13th)

- The commit message is totally unrelated to the code (highly suspicious)

- The code itself downloads additional code at runtime (highly highly suspicious)

I have not yet been able to uncover the code it downloads though. It downloaded code that was hosted in the same repo, https://github.com/aws/aws-toolkit-vscode/, just on the "stability" branch (it downloads a file called "scripts/extensionNode.bk"). The "stability" branch was presumably created by the attacker, and has presumably since been deleted by Amazon.

rusteh1 | 7 months ago

I'm not a git expert, but how was the attacker able to push the stability branch directly to the Amazon owned repo? The PR would have been to merge the modified branch to main right?

shdjhdfh | 7 months ago

My guess is that skywhopper is correct. We're only able to see the tail end of the attack, but the repo was likely compromised in some way.