You’re absolutely right that we don’t have a complete postmortem—and that’s exactly the problem.
I’d love to have real facts from AWS about the full scope of this incident. But instead of a disclosure, we got a version quietly pulled from the VS Code extension marketplace, no CVE, no changelog note, and a statement that reads like it was pre-approved by legal and sanitized with a pressure washer.
When a malicious prompt that attempts to wipe both local and cloud resources makes it into a shipping release of a tool that’s been installed nearly a million times, I don’t think “hey maybe we should talk about this” qualifies as breathless or clickbait. It qualifies as basic scrutiny.
And yes, I’ve praised AWS’s security posture before. I’d still prefer they lead with transparency instead of hoping no one notices the /tmp/CLEANER.LOG.
QuinnyPig|7 months ago
I’d love to have real facts from AWS about the full scope of this incident. But instead of a disclosure, we got a version quietly pulled from the VS Code extension marketplace, no CVE, no changelog note, and a statement that reads like it was pre-approved by legal and sanitized with a pressure washer.
When a malicious prompt that attempts to wipe both local and cloud resources makes it into a shipping release of a tool that’s been installed nearly a million times, I don’t think “hey maybe we should talk about this” qualifies as breathless or clickbait. It qualifies as basic scrutiny.
And yes, I’ve praised AWS’s security posture before. I’d still prefer they lead with transparency instead of hoping no one notices the /tmp/CLEANER.LOG.
unknown|7 months ago
[deleted]