
Threat Report 7/29/25


AWS Responds to Malicious Prompt Found in Amazon Q Visual Studio Code Extension
 


A malicious prompt was discovered in version 1.84 of Amazon’s Q Developer extension for Visual Studio Code. The prompt, inserted via a GitHub pull request on July 13, instructed the AI assistant to use its command-line access to delete files from a user’s system and cloud resources, starting with the home directory and using AWS CLI commands. Although the extension appeared non-functional, AWS quickly removed the compromised version from the VS Code marketplace, silently replaced it with version 1.85, and updated contribution guidelines on July 18. 

AWS stated that no customer resources were impacted and that the vulnerability in the open-source repositories has been fully addressed. The company emphasized that no further action is required from users, though running the latest version is recommended as a precaution. The incident raises broader concerns about the security of AI-based coding tools, especially as it follows another report where Replit's assistant allegedly deleted an important database without any known malicious input. 

 

More Information: 

https://www.tomshardware.com/tech-industry/cyber-security/hacker-injects-malicious-potentially-disk-wiping-prompt-into-amazons-ai-coding-assistant-with-a-simple-pull-request-told-your-goal-is-to-clean-a-system-to-a-near-factory-state-and-delete-file-system-and-cloud-resources  

 


Evolving Threats from Russian State-Sponsored Cyber Actors and APT28
 

 

Russian nation-state cyber actors are among the most advanced and persistent threats in the global cyber landscape. Their operations are highly strategic, targeting Western governments, critical infrastructure, defense contractors, and political institutions. These campaigns rely on a blend of cyber espionage, advanced malware, and "living-off-the-land" techniques that allow attackers to operate covertly within trusted environments. Their activity is not opportunistic but deliberate and sustained, with the goal of maintaining long-term access for future disruption, surveillance, or influence operations. 

 

A prominent threat group, APT28—also known as Fancy Bear, Sofacy, Sednit, STRONTIUM, and Pawn Storm—has played a central role in Russia’s cyber campaigns. The group continues to pose a serious threat through both espionage and disruptive actions. Recent intelligence highlights a shift in APT28’s tactics, techniques, and procedures (TTPs), which have become more sophisticated and harder to detect. Notably, the group has expanded its targeting to include a broader range of critical infrastructure and private sector organizations. 

 

This evolution underscores the increasing threat to national security, economic stability, and organizational resilience. APT28's actions reflect Russia’s broader cyber warfare strategy, which is designed not only to gather intelligence but also to weaken adversaries and escalate geopolitical tensions. These developments emphasize the need for heightened vigilance and robust defensive measures across both public and private sectors. 

 




Multiple Vulnerabilities in Microsoft SharePoint Server Could Allow for Remote Code Execution 

 

Multiple vulnerabilities have been discovered in Microsoft SharePoint Server, which could allow for remote code execution. Microsoft SharePoint Server is a web-based collaborative platform that integrates with Microsoft Office. Successful exploitation of these vulnerabilities allows for unauthenticated access to systems and enables malicious actors to fully access SharePoint content, including file systems and internal configurations, and execute code over the network.

 

Affected Systems: 

  • Microsoft SharePoint Server Subscription Edition prior to security update KB5002768 
  • Microsoft SharePoint Server 2019 Core prior to security update KB5002754 
  • Microsoft SharePoint Server 2019 Language Pack prior to security update KB5002753 
  • Microsoft SharePoint Enterprise Server 2016 prior to security update KB5002760 
  • Microsoft SharePoint Enterprise Server 2016 Language Pack prior to security update KB5002759 

 

Risk: 

  • Large and medium business entities: High  
  • Small business entities: Medium  

 

Remediation Recommendations 

  • Ensure all Microsoft-provided updates are applied 
  • Enact the Principle of Least Privilege (limit higher-level privileges to only the users who need them)


 

  

Multiple Vulnerabilities in Google Chrome Could Allow for Arbitrary Code Execution
 



Multiple vulnerabilities have been discovered in Google Chrome, the most severe of which could allow for arbitrary code execution in the context of the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

 

Affected Systems: 

  • Chrome prior to 138.0.7204.157/.158 for Windows and Mac 
  • Chrome prior to 138.0.7204.157 for Linux  

Risk: 

  • Large and medium business entities: High  
  • Small business entities: Medium  

 

Remediation Recommendations 

  • Ensure all devices using Google Chrome have the latest version(s) installed 
  • Enact the Principle of Least Privilege (limit higher-level privileges to only the users who need them)


 


Ransomware Operation Uses AI Chatbot to Conduct Negotiations
 

 

Researchers at Picus Security have published a report on the GLOBAL GROUP ransomware-as-a-service operation, noting that the group is using an AI chatbot to conduct ransom negotiations. Victims access the chatbot by following a Tor link in the ransom note. Picus states, "Once accessed, the victim is greeted by an AI-powered chatbot designed to automate communication and apply psychological pressure. The panel is built for non-technical users, with prompts to upload a sample encrypted file for free decryption verification. All correspondence occurs over a secure channel with a timer displayed to reinforce urgency." 

The researchers add, "The integration of AI chat automation reduces the affiliate workload and ensures negotiations proceed even in the absence of human operators, enabling GLOBAL to scale victim engagement across time zones, languages, and organizational profiles." 

 
