The Amazon Q Developer VS Code Extension is reportedly vulnerable to stealthy prompt injection attacks using invisible Unicode Tag characters.
According to the author of the “Embrace The Red” blog, the developer-focused extension for Visual Studio Code powered by Amazon Q can be used by attackers to execute malicious instructions (via the invisible characters) embedded within otherwise innocuous text.
“Amazon Q Developer fails to sanitize invisible Unicode Tag characters,” the author said in a blog. “These characters can be embedded into seemingly harmless text, triggering hidden behavior when processed.”
Invisible Unicode Tag characters, normally used for obscure text tagging, are special symbols that don’t show up on screen but still get processed by computers, making them a sneaky way to hide instructions in plain sight.
AI understands the tiny, invisible tags
The invisible Unicode Tag characters, unseen by developers, are understood by AI, allowing attackers to smuggle hidden instructions into prompts.
In a proof-of-concept (POC) demonstrated within the blog, attackers embedded these tags into a file that appeared in VS Code, yet triggered Amazon Q to follow hidden directives–including the triggering of arbitrary code execution via previously described exploits.
The combination of invisible injection and legacy exploits like “find -exec” makes for a potent threat vector. The vulnerability was disclosed to AWS on July 5 after the author identified no official bug-bounty path and submitted the report to a GitHub-found email.
Following some communication delays, because Amazon’s AI products initially weren’t in scope, the issue was eventually accepted into the HackerOne vulnerability disclosure program, according to the blog.
The model creator won’t fix the flaw
The issue is apparently inherited from Anthropic’s Claude, which powers Amazon Q, and Anthropic will, reportedly, not fix it. “Anthropic models are known to interpret invisible Unicode Tag characters as instructions,” the author said. “This is not something that Anthropic intends to fix, to my knowledge, see this post regarding their response.”
Anthropic had reportedly declined to fix the prompt injection vector, saying, “After reviewing your report, we were unable to identify any security impact. As such, this has been marked as Not Applicable.” Anthropic did not immediately respond to CSO’s request for comments.
The author, using the alias “WunderWuzzi” for the blog, noted that developers building atop Claude, Amazon Q included, must block these attacks on their own. Most models still parse invisible prompt injection, except OpenAI, which has tackled the issue directly at the model/API layer.
By August 8, 2025, AWS reported the vulnerability resolved, the author said in the blog. However, “no public advisory or CVE will be issued,” so users should ensure they’re running the latest version of Amazon Q Developer for safety.
AWS, too, did not immediately respond to CSO’s request for comments.
Amazon Q Developer VS Code extension, downloaded over a million times, is drawing significant adversarial attention. Just last month, an attacker inserted destructive code into the tool, which was then propagated through an official update.
No Responses