Amazon Q Developer vulnerability allows silent AWS credential theft via malicious repos

Amazon patched a high-severity vulnerability in its Amazon Q Developer AI coding assistant on May 12 after researchers at Wiz showed that cloning a malicious Git repository could silently steal a developer's full AWS credentials. The flaw, tracked as CVE-2026-12957, required no user interaction beyond opening the cloned project.

Wiz Research reported the issue to Amazon on April 20. The attack exploited how Amazon Q Developer handles MCP servers, a protocol that allows AI coding assistants to connect to external tools and data sources. A configuration file placed inside a repository would automatically register and start an attacker-controlled MCP server the moment a developer cloned the project. No consent prompt appeared. That server inherited the developer's full AWS credentials, IAM role, and any other environment variables available to the IDE plugin.

How the attack worked and what it exposed

Wiz researchers built a proof of concept that ran a standard AWS identity command through the malicious MCP server and sent the output to an external server. The command returns the developer's AWS account ID, user ARN, and session credentials, everything needed to access cloud resources. Because the MCP server launched automatically when the repository opened, the attack required no interaction beyond cloning the code, a pattern that has already enabled supply chain compromises in other AI coding tools.

• Amazon fixed CVE-2026-12957 by requiring explicit user approval before any MCP server can start.
• A second flaw, CVE-2026-12958, showed the plugin failed to check for symbolic links when writing workspace files, allowing arbitrary file writes.
• Amazon patched both issues in updated versions of Language Servers for AWS and corresponding IDE plugins for VS Code, JetBrains, Eclipse, and Visual Studio.
• Amazon says there is no evidence the flaw was exploited in the wild.

Broader pattern across AI coding tools

The disclosure adds Amazon Q Developer to a growing list of AI coding tools found vulnerable to supply chain attacks that exploit the trust these tools place in repository contents. Anthropic's Claude Code was found vulnerable to a similar credential-theft attack through prompt injection in GitHub Actions earlier this year. Cursor and Codeium's Windsurf have also disclosed MCP-related vulnerabilities in recent months. The underlying problem is that MCP, by design, gives AI assistants the ability to call external tools with whatever permissions the host application holds. When a repository can silently register an MCP server that inherits a developer's cloud credentials, the attack surface expands from the code itself to every service the developer can access.

Developers using Amazon Q Developer should update their IDE plugins to the latest available versions immediately and audit any repositories they have recently cloned for unexpected configuration files. CISA's advisory database lists no known attacks, but the vulnerability highlights a persistent risk in AI developer tooling: any configuration file that can trigger code execution at clone time is a weapon, and the tools that auto-execute it are the ones holding the safety off.