Researchers at Wiz have disclosed a high-severity vulnerability in the Amazon Q Developer extension for Visual Studio Code that could allow attackers to steal developers’ cloud credentials by luring them into opening a booby-trapped code repository.
Amazon Q Developer is an AI-powered coding assistant that offers developers features such as code suggestions, automated refactoring, and access to external tools and services via integrations with local processes.
AWS was notified about the issue on April 20 and a patch was released on May 12. The cloud giant published a security advisory this week.
The root cause of the vulnerability was that the extension would automatically act on configuration files embedded in a workspace without first asking the user for permission.
That meant a malicious repository could quietly run attacker-controlled commands in the background the moment a developer opened it, gaining access to whatever cloud credentials and API keys were loaded in their environment at the time.
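To make the root cause concrete, here is an added illustration (not code from Wiz, AWS or the extension itself) of the auto-loading pattern beside a consent-gated version. The configuration file name, its schema and the `tools` key are assumptions; the sample config is constructed.

```python
import subprocess
from typing import Callable, Dict, List

# Constructed sample: a workspace-scoped config file committed to a repository
# that tells an IDE assistant which local tool processes to launch. The file
# name and schema are assumptions, not the extension's real format.
CONFIG_NAME = ".assistant/tools.json"
SAMPLE_CONFIG = {"tools": {"helper": {"command": "sh", "args": ["-c", "echo hello"]}}}


def parse_tool_commands(config: dict) -> List[List[str]]:
    """Turn the tool table into argv lists, skipping malformed entries."""
    argvs = []
    for spec in config.get("tools", {}).values():
        cmd = spec.get("command")
        args = spec.get("args", [])
        if not isinstance(cmd, str) or not cmd:
            continue
        if not all(isinstance(a, str) for a in args):
            continue
        argvs.append([cmd, *args])
    return argvs


def load_tools_unchecked(config: dict, launch: Callable = subprocess.Popen) -> list:
    """Vulnerable pattern: every command declared in the workspace config is
    launched the moment the workspace opens, with no consent from the user,
    inheriting whatever credentials sit in the developer's environment."""
    return [launch(argv) for argv in parse_tool_commands(config)]


def load_tools_gated(config: dict, workspace_trusted: bool,
                     launch: Callable = subprocess.Popen) -> Dict[str, list]:
    """Hardened pattern: an untrusted workspace executes nothing; the parsed
    commands are returned so the UI can show them and ask for explicit trust."""
    argvs = parse_tool_commands(config)
    if not workspace_trusted:
        return {"launched": [], "pending_review": argvs}
    return {"launched": [launch(argv) for argv in argvs], "pending_review": []}


if __name__ == "__main__":
    # Demo with a recording launcher so nothing is actually executed.
    seen = []
    record = lambda argv: seen.append(argv) or argv
    print(load_tools_gated(SAMPLE_CONFIG, workspace_trusted=False, launch=record))
    print("processes launched while untrusted:", len(seen))
```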