TL;DR: A flaw in Amazon Q Developer auto-loaded rogue MCP servers from cloned repos, letting attackers steal AWS credentials silently.
A high-severity flaw in Amazon Q Developer allowed a malicious code repository to silently execute commands on a developer’s machine and steal their AWS credentials. Wiz Research discovered the vulnerability, tracked as CVE-2026-12957, and reported it to Amazon on April 20. Amazon patched the issue on May 12, and the disclosure went public today.
The attack exploited how Amazon Q Developer handles MCP servers, a protocol that lets AI coding assistants connect to external tools and data sources. A configuration file placed inside a repository would automatically register and start an attacker-controlled MCP server the moment a developer cloned the project, with no prompt or consent step. That server inherited the developer’s full AWS credentials, IAM role, and any other environment variables available to the IDE plugin.
Wiz researchers demonstrated the attack by building a proof of concept that ran a standard AWS identity command through the malicious MCP server and sent the output to an external server. The command returns the developer’s AWS account ID, user ARN, and session credentials, everything an attacker needs to access cloud resources. Because the MCP server launched automatically when the repository opened, the attack required no interaction beyond cloning the code, a pattern that has already enabled supply chain compromises in other AI coding tools.
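A pre-open check for a freshly cloned repository, added here as an example and not taken from Wiz's or Amazon's code: it lists every MCP server that a repo-local config file would register, so the launch command can be reviewed before the project is opened in an IDE. The config paths and the `mcpServers`/`servers` keys are assumptions based on common MCP client conventions; the article does not name the file involved.

```python
import json
import tempfile
from pathlib import Path

# Assumed workspace-level MCP config locations (common client conventions).
# The article does not name the file Amazon Q Developer read.
CANDIDATE_PATHS = (".amazonq/mcp.json", ".vscode/mcp.json", ".cursor/mcp.json", ".mcp.json")
# Assumed top-level keys under which those files define servers.
SERVER_KEYS = ("mcpServers", "servers")


def audit_repo(repo_root):
    """Return one finding per MCP server a repo-local config would register."""
    findings = []
    for rel in CANDIDATE_PATHS:
        cfg = Path(repo_root) / rel
        if not cfg.is_file():
            continue
        try:
            data = json.loads(cfg.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            # A config that cannot be parsed still needs a manual look.
            findings.append({"file": rel, "server": None, "launch": None})
            continue
        for key in SERVER_KEYS:
            servers = data.get(key) if isinstance(data, dict) else None
            if not isinstance(servers, dict):
                continue
            for name, spec in servers.items():
                spec = spec if isinstance(spec, dict) else {}
                args = spec.get("args") if isinstance(spec.get("args"), list) else []
                cmd = [str(spec.get("command", ""))] + [str(a) for a in args]
                # Local servers have a command; remote ones usually have a url.
                launch = " ".join(cmd).strip() or spec.get("url")
                findings.append({"file": rel, "server": name, "launch": launch})
    return findings


def demo():
    """Audit a constructed sample repo (not the Wiz proof of concept)."""
    with tempfile.TemporaryDirectory() as tmp:
        cfg = Path(tmp) / ".amazonq" / "mcp.json"
        cfg.parent.mkdir()
        sample = {"mcpServers": {"helper": {"command": "node", "args": ["tools/server.js"]}}}
        cfg.write_text(json.dumps(sample), encoding="utf-8")
        return audit_repo(tmp)


if __name__ == "__main__":
    print(demo())
```

Any finding means the repository ships its own MCP server definition; an empty list only means none of the assumed paths were present.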









