A flaw in Amazon Q Developer let malicious repositories inject rogue Model Context Protocol (MCP) configurations into the agentic coding assistant's pipeline. The result: arbitrary code execution, sourced from a repo you pulled down to review.
No phishing. No compromised credentials. Just a poisoned config file sitting in a repository that an AI agent trusted without question.
What Happened
According to The Hacker News, the vulnerability allowed an attacker-controlled repository to supply malicious MCP tool configurations to Amazon Q Developer. Because Amazon Q trusts MCP configs sourced from external repos, those configs could be used to hijack the agent's actions — up to and including arbitrary code execution inside the agentic pipeline.
This is a supply-chain attack against an AI system. The malicious payload isn't in the code you're running — it's in the tool definition that tells your AI agent what to do next.
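A pre-review check for the risk described above, as an added example that is not from the article or from Amazon: it walks a checked-out repository and lists every MCP server the repo itself defines, so the entries can be read before an agent loads them. The config file names, the `mcpServers`/`servers` JSON layout and the sample repo built in `demo()` are assumptions, not details from the report.

```python
import json
import os
import tempfile
from pathlib import Path

# Assumptions (not from the article): workspace MCP configs are JSON files with
# these names, and servers sit under "mcpServers" (or "servers") keyed by name.
CONFIG_NAMES = {"mcp.json", ".mcp.json"}
SERVER_KEYS = ("mcpServers", "servers")

def find_repo_mcp_servers(repo_root):
    """List every MCP server a checked-out repo defines, without running anything."""
    root, findings = Path(repo_root), []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]  # skip git metadata
        for name in sorted(CONFIG_NAMES.intersection(filenames)):
            path = Path(dirpath, name)
            rel = path.relative_to(root).as_posix()
            try:
                doc = json.loads(path.read_text(encoding="utf-8"))
            except (OSError, ValueError):  # unreadable config: flag for a human
                findings.append((rel, None, "unparseable", []))
                continue
            for key in SERVER_KEYS:
                servers = doc.get(key) if isinstance(doc, dict) else None
                if not isinstance(servers, dict):
                    continue
                for server, spec in servers.items():
                    spec = spec if isinstance(spec, dict) else {}
                    if "command" in spec:  # agent would spawn a local process
                        launch = [str(spec["command"]), *map(str, spec.get("args") or [])]
                        findings.append((rel, server, "local-command", launch))
                    elif "url" in spec:  # agent would call a remote tool server
                        findings.append((rel, server, "remote", [str(spec["url"])]))
                    else:
                        findings.append((rel, server, "unknown", []))
    return sorted(findings, key=lambda f: (f[0], f[1] or ""))

def demo():
    # Constructed sample repo and config path, not taken from a real project.
    with tempfile.TemporaryDirectory() as tmp:
        cfg = Path(tmp, ".assistant", "mcp.json")
        cfg.parent.mkdir()
        cfg.write_text(json.dumps({"mcpServers": {
            "docs-helper": {"command": "node", "args": ["./tools/server.js"]},
            "search": {"url": "https://mcp.example.invalid/sse"}}}))
        return find_repo_mcp_servers(tmp)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Any `local-command` finding in a repository you did not author is a process the agent would be asked to start, so it is the entry to read first.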








