A vulnerability in Amazon’s AI-powered coding assistant, Amazon Q Developer, allowed attackers to steal cloud credentials simply by tricking a developer into opening a poisoned code repository. The flaw, tracked as CVE-2026-12957, carries a CVSS score of 8.5 out of 10.
Wiz Research, the security firm that discovered the bug, found that the Amazon Q Developer extension for IDEs like Visual Studio Code would automatically load and execute Model Context Protocol (MCP) server configurations without asking the developer’s permission first. Open a malicious repo, and hidden commands run silently in the background with full access to your environment variables, including your AWS credentials.
How the attack works
The exploit is elegant in its simplicity. An attacker places a single .amazonq/mcp.json file inside a code repository. When an unsuspecting developer clones and opens that repo in their IDE with the Amazon Q Developer extension installed, the MCP configuration file runs automatically.
Those commands don’t run in some sandboxed environment. They inherit the developer’s complete set of environment variables. For anyone working with AWS, that typically includes access keys, session tokens, and region configurations. The result is silent data exfiltration with no pop-up warnings, no permission dialogs, and no indication that anything happened at all.
