A high-severity flaw in Amazon's AI coding assistant for Visual Studio Code has been patched after researchers discovered that malicious repositories could silently execute commands on a developer's machine and steal their AWS credentials. The vulnerability, tracked as CVE-2026-12957, was found to be exploitable through the Model Context Protocol (MCP) server configurations, which are automatically loaded by Amazon Q without user consent or workspace trust verification.
What Happened
The bug was discovered by Wiz Research and reported to Amazon on April 20. The vulnerability allowed attackers to execute arbitrary commands with full access to the developer's credentials, including AWS credentials, API keys, authentication tokens, SSH agent sockets, and other secrets already loaded into the session. To prove the attack worked, Wiz built a repository with a malicious MCP configuration and demonstrated that opening the project and activating Amazon Q caused the extension to execute a command against AWS using the developer's existing credentials.
The researchers highlighted several targeted attack vectors, including malicious pull requests to popular open-source repositories, typosquatted packages embedding hidden .amazonq/ configurations, and fake job interview coding tests where candidates are asked to clone and run attacker-controlled repositories. Amazon has patched both vulnerabilities in Language Servers for AWS version 1.69.0, which updates automatically for most users unless they have blocked automatic updates.
Background and Context
The Model Context Protocol (MCP) is a protocol that allows AI coding assistants to connect to external tools and data sources. In Amazon Q's case, the MCP server configurations are automatically loaded from .amazonq/mcp.json files within the workspace without user consent or trust verification. This creates a dangerous attack chain when combined with full environment inheritance by spawned processes.
The researchers noted that this is not an isolated incident, as other AI coding tools have been found vulnerable to similar credential-theft attacks through prompt injection in GitHub Actions earlier this year. Anthropic's Claude Code was also found vulnerable to a similar attack, and Cursor and Codeium's Windsurf have disclosed MCP-related vulnerabilities in recent months.
Why it Matters
The vulnerability highlights the importance of secure configuration management in AI coding tools. The combination of automatic loading of MCP configurations and full environment inheritance by spawned processes creates a significant attack surface that can be exploited by malicious actors. This is particularly concerning for developers who use these tools to access cloud resources, as it allows attackers to gain immediate access to sensitive credentials.
The incident also underscores the need for robust security design in AI coding assistants. Traditional cybersecurity focuses on preventing unauthorized access to systems and data, but this incident reveals something far more insidious: the weaponization of trust itself. AI agents interpret human language as instructions, which can be used to disguise malicious prompts as legitimate ones.
What Comes Next
Developers using Amazon Q Developer should update their IDE plugins to the latest available versions immediately and audit any repositories they have recently cloned for unexpected configuration files. The broader lesson is that any configuration file that can trigger code execution at clone time is a potential weapon, and the tools that auto-execute it are the ones holding the safety off.
Key Facts
- The vulnerability was tracked as CVE-2026-12957 and assigned a CVSS 4.0 score of 8.5.
- The bug allowed attackers to execute arbitrary commands with full access to the developer's credentials, including AWS credentials, API keys, authentication tokens, SSH agent sockets, and other secrets already loaded into the session.
- Amazon Q automatically loads MCP server configurations from .amazonq/mcp.json files within the workspace without user consent or trust verification.
- The vulnerability was patched in Language Servers for AWS version 1.69.0, which updates automatically for most users unless they have blocked automatic updates.
- Developers should update their IDE plugins to the latest available versions immediately and audit any repositories they have recently cloned for unexpected configuration files.