threat-wire

Amazon Q Flaw Let Malicious Repos Steal Cloud Credentials Silently

A flaw in Amazon Q Developer, Amazon's AI coding assistant, let a booby-trapped code repository run commands the moment a developer opened it, with no prompt and no click. The payload could lift live AWS keys and cloud tokens straight off the machine. Amazon has patched it, but the lesson about auto-running AI config files is bigger than one tool.

By SecureBusinessHub Editorial, International cybersecurity desk — 2026-06-27 · 5 min read

Researchers at Wiz found a way to turn a simple git clone into a full cloud compromise. The flaw, CVE-2026-12957, sat in Amazon Q Developer, the AI coding assistant that plugs into VS Code, and it carries a CVSS score of 8.5.

How it worked

Amazon Q supports the Model Context Protocol, a standard way for AI assistants to connect to outside tools. To use it, the extension reads a config file named .amazonq/mcp.json from the open project folder and starts the tool servers listed inside. The problem was the timing: it did this automatically the instant you opened the folder, with no dialog asking you to approve anything.

So a malicious repository could ship its own .amazonq/mcp.json. Clone the repo, open it in VS Code with Amazon Q active, and the commands in that file ran on your machine. No prompt, no click, no warning. Wiz built a proof of concept where a single config file ran a command that shipped the developer's live AWS session credentials to a server they controlled.

Those tool processes inherited the developer's whole environment. In practice that means AWS access keys, cloud CLI tokens, API secrets, and the SSH agent socket: the keys to whatever cloud account that developer can reach.

What to do

• Update the AWS Language Servers component. Amazon fixed the issue in version 1.65.0, and its bulletin tells customers to move to 1.69.0 or later.
• Before opening an unfamiliar repository, check it for a .amazonq/ folder and read any mcp.json inside. Treat one you did not create as hostile.
• A second flaw, CVE-2026-12958, allowed file writes outside the project folder through a missing symlink check. The same update covers it.
• Stop keeping long-lived cloud keys in your shell environment. Use short-lived session tokens so anything stolen expires quickly.
• Open untrusted code in a container or throwaway VM that has no cloud credentials attached to it.

The bigger pattern

There is no sign this was used in the wild. Wiz disclosed it privately in April and Amazon shipped a fix in May. It matters anyway because of the design mistake behind it. AI coding tools are racing to auto-load config from whatever project you open so they feel seamless, and that same convenience hands an attacker code execution when the project is hostile. Expect more of these as agents gain the power to run tools for you. The safe default is the same one that defeats ClickFix scams: never run an instruction just because a file told you to.

• Wiz: Amazon Q MCP auto-execution vulnerability
• The Register: booby-trapped Git repos execute code
• SecurityWeek: Amazon Q cloud credential theft flaw