A vulnerability in Amazon's Q Developer allowed malicious repositories to obtain AWS credentials through deceptive MCP servers.

      TL;DRA: A critical vulnerability in Amazon Q Developer enabled maliciously cloned MCP servers to be auto-loaded, allowing attackers to quietly obtain AWS credentials.

      A severe flaw in Amazon Q Developer facilitated the silent execution of commands on a developer’s machine via a harmful code repository, thereby compromising AWS credentials. This vulnerability, identified by Wiz Research and labeled CVE-2026-12957, was reported to Amazon on April 20. Amazon issued a fix on May 12, and the details were made public today.

      The exploit took advantage of how Amazon Q Developer manages MCP servers, which enable AI coding assistants to interface with external tools and data. A configuration file embedded in a repository would automatically register and launch a server controlled by the attacker as soon as a developer cloned the project, without any prompt for approval. This server would gain access to the developer’s AWS credentials, IAM role, and other environment variables utilized by the IDE plugin.

      Wiz researchers showcased the attack by creating a proof of concept that executed a standard AWS identity command through the malicious MCP server, which then relayed the results to an external server. This command returned crucial information, including the developer’s AWS account ID, user ARN, and session credentials—everything needed for an attacker to access cloud resources. Since the MCP server activated automatically upon opening the repository, the attack required no more than cloning the code, a method that has already facilitated supply chain attacks in other AI coding frameworks.

      Amazon resolved the issue by mandating explicit user consent prior to launching any MCP server and by limiting the environment variables accessible to these servers. A second issue uncovered during the same assessment, CVE-2026-12958, indicated that the plugin neglected to check for symbolic links when writing workspace files, permitting an attacker to create arbitrary files anywhere on the developer’s system. Amazon addressed both vulnerabilities in updated versions of Language Servers for AWS, as well as the relevant IDE plugins for VS Code, JetBrains, Eclipse, and Visual Studio.

      This disclosure adds Amazon Q Developer to a growing roster of AI coding tools identified as susceptible to supply chain attacks that leverage the inherent trust in repository contents. Earlier this year, Anthropic’s Claude Code was found vulnerable to a similar credential-theft attack through prompt injection in GitHub Actions. MCP-related vulnerabilities have also been revealed in Cursor and Codeium’s Windsurf in recent months.

      The core issue is that MCP inherently enables AI assistants to call external tools with the same permissions held by the host application. When a repository can covertly register an MCP server that inherits a developer’s cloud credentials, the potential for attack broadens beyond just the code to include every service the developer can access. Amazon states there is no indication that this flaw has been exploited in the wild, and CISA’s advisory database shows no known attacks.

      Developers utilizing Amazon Q Developer should promptly update their IDE plugins to the latest versions and review any recently cloned repositories for unexpected configuration files. The overarching takeaway remains consistent across AI developer tools: any configuration file that can initiate code execution at clone time serves as a potential weapon, while the tools that execute them automatically are ineffective at safeguarding against such threats.

      Published June 26, 2026 - 4:49 pm UTC