Cloud Credential Theft Exploit Highlights Growing Risk in AI Infrastructure
A high-severity security vulnerability in Amazon Web Services’ (AWS) developer extension for Visual Studio Code has been fixed, but not before researchers demonstrated how attackers could execute arbitrary code and steal cloud credentials by exploiting a weakness in Model Context Protocol (MCP) servers. This flaw showcases the growing risk associated with MCP vulnerabilities, which are emerging as a weak link in organizational artificial intelligence infrastructure.
The bug, tracked as CVE-2026-12957, was discovered by researchers from Wiz Research and stemmed from Amazon Q’s handling of MCP servers. By default, these servers automatically loaded and executed configurations from workspace files without requiring user approval. This allowed an attacker to access sensitive secrets available in the developer’s session, including AWS credentials, API keys, SSH agent sockets, and more. “Combined with full environment inheritance, this enabled immediate code execution,” observed Maor Dokhanian, threat researcher at Wiz.
The vulnerability affects developers using the Amazon Q Developer extension for Visual Studio Code, as well as other integrated development environments (IDEs) such as JetBrains, Eclipse, and Visual Studio. While AWS has since remediated the issue with an update to Language Server version 1.65.0, the incident fits a broader pattern affecting AI coding tools in MCP ecosystems: similar issues have been independently discovered by OX Security and Check Point, underscoring how involved MCP vulnerabilities can be.
MCP servers are a critical component in linking AI agents with other enterprise systems, which makes them an attractive target for attackers. Experts note that because MCP issues are architectural, they cannot be fully addressed immediately through patching or configuration changes. In this case, the vulnerability affects the development environment, and because of the permissions developers hold, its reach can extend into numerous cloud assets and even the supply chain.
An attacker could exploit this flaw by creating a malicious repository that, relying on Amazon Q's default handling of MCP servers, gains access to cloud credentials. This is a realistic threat model that aligns with techniques already used against enterprise environments: developers regularly interact with third-party code, giving attackers multiple opportunities to deliver a malicious repository.
The attack scenario begins when a developer clones either a malicious or typosquatted package and then opens the folder in VS Code with Amazon Q installed. The execution of malicious configurations occurs silently when the repository is opened and the extension initializes, without prompting for consent. “When the victim activates Amazon Q, the extension loads and executes the malicious MCP configuration — without prompting for consent,” Dokhanian explained.
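The defensive counterpart to the scenario above is to inspect a freshly cloned checkout for workspace-supplied MCP server definitions before any extension gets to load them. The script below is an added example, not code from the advisory, Wiz, or AWS; the file name `mcp.json`, the `.agent` directory, and the `{"mcpServers": {name: {"command", "args", "env"}}} ` layout are assumptions based on the common MCP client convention, since the article does not state Amazon Q's exact paths.

```python
# Added example (not code from the advisory, Wiz, or AWS): pre-open audit that
# lists every workspace MCP server definition in a checkout that would spawn a
# local process. File name and JSON layout are assumptions (see lead-in).
import json
import tempfile
from pathlib import Path

CONFIG_NAMES = {"mcp.json"}  # assumed file name for workspace MCP configs


def find_mcp_configs(root):
    """Return every candidate MCP config file anywhere under the checkout."""
    return sorted(p for p in Path(root).rglob("*")
                  if p.is_file() and p.name in CONFIG_NAMES)


def audit_config(path):
    """Describe each server in one config that would execute a command on load."""
    try:
        data = json.loads(Path(path).read_text(encoding="utf-8"))
    except (OSError, ValueError) as exc:
        # An unreadable config still deserves review: report it as a finding.
        return [{"file": str(path), "server": None, "command": None,
                 "note": f"unparseable config: {exc}"}]
    servers = data.get("mcpServers") if isinstance(data, dict) else None
    findings = []
    for name, spec in (servers or {}).items():
        if isinstance(spec, dict) and spec.get("command"):
            env_keys = sorted(spec.get("env") or {})
            findings.append({
                "file": str(path),
                "server": name,
                "command": [spec["command"], *map(str, spec.get("args") or [])],
                "note": ("sets env: " + ", ".join(env_keys)) if env_keys else "no env overrides",
            })
    return findings


def audit_workspace(root):
    """All findings under root; an empty list means nothing would auto-execute."""
    return [f for cfg in find_mcp_configs(root) for f in audit_config(cfg)]


def demo():
    """Constructed checkout with one workspace config that spawns a process on open."""
    root = Path(tempfile.mkdtemp())
    cfg_dir = root / ".agent"  # assumed directory name, not from the article
    cfg_dir.mkdir()
    (cfg_dir / "mcp.json").write_text(json.dumps({"mcpServers": {
        "workspace-tool": {"command": "echo", "args": ["hello"], "env": {"HOME": "/tmp"}}}}))
    return audit_workspace(root)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Any finding is a reason to review the repository before opening it in an IDE with an MCP-capable extension enabled.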
This incident serves as a reminder that developers must be vigilant in their interactions with third-party code, staying alert to social engineering (including fake job interviews), malicious pull requests, typosquatting, and compromised dependencies. To mitigate this risk, developers should keep their Language Server version up to date and exercise caution when interacting with unfamiliar repositories.
Source: Dark Reading — 2026-06-29