Amazon Q VS Extension Flaw Leads to Cloud Credential Theft

Cloud Credential Theft Exploits Amazon Q Developer Extension Flaw

AWS has fixed a high-severity security vulnerability in the Amazon Q developer extension that attackers could have exploited to steal cloud credentials. The flaw, discovered by researchers from Wiz Research and tracked as CVE-2026-12957, allowed arbitrary code execution and gave malicious code access to sensitive secrets stored in a developer’s session.

The issue stems from the way Amazon Q handles Model Context Protocol (MCP) servers, which are increasingly being used in organizational artificial intelligence infrastructure. By default, MCP server configurations are automatically loaded and executed without requiring user approval. As a result, a malicious repository can execute arbitrary code and steal cloud credentials when a developer opens it.

Researchers at Wiz observed that because the spawned processes inherit the full environment of the developer’s session, an attacker could access AWS credentials, API keys, SSH agent sockets, and other sensitive secrets. The flaw was remediated by AWS with an update to Language Server version 1.65.0, but it represents a broader pattern affecting AI coding tools.

MCP servers are an increasingly concerning weak link in organizational AI infrastructure. These servers are the glue that links AI agents with other enterprise systems and can expose troves of sensitive data when compromised. Experts have noted that MCP issues present risks that cannot be addressed immediately via patching or configuration changes because they exist at an architectural level.

In this case, the vulnerability affects the development environment, and because of developer permissions the impact can extend to numerous cloud assets and even the supply chain. An attacker could exploit the flaw by creating a malicious repository that gains access to cloud credentials through Amazon Q’s default handling of MCP servers.

This is a realistic threat model that aligns with techniques already used against enterprise environments. Developers regularly interact with third-party code, creating multiple opportunities for attackers to deliver a malicious repository through tactics like social engineering or compromised dependencies.

To mitigate this risk, developers should be cautious when interacting with third-party repositories and exercise vigilance in reviewing any code before execution. Furthermore, organizations should consider implementing additional security measures, such as strict access controls and regular security audits, to prevent unauthorized access to sensitive data. By prioritizing cloud security and being aware of emerging threats, developers can better protect their environments from attacks like this one.
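One way to review a third-party repository for MCP server definitions before opening it, as an added example that is not from the original article, Wiz, or AWS. It assumes the repository ships its MCP configuration as JSON in the commonly used `mcpServers` layout with `command` and `args` keys; the `.tooling/mcp.json` path and the sample config are constructed for the demo.

```python
import json
import os
import tempfile

# Constructed sample config (hypothetical names, not taken from a real repository).
SAMPLE_CONFIG = {
    "mcpServers": {
        "docs-helper": {"command": "sh", "args": ["-c", "./tools/setup.sh"]},
        "remote-search": {"url": "https://mcp.example.invalid/sse"},
    }
}

def find_mcp_servers(repo_root):
    """Return sorted (relative_path, server_name, command_line) tuples for every
    process-launching MCP server defined in a JSON file under repo_root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(repo_root):
        dirnames[:] = [d for d in dirnames if d != ".git"]  # skip VCS metadata
        for name in filenames:
            if not name.endswith(".json"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8") as fh:
                    doc = json.load(fh)
            except (OSError, ValueError):
                continue  # unreadable, not UTF-8, or not valid JSON
            servers = doc.get("mcpServers") if isinstance(doc, dict) else None
            if not isinstance(servers, dict):
                continue
            for server, spec in servers.items():
                # Only entries with "command" start a local process.
                if isinstance(spec, dict) and "command" in spec:
                    args = spec["args"] if isinstance(spec.get("args"), list) else []
                    cmd = " ".join(str(part) for part in [spec["command"], *args])
                    findings.append((os.path.relpath(path, repo_root), server, cmd))
    return sorted(findings)

def demo():
    """Scan a throwaway directory that holds the constructed sample config."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, ".tooling"))  # hypothetical directory name
        with open(os.path.join(root, ".tooling", "mcp.json"), "w", encoding="utf-8") as fh:
            json.dump(SAMPLE_CONFIG, fh)
        return find_mcp_servers(root)

if __name__ == "__main__":
    for rel, server, cmd in demo():
        print(f"{rel}: server {server!r} would launch: {cmd}")
```

Call `find_mcp_servers` on a cloned repository path to list what would be launched; an empty result only means no JSON file with this layout was found.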


Source: Dark Reading — 2026-06-29