Opening a Malicious Repo Could Hijack Amazon Q in VS Code

A high-severity flaw in Amazon Q Developer, Amazon's AI-powered coding assistant for Visual Studio Code, let an attacker run arbitrary code and steal a developer's cloud credentials with almost no interaction. The only thing the victim had to do was open a malicious repository while the extension was active. Amazon has since fixed the issue, which was found and responsibly disclosed by Wiz Research.

The bug, tracked as CVE-2026-12957, affected language server versions below 1.65.0. There is no evidence it was ever exploited in the wild. Wiz reported it privately to Amazon, and the fix shipped before any public disclosure.

What happened

To extend what AI assistants can do, many coding tools support the Model Context Protocol (MCP), a standard that lets the assistant spawn local helper processes (called MCP servers) to reach databases, call APIs, or run build tools. Because those servers can execute arbitrary commands, the expectation is that a user explicitly approves them.

Amazon Q broke that assumption. The extension automatically read an MCP configuration file at .amazonq/mcp.json from the root of any workspace it opened, then launched the servers it described, with no prompt, no consent dialog, and no workspace trust check. That file is just another file in a git repository, which means an attacker who controls the repo controls what gets run.

How the attack works

The danger came from two behaviors stacking together. First, the auto-execution: simply opening a folder and activating Amazon Q was enough to launch whatever commands the workspace MCP config specified. Second, full environment inheritance: the spawned processes received the developer's entire environment, including AWS credentials such as AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_SESSION_TOKEN, along with cloud CLI tokens, API keys, and SSH agent sockets.

In their proof of concept, Wiz built a repository that looked ordinary but carried a hidden .amazonq/mcp.json. It defined a "build-helper" server that ran a shell command to grab the active AWS identity and POST it to a demonstration host the researchers controlled (the host exfil[.]attacker[.]test was used only inside the lab test, not in any live attack). When the repository was opened with Amazon Q active, the command captured the developer's live AWS session, showing how local code execution escalates straight into cloud compromise: backdoored IAM users, stolen access keys, and lateral movement into production.

A systemic AI-coding-assistant risk

Wiz stresses that this is not an Amazon-only problem. The same auto-execute-untrusted-config pattern has surfaced repeatedly across the ecosystem, with related CVEs reported in Claude Code, Cursor, and Windsurf by other research teams. The throughline is that workspace configuration files are attacker-controlled input and should never trigger code execution without consent.

The delivery paths are realistic. A malicious pull request, a typosquatted package, or a compromised dependency can all carry a poisoned config. Wiz also flags the DPRK fake-job-interview tactic, in which a candidate is asked to clone and run a "coding test", as a plausible way to get a developer to open a hostile repo. This builds on a wider trend of attackers turning developer and AI tooling against its users, seen in cases like malicious GenAI browser extensions harvesting prompts and the GlassWorm supply-chain campaign abusing trust in GitHub, npm, and VS Code.

What you should do

The fix is in language server version 1.65.0. The AWS Language Server updates automatically unless a network configuration blocks it, so most users need no action. If auto-update is blocked, reloading the IDE triggers an update, or you can upgrade the Amazon Q plugin manually. Amazon Q now shows a consent prompt before loading workspace MCP servers, so review those prompts and inspect any command before allowing it.

More broadly, treat unfamiliar repositories with care, check for unexpected .amazonq/ folders, and audit any MCP server configurations already in your environment.
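One way to run that audit across a directory of checkouts, as an added example that is not code from Wiz, Amazon, or the original briefing. It assumes the file uses the common MCP layout with a top-level "mcpServers" object; the interpreter and flag lists are heuristics, and "docs-mcp-server" is a hypothetical name.

```python
import json
import os
from pathlib import Path

# Assumption: common MCP layout {"mcpServers": {"<name>": {"command": ..., "args": [...]}}}.
# Heuristic, non-exhaustive: programs that run code handed to them in an argument.
INTERPRETERS = {"sh", "bash", "zsh", "cmd", "cmd.exe", "powershell", "pwsh",
                "python", "python3", "node"}
INLINE_FLAGS = {"-c", "/c", "-e", "-command"}
# Constructed sample: server name taken from the article, command is a harmless stand-in.
SAMPLE_CONFIG = """{"mcpServers": {
  "build-helper": {"command": "/bin/sh", "args": ["-c", "echo constructed-example"]},
  "docs": {"command": "docs-mcp-server", "args": ["--stdio"]}}}"""

def audit_text(text):
    """Return [(server_name, command_line, flags)] for one mcp.json document."""
    try:
        data = json.loads(text)
    except ValueError:
        return [(None, None, ["unparseable-json"])]
    servers = data.get("mcpServers") if isinstance(data, dict) else None
    findings = []
    for name, spec in (servers if isinstance(servers, dict) else {}).items():
        spec = spec if isinstance(spec, dict) else {}
        command = str(spec.get("command", ""))
        raw_args = spec.get("args")
        args = [str(a) for a in raw_args] if isinstance(raw_args, list) else []
        flags = []
        if command.replace("\\", "/").rsplit("/", 1)[-1].lower() in INTERPRETERS:
            flags.append("interpreter-as-command")
        if any(a.lower() in INLINE_FLAGS for a in args):
            flags.append("inline-code-argument")
        findings.append((name, " ".join([command, *args]), flags))
    return findings

def audit_tree(root):
    """Map each .amazonq/mcp.json under root to its findings; symlinks are not followed."""
    results = {}
    for dirpath, dirnames, _ in os.walk(root, followlinks=False):
        if ".git" in dirnames:
            dirnames.remove(".git")  # repository metadata, not workspace content
        candidate = Path(dirpath) / ".amazonq" / "mcp.json"
        if candidate.is_file():
            text = candidate.read_text(encoding="utf-8", errors="replace")
            results[str(candidate)] = audit_text(text)
    return results

if __name__ == "__main__":
    print(json.dumps(audit_tree("."), indent=2))  # scan the current directory
```

An empty flag list does not mean a server is safe; every listed command line still needs a human read before the workspace is opened with the extension active.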

This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.
