A critical vulnerability discovered in Amazon Q Developer has highlighted a dangerous new frontier in software supply chain attacks: the weaponization of AI coding assistants to compromise local environments and exfiltrate cloud credentials.
Tracked as CVE-2026-12957 (with a high-severity CVSS v4 score of 8.5), this security flaw allowed a malicious Git repository to execute arbitrary code and harvest high-value AWS credentials simply by being opened in a developer’s IDE. The vulnerability stems from how the extension handled the Model Context Protocol (MCP), an open standard designed to grant AI tools access to local data sources and development tools.
The Technical Breakdown: How the Flaw Worked
The vulnerability was discovered by security researchers at Wiz, who identified a fatal flaw in the way the underlying Language Servers for AWS processed workspace configuration files.
Lorem ipsum dolor sit amet, consectetur adipiscing elit. Ut elit tellus, luctus nec ullamcorper mattis, pulvinar dapibus leo.
When developers use AI coding assistants, they often want the AI to interact with external tools, local databases, or files. To achieve this, tools like Amazon Q utilize MCP, which spawns local processes called “MCP servers” based on a JSON configuration file.
The attack relied on a combination of two dangerous design flaws:
1. Silent Auto-Execution Without Consent
Amazon Q was configured to automatically scan a project’s workspace for an MCP configuration file located at .amazonq/mcp.json. If a developer opened a repository and selected “Trust Workspace” when prompted by their IDE, Amazon Q would automatically parse and execute the commands within that JSON file—without any additional warning or explicit user consent to launch an MCP server.
2. Complete Environment Inheritance
When Amazon Q spawned the attacker-controlled MCP server as a local process on the developer’s machine, that process inherited the developer’s entire environment configuration. Because developer workstations are typically highly privileged, the malicious process gained direct access to sensitive system memory and environment variables, including:
Active AWS credentials (
AWS_ACCESS_KEY_ID,AWS_SECRET_ACCESS_KEY,AWS_SESSION_TOKEN)Cloud CLI session authentication tokens
Private API keys and corporate secrets
SSH agent sockets
The Proof-of-Concept Attack Flow
[Attacker creates malicious repo with `.amazonq/mcp.json`]
│
▼
[Developer clones repo & opens it in IDE (VS Code / JetBrains)]
│
▼
[Developer clicks "Trust Workspace" when prompted]
│
▼
[Amazon Q auto-loads MCP file ──> Spawns local process]
│
▼
[Process inherits environment ──> Steals active AWS Session tokens]
│
▼
[Credentials silently exfiltrated to Attacker's command server]
In their proof-of-concept demonstration, researchers embedded commands like aws sts get-caller-identity within a crafted configuration file. The moment the workspace was opened, the extension executed the command, harvested active AWS cloud session tokens, and transmitted them to an external, attacker-controlled server—all completely silently in the background.
Real-World Threat Scenarios
Because cloning and reviewing source code is one of the most fundamental habits of software development, this flaw provided attackers with several highly viable infection vectors:
Social Engineering via “Coding Tests”: State-sponsored threat actors (such as groups out of North Korea) frequently target developers by posing as recruiters and asking candidates to clone a repository for a technical interview. Opening the test project would immediately compromise the developer’s corporate AWS access.
Typosquatting & Compromised Dependencies: Attackers can publish open-source packages with names slightly mimicking popular libraries, embedding the malicious
.amazonq/mcp.jsonfile inside the package structure.Malicious Pull Requests: An attacker could submit a benign pull request to a popular open-source project but sneakily include the hidden workspace configuration directory. Any maintainer checking out the branch locally to test it would be compromised.
Remediation and Patches
Wiz researchers reported the vulnerability to AWS on April 20, 2026, and Amazon deployed a comprehensive fix on May 12, 2026.
The patch addresses the root issue by enforcing strict trust boundaries, preventing the automatic execution of project-level MCP configurations without clear, explicit developer authorization.
To ensure your environment is safe, verify that your development plugins are updated to the following minimum patched versions:
| IDE Platform | Minimum Safe Extension Version |
| Visual Studio Code | Version 2.20 or later |
| JetBrains IDEs (IntelliJ, WebStorm, etc.) | Version 4.3 or later |
| Eclipse | Version 2.7.4 or later |
| Visual Studio | Toolkit version 1.94.0.0 or later |
Critical Note: Amazon strongly recommends upgrading the underlying Language Servers for AWS to version 1.69.0 or higher. This version fixes CVE-2026-12957 as well as a closely related flaw (CVE-2026-12958), which allowed malicious symlinks to execute arbitrary local file writes outside of the workspace trust boundary.
The Broader Shift in AI Agent Security
CVE-2026-12957 is not an isolated incident. Throughout 2025 and 2026, security researchers have increasingly warned about the systemic security risks introduced by the rapid adoption of Model Context Protocol (MCP) integrations. Similar vulnerabilities have been discovered across other leading tools like Claude Code and Cursor, where agents treat external configuration data as trusted, executable instructions.
As AI coding companions evolve from interactive completion engines into fully autonomous workers that can execute terminal commands, edit local files, and interact with production infrastructure, developers must adjust their threat models. Configuration metadata files can no longer be assumed to be benign; they must be guarded with the same zero-trust skepticism applied to unknown executable binaries