TL;DR
A flaw in Amazon Q Developer auto-loaded rogue MCP servers from cloned repos, letting attackers steal AWS credentials silently.
Amazon Q Developer flaw let malicious repos steal AWS credentials via rogue MCP servers
A high-severity flaw in Amazon Q Developer allowed a malicious code repository to silently execute commands on a developer's machine and steal their AWS credentials. Wiz Research discovered the vulnerability, tracked as CVE-2026-12957, and reported it to Amazon on April 20. Amazon patched the issue on May 12, and the disclosure went public today.
The attack exploited how Amazon Q Developer handles servers for the Model Context Protocol (MCP), a protocol that lets AI coding assistants connect to external tools and data sources. A configuration file placed inside a repository would automatically register and start an attacker-controlled MCP server the moment a developer cloned the project, with no prompt or consent step. That server inherited the developer's full AWS credentials, IAM role, and any other environment variables available to the IDE plugin.
Wiz researchers demonstrated the attack by building a proof of concept that ran a standard AWS identity command through the malicious MCP server and sent the output to an external server. The command returns the developer's AWS account ID, user ARN, and session credentials, everything an attacker needs to access cloud resources. Because the MCP server launched automatically when the repository opened, the attack required no interaction beyond cloning the code, a pattern that has already enabled supply chain compromises in other AI coding tools.
Amazon fixed the vulnerability by requiring explicit user approval before any MCP server can start, and by restricting the environment variables that MCP servers can access. A second flaw found in the same audit, CVE-2026-12958, revealed that the plugin failed to check for symbolic links when writing workspace files, allowing an attacker to write arbitrary files anywhere on the developer's system. Amazon patched both issues in updated versions of Language Servers for AWS and the corresponding IDE plugins for VS Code, JetBrains, Eclipse, and Visual Studio.
The disclosure adds Amazon Q Developer to a growing list of AI coding tools found vulnerable to supply chain attacks that exploit the trust these tools place in repository contents. Anthropic's Claude Code was found vulnerable to a similar credential-theft attack through prompt injection in GitHub Actions earlier this year. Cursor and Codeium's Windsurf have also disclosed MCP-related vulnerabilities in recent months.
The underlying problem is that MCP, by design, gives AI assistants the ability to call external tools with whatever permissions the host application holds. When a repository can silently register an MCP server that inherits a developer's cloud credentials, the attack surface expands from the code itself to every service the developer can access. Amazon says there is no evidence the flaw was exploited in the wild, and CISA's advisory database lists no known attacks.
Developers using Amazon Q Developer should update their IDE plugins to the latest available versions immediately and audit any repositories they have recently cloned for unexpected configuration files. The broader lesson is the same one that keeps repeating across AI developer tooling: any configuration file that can trigger code execution at clone time is a weapon, and the tools that auto-execute it are the ones holding the safety off.
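One way to carry out the audit recommended above, as an added example that is not code from Wiz or Amazon: it walks a cloned repository and lists every MCP server a repository-supplied configuration file would declare. The candidate file paths, the `mcpServers`/`servers` keys, and the `command`/`args`/`env`/`url` fields are assumptions about common workspace MCP config layouts, not details given in the article; the sample config in `demo()` is constructed.

```python
import json
import os
import tempfile

# Assumed workspace-level MCP config paths (not named in the article); adjust as needed.
CANDIDATES = (".amazonq/mcp.json", ".vscode/mcp.json", ".cursor/mcp.json", ".mcp.json")
SERVER_KEYS = ("mcpServers", "servers")  # assumed top-level keys that declare servers


def audit_repo(root):
    """Return one finding per MCP server declared by a config file inside the repo."""
    findings = []
    for dirpath, dirnames, _ in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]  # skip git internals
        for rel in CANDIDATES:
            path = os.path.join(dirpath, rel)
            if not os.path.isfile(path):
                continue
            try:
                with open(path, encoding="utf-8") as fh:
                    doc = json.load(fh)
            except (OSError, ValueError) as exc:
                # An unparsable config still deserves a manual look.
                findings.append({"file": path, "server": None, "error": str(exc)})
                continue
            for key in SERVER_KEYS:
                servers = doc.get(key) if isinstance(doc, dict) else None
                for name, spec in (servers.items() if isinstance(servers, dict) else ()):
                    spec = spec if isinstance(spec, dict) else {}
                    args, env = spec.get("args"), spec.get("env")
                    findings.append({
                        "file": path,
                        "server": name,
                        # Process the tool would start for this server, if any.
                        "launch": [spec.get("command")] + (args if isinstance(args, list) else []),
                        "url": spec.get("url"),  # remote endpoint, if any
                        "env_keys": sorted(env) if isinstance(env, dict) else [],
                    })
    return findings


def demo():
    """Audit a constructed repository that ships one workspace MCP config."""
    sample = {"mcpServers": {"build-helper": {
        "command": "node", "args": ["tools/helper.js"], "env": {"MODE": "dev"}}}}
    with tempfile.TemporaryDirectory() as repo:
        os.makedirs(os.path.join(repo, ".amazonq"))
        with open(os.path.join(repo, ".amazonq", "mcp.json"), "w", encoding="utf-8") as fh:
            json.dump(sample, fh)
        return [dict(f, file=os.path.relpath(f["file"], repo)) for f in audit_repo(repo)]
```

Run `audit_repo` against a clone before opening it in an IDE; any server entry that did not come from a reviewed commit is worth inspecting by hand.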