The Silent Threat: How One Malicious File Can Steal Your AWS Credentials
A critical security vulnerability has been identified within the Amazon Q Developer extension for Visual Studio Code (VS Code), exposing developers to high-risk scenarios involving arbitrary code execution and the theft of sensitive cloud credentials. This discovery underscores a growing tension in the modern DevOps lifecycle: the balance between the seamless utility of AI coding assistants and the strict enforcement of security trust boundaries.
The vulnerabilities, tracked under CVE-2026-12957 and CVE-2026-12958, represent significant architectural weaknesses in how AI-driven development tools manage external configurations.
The Mechanics of the Vulnerability
The core of the issue lies in the implementation of the Model Context Protocol (MCP). MCP servers are designed to function as local processes that expand an AI assistant’s utility by allowing it to interface with external APIs, local databases, and specialized system resources. While powerful, these servers introduce a new attack surface.
In the case of Amazon Q, the extension was found to automatically ingest configurations from a hidden .amazonq/mcp.json file located within a workspace directory. Critically, the extension performed this loading process without requesting user authorization or validating the “trust level” of the workspace being opened.
Because these MCP processes are spawned locally, they inherit the full environment of the host user. That inheritance is what makes the flaw so dangerous: a malicious server process gains immediate access to highly sensitive data, including:
- AWS Identity Credentials: Access key IDs, secret access keys, and temporary session tokens.
- Authentication Sockets: SSH agent sockets used for seamless server access.
- Environment Variables: API keys and internal configuration strings.
Exploitation and Attack Vectors
Security researchers at Wiz successfully demonstrated a proof-of-concept (PoC) that highlights the ease of exploitation. By embedding a simple Bash command within a malicious mcp.json file, an attacker can trigger identity-based commands that exfiltrate a developer’s active AWS session to an external, attacker-controlled server.
The “human” element of this attack is what makes it particularly dangerous. An attacker does not need to exploit a complex software bug; they simply need to plant a poisoned configuration file in a repository. The attack is triggered the moment a developer clones the repo and opens it in an IDE where Amazon Q is active. The execution happens silently in the background, often without any visual indication to the user.
Potential delivery methods include:
- Typosquatted Repositories: Mimicking popular open-source projects to lure developers.
- Malicious Pull Requests: Injecting configuration files into legitimate, widely-used projects.
- Social Engineering: Sophisticated threat groups, including those linked to the DPRK, have been known to use fake technical coding tests for job interviews as a vehicle for deploying such repositories.
If successful, the fallout can be catastrophic, ranging from the establishment of persistent backdoors in IAM users to lateral movement within production environments via inherited VPN contexts.
Remediation and Mitigation
The vulnerabilities were discovered by researcher Maor Dokhanian on April 17, 2026. Following a coordinated disclosure process, Amazon deployed critical language server updates starting in mid-May 2026. The two CVEs specifically address improper trust boundary enforcement (CVE-2026-12957) and missing symlink validation (CVE-2026-12958).
To secure your environment, ensure all Amazon Q-related plugins are updated to the latest versions. The following products were affected in versions prior to the fix:
| Product | Affected Component |
|---|---|
| Language Servers for AWS | All older versions |
| Amazon Q Developer for VS Code | All older versions |
| Amazon Q Developer for JetBrains | All older versions |
| Amazon Q Developer for Eclipse | All older versions |
| AWS Toolkit with Amazon Q for Visual Studio | All older versions |
Proactive Defense Strategies:
- Regular Audits: Periodically inspect your workspace directories for unauthorized .amazonq/ folders.
- Zero Trust Mindset: Treat all unfamiliar or third-party repositories as untrusted environments.
- Automated Updates: Ensure your IDE and its associated language servers are set to update automatically.
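As an added example (not code from the article, Wiz, or Amazon), the audit step above can be scripted: walk a directory of cloned repositories, parse every .amazonq/mcp.json found, flag entries whose command is a shell or other interpreter, and report symlinked configs before the repo is ever opened in an IDE. It assumes the common MCP client layout of a top-level `mcpServers` object keyed by server name with `command` and `args` fields; the watch list and the sample config built by `demo()` are constructed.

```python
import json
import os
import tempfile
from pathlib import Path

# Interpreters and downloaders that, as a workspace-supplied MCP "command", deserve
# a manual look before the repo is opened in an IDE. Constructed watch list.
REVIEW_COMMANDS = {"bash", "sh", "zsh", "curl", "wget", "python", "node", "npx"}


def audit_mcp_config(config_file: Path) -> list[dict]:
    """Return one finding per configured server, plus one if the file itself is odd."""
    findings = []
    # A symlinked config (or .amazonq folder) can resolve to a file outside the workspace.
    if config_file.is_symlink() or config_file.parent.is_symlink():
        findings.append({"file": str(config_file), "issue": "symlink"})
    try:
        data = json.loads(config_file.read_text(encoding="utf-8"))
    except (OSError, ValueError) as exc:
        return findings + [{"file": str(config_file), "issue": f"unreadable: {exc}"}]
    servers = data.get("mcpServers", {}) if isinstance(data, dict) else {}
    for name, spec in servers.items():
        spec = spec if isinstance(spec, dict) else {}
        cmd = str(spec.get("command", ""))
        findings.append({
            "file": str(config_file), "server": name, "command": cmd,
            "args": [str(a) for a in spec.get("args", [])],
            # Every entry runs with the user's full environment on open; an interpreter
            # (or a missing command) is the strongest signal that a human should look.
            "needs_review": not cmd or os.path.basename(cmd).lower() in REVIEW_COMMANDS,
        })
    return findings


def scan_workspaces(root: Path) -> list[dict]:
    """Walk root and audit every .amazonq/mcp.json beneath it."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if os.path.basename(dirpath) == ".amazonq" and "mcp.json" in files:
            findings.extend(audit_mcp_config(Path(dirpath) / "mcp.json"))
    return findings


def demo() -> list[dict]:
    """Audit a throwaway workspace holding a constructed, interpreter-backed entry."""
    cfg_dir = Path(tempfile.mkdtemp()) / "cloned-repo" / ".amazonq"
    cfg_dir.mkdir(parents=True)
    sample = {"mcpServers": {"helper": {"command": "bash", "args": ["-c", "echo hi"]},
                             "docs": {"command": "/opt/tools/docs-mcp", "args": []}}}
    (cfg_dir / "mcp.json").write_text(json.dumps(sample), encoding="utf-8")
    return scan_workspaces(cfg_dir.parent.parent)
```

For a real run, call `scan_workspaces(Path("~/src").expanduser())` (or wherever you clone repositories) and review every finding with `needs_review` or `issue` set.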
The Broader Context: The MCP Security Frontier
This incident is not an isolated event but rather a symptom of a broader trend within the AI-assisted development ecosystem. We have seen similar auto-execution flaws in other major players, including Claude Code, Cursor, and Windsurf. As AI tools gain deeper access to local system resources to provide better coding assistance, the industry must move toward a standardized, rigorous framework for workspace configuration trust.