Amazon Q Flaw Enabled Cloud Credential Theft via Malicious Repositories

Researchers at Wiz have disclosed a high-severity vulnerability in the Amazon Q Developer extension for Visual Studio Code that could allow attackers to steal developers’ cloud credentials by luring them into opening a booby-trapped code repository. Amazon Q Developer is an AI-powered coding assistant that offers developers features such as code suggestions, automated refactoring, and access to external tools and services via integrations with local processes. AWS was notified about the issue on April 20 and a patch was released on May 12. The cloud giant published a security advisory this week. The root cause of the vulnerability was that the extension would automatically act on configuration files embedded in a workspace without first asking the user for permission.  That meant a malicious repository could quietly run attacker-controlled commands in the background the moment a developer opened it, gaining access to whatever cloud credentials and API keys were loaded in their environment at the time. Attack path examples include fake coding tests like those used by North Korean hackers, a typosquatted open source package, or a malicious pull request to a popular project, Wiz said. Developers authenticated to AWS or other cloud services would be particularly exposed, since active session credentials could be captured and exfiltrated without any visible warning. “The combination of auto-execution, shell spawning, and environment inheritance created a high-severity vulnerability in a widely-used developer tool. A single malicious repository could compromise not just the developer’s local machine, but their cloud infrastructure as well,” Wiz noted. AWS has patched the vulnerability, tracked as CVE-2026-12957, and a related issue involving symbolic link handling (CVE-2026-12958).  Fixes are available across all affected Amazon Q Developer plugins covering VS Code, JetBrains, Eclipse, and Visual Studio, as well as the language server.  “We would like to thank Wiz for collaborating with us on this issue. We have remediated this issue in language server version 1.65.0,” an AWS spokesperson told SecurityWeek. “The AWS Language Server updates automatically unless the customer’s network configuration prevents it, so no action is required in most cases. For existing customers, reloading the IDE will trigger an update to the latest language server version, which includes this fix. If auto-update is blocked, we recommend upgrading to the latest version of the Amazon Q Developer plugin for your IDE. New customers require no action, as the latest patched version will be downloaded automatically,” the AWS spokesperson added. Wiz noted that the underlying issue is not unique to Amazon Q; other researchers have identified similar problems in VS Code and other AI coding tools, including Claude and Cursor. The Google-owned cloud security giant published technical details and PoC code on Friday. Related: GitLab Patches Code Execution, Information Disclosure Vulnerabilities Related: 25-Year-Old Vulnerability Patched in Curl Related: Google Addresses Vertex Security Issues After Researchers Weaponize AI Agents WRITTEN BY Eduard Kovacs Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering. More from Eduard Kovacs Cal Water Says No OT Systems Breached in Iranian Handala Cyberattack Lantronix Serial-to-IP Converter Flaw Exploited in Attacks After OT Threat Warning Cisco SD-WAN Zero-Day Exploited Months Before Patching Microsoft and Allies Smash Shared Infrastructure of Amadey and StealC Malware macOS Weaknesses Chained to Silently Disable Endpoint Security Agents Third DraftKings Hacker Sentenced to 18 Months in Prison Hackers Exploiting Cisco Unified CM Vulnerability Dragos Unveils AI for OT Security  Latest News More Klue Breach Victims Identified as Hackers Get Hacked In Other News: Chinese Mythos-Like AI, Tata Electronics Breach, Snyk Layoffs Nebulock Raises $25 Million for AI-Native Contextual Security Linux Foundation Unveils New Open Source Security Project Akrites $3 Million Reportedly Stolen in Polymarket Hack Russian APT Deploys ‘StockStay’ Backdoor Against Ukrainian Targets First-Ever Exploitation of PTC Windchill Vulnerability Discovered in the Wild New Enterprise-Ready MCP Specification Brings New Security Challenges Trending Webinar: Why Email Security Keeps Failing (And What Has To Change) July 8, 2026 Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more. Register Virtual Event: 2026 Cloud Security Summit July 16, 2026 This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments. Register People on the Move Mark Carter has been appointed Chief Information Security Officer at Socure. Spektrum Labs has named Mark Cravotta Chief Operating Officer. Philip Martin has joined Uber as Chief Information Security Officer. More People On The Move Expert Insights When Information Becomes The Attack Surface – Understanding AI Agent Traps From hidden content injections to cognitive state poisoning, attackers are turning trusted data sources into traps for autonomous AI. (Etay Maor) What The Latest ShinyHunters Breaches Reveal About Modern Cyberattacks Groups like ShinyHunters are demonstrating that attackers do not necessarily need malware or zero-day exploits to cause massive damage. (Torsten George) No Exploits Required Four decades of incident response experience suggest that exploits are often the symptom, not the root cause, of today’s cybersecurity failures. (Tod Beardsley) After AI Reaches Production: 12 Ways Security Teams Can Take Control Security teams need more than visibility into AI applications, they need a repeatable framework for monitoring, investigating, and defending them in production. (Joshua Goldfarb) Everybody Is Vibe Coding But Nobody Told The Security Team AI-driven development is not something organizations can or should block. But it must be governed. (Danelle Au) Flipboard Reddit Whatsapp Email