Amazon Q VS Extension Flaw Leads to Cloud Credential Theft

СLOUD SECURITY VULNERABILITIES & THREATS THREAT INTELLIGENCE CYBER RISK NEWS Amazon Q VS Extension Flaw Leads to Cloud Credential Theft Adversaries could plant a malicious repository that can execute arbitrary code and steal cloud credentials by exploiting the vulnerability, which showcases growing MCP risk. Elizabeth Montalbano,Contributing Writer June 29, 2026 5 Min Read SOURCE: KLATTISAK LAMCHAN VIA ALAMY STOCK PHOTO Amazon Web Services (AWS) has fixed a high-severity security vulnerability in an Amazon Q developer extension that could allow attackers to execute arbitrary code and steal cloud credentials, just by convincing a developer to open a malicious repository. The flaw involves an issue with Model Context Protocol (MCP) servers, which are emerging as a weak security link in organizational artificial intelligence (AI) infrastructure. Researchers from Wiz Research discovered the bug, tracked as CVE-2026-12957, in the Amazon Q Developer extension for Visual Studio Code, according to a recent blog post. The flaw stemmed from Amazon Q's handling of MCP, which by default automatically loaded and executed MCP server configurations from workspace files without requiring user approval.  Because these spawned processes inherited the developer's full environment, an attacker could potentially access AWS credentials, API keys, SSH agent sockets, and other sensitive secrets available in the developer's session, observed Maor Dokhanian, threat researcher at Wiz, in the post. "Combined with full environment inheritance, this enabled immediate code execution," he wrote. Related:Name That Toon: Mark of (Cybersecurity) Progress Wiz disclosed the vulnerability to AWS, which has since remediated the issue with an update to Language Server version 1.65.0. Language Servers for AWS provide the underlying language-server runtime that powers Amazon Q Developer's AI coding assistance across IDE plug-ins for Visual Studio Code, JetBrains, Eclipse, and Visual Studio. Still, the flaw represents "part of a broader pattern affecting AI coding tools" when it comes to the greater MCP ecosystems, according to Dokhanian, who cited similar issues that have been independently discovered by OX Security and Check Point. "Similar vulnerabilities involving the automatic execution of workspace configurations, particularly through the MCP, have been identified by external researchers in Claude Code (CVE-2025-59536, CVE-2026-21852), Cursor (CVE-2025-54136), and Windsurf (CVE-2026-30615)," he tells Dark Reading. MCP Server Abuse Path Indeed, MCP servers, the glue that links AI agents with other enterprise systems, can expose troves of sensitive organizational data when compromised by adversaries. And experts have noted that MCP issues present risks that can't be addressed immediately via patching or configuration changes because they exist at the architectural level in both large language models (LLMs) and in MCP itself. In this case, the MCP issue affects the development environment, which can extend into numerous cloud assets and even the supply chain due to the permissions developers have. An attacker could exploit the flaw by creating a malicious developer repository that would, based on the inherent behavior of Amazon Q regarding the MCP server, gain access to cloud credentials, Dokhanian explains. Related:LatAm Vibe Hackers Generate Custom Hacking Tools on the Fly "This is a realistic threat model and aligns with techniques already used against enterprise environments," he says. "Developers regularly interact with third-party code, creating multiple opportunities for attackers to deliver a malicious repository through things like social engineering, fake job interviews, malicious pull requests, typosquatting, or compromised dependencies." An attack scenario would begin when a developer clones either a malicious or typosquatted package and then opens the folder in VS Code with Amazon Q installed. The scenario sets off the execution of malicious configurations before a developer has even reviewed a single line of code, Dokhanian says. "When the victim activates Amazon Q, the extension loads and executes the malicious MCP configuration — without prompting for consent," Dokhanian explained in the post. "The attacker's payload runs with access to the victim's AWS credentials." Related:Hugging Face Packages Weaponized With a Single File Tweak And because execution occurs silently when the repository is opened and the extension initializes, before the developer reviews the source code, "traditional code review processes offer little protection," he tells Dark Reading. Other potential malicious scenarios that exploitation spawns include cloud persistence through backdoor IAM users, access keys, or infrastructure; access to internal services via inherited VPN/network context; supply chain attacks targeting maintainers of popular projects; and lateral movement if the developer has access to production systems, he adds. Wiz tested a proof-of-concept exploit of the flaw and found that the command "aws sts get-caller-identity" successfully captured the developer's active AWS session, thus demonstrating how an attacker could escalate from code execution to cloud compromise. Secure AI Coding Assistants, MCP Servers Regarding CVE-2026-12957, given Amazon's update, no immediate action is needed for anyone using AWS Language Server version 1.65.0 or later. However, the flaw ultimately demonstrates a growing risk as AI coding assistants become deeply integrated into developer workflows, Dokhanian explains. "These tools now have access to trusted developer environments, making them attractive targets for attackers," he says. "These tools now have access to trusted developer environments, making them attractive targets for attackers." Indeed, AI coding assistants have emerged as a legitimate attack surface and require defenders to consider them as they adopt security for an overall corporate environment, observes Rohit Valia, CEO of cybersecurity company Tumeryk. "Organizations need to treat every AI tool with environment access as a potential credential exfiltration path," he says. "They need to ensure there are AI guardrails to block access for every AI tool use unless it is an approved action with real-time risk scoring of the prompts and responses for continuous observability.” Dokhanian echoes this sentiment, noting that as AI assistants become more capable, "they should be evaluated with the same security rigor as operating systems, browsers, and other core developer infrastructure." Defenders also should review MCP consent prompts carefully and, if Amazon Q or another AI coding assistant displays an "Untrusted MCP Server" warning, they should inspect the command before allowing it. Organizations also should audit MCP configurations by reviewing any MCP server configurations in an environment to ensure it is not introducing a security issue, according to Wiz. Don't miss the latest Dark Reading Confidential podcast, Do CISOs Need a Code of Ethics?. Kickbacks, no-show jobs, "dirty" VCs, and shelf ware — industry expert Robert "RSnake" Hansen explains why he thinks it's time for a CISO code of ethics. It could ensure cybersecurity bosses aren't engaged in self-dealing that could risk enterprise, and even national, security. Listen now! About the Author Elizabeth Montalbano Contributing Writer Elizabeth Montalbano is freelance writer, editor, and  journalist with 30 years of professional experience and a master's degree from Arizona State University. Her areas of expertise include enterprise technology, cybersecurity, business, and culture. During her long career, Elizabeth has lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City. She specializes in news coverage and analysis, using her years of experience to look at the current state of cybersecurity with a critical gaze. She currently resides in a village on the southwest coast of Portugal, where in her free time she enjoys surfing, hiking with her dogs, growing plants, and playing and performing as a singer and musician. Want more Dark Reading stories in your Google search results? ADD US NOW More Insights Industry Reports The State of Cloud Security: The Latest Challenges The total economic impact™ of Snyk How Organizations Are Managing Incident Response How Enterprises Are Developing Secure Applications Inside RSAC 2026: security leaders reveal the risks redefining your defense strategy Access More Research Webinars Practical Zero Trust Implementation on a Budget in the Age of Mythos Building a Risk Based Vulnerability Management Program Threat Hunting That Gets Big Results Despite Small Budgets Say Yes to AI: Securing Innovation Without Compromise Zero Trust Identity: Beyond Traditional Authentication More Webinars You May Also Like СLOUD SECURITY CSA: CISOs Should Prepare for Post-Mythos Exploit Storm by Alexander Culafi APR 13, 2026 СLOUD SECURITY APT41 Delivers 'Zero-Detection' Backdoor to Harvest Cloud Credentials by Elizabeth Montalbano APR 13, 2026 СLOUD SECURITY The Cloud Edge Is the New Attack Surface by Robert Lemos, Contributing Writer SEP 17, 2025 СLOUD SECURITY Phishing Empire Runs Undetected on Google, Cloudflare by Elizabeth Montalbano, Contributing Writer SEP 04, 2025 Editor's Choice CYBERSECURITY OPERATIONS Do CISOs Need a Code of Ethics? byDark Reading Editorial Team JUN 24, 2026 CYBERSECURITY OPERATIONS 2026 FIFA World Cup Faces Surge in Cyber Threats byAlexander Culafi JUN 24, 2026 3 MIN READ CYBERSECURITY OPERATIONS EU Gets a Head Start in Developing 6G Network Security byNate Nelson JUN 18, 2026 4 MIN READ Want more Dark Reading stories in your Google search results? Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox. SUBSCRIBE AUG 1-6 | MANDALAY BAY, LAS VEGAS USE CODE: DARKREADING & SAVE $200 ON A BRIEFINGS PASS OR $100 ON A BUSINESS PASS The premier cybersecurity event returns. GET YOUR PASS