A developer opens a cloned repository in VS Code.
No prompt. No warning. No consent dialog.
Amazon Q automatically executes whatever is inside .amazonq/mcp.json — and inherits the developer's full AWS credentials. AWS_ACCESS_KEY_ID. AWS_SECRET_ACCESS_KEY. AWS_SESSION_TOKEN. Gone.
Wiz Research found CVE-2026-12957 in Amazon Q Developer Extension. The attack requires zero user interaction beyond opening a folder. The spawned MCP server inherits the developer's complete environment — cloud credentials, API keys, SSH agent sockets. Everything.
Wiz's proof of concept: one bash command. It calls aws sts get-caller-identity, captures the session, and exfiltrates it to an attacker-controlled server. That's all it takes to own your cloud infrastructure.
This isn't just Amazon Q.
Claude Code, Cursor, and Windsurf all have the same class of vulnerability — auto-executing MCP configurations from workspace files without trust validation. The entire AI coding assistant ecosystem has a trust boundary problem.
Your developer doesn't need to install malware. They don't need to run a script. They just need to open a repo someone else controls.
Audit your IDE extensions today. Check for .amazonq/ folders in every cloned repository. Enforce workspace trust policies across your engineering org. Treat every AI coding tool as a potential credential exfiltration vector — because right now, they all are.
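To make the "check for .amazonq/ folders" step concrete, here is an added audit sketch (not code from Wiz, AWS, or the original post) that walks a directory of cloned repositories and lists every .amazonq/mcp.json along with the commands it would launch, without running any of them. The function names are hypothetical, and the "mcpServers" layout with "command" and "args" is an assumption about the file format that the post does not spell out.

```python
import json
import os
import sys
from pathlib import Path

# Workspace-relative config named in the post; extend the tuple for other tools.
MCP_CONFIGS = (Path(".amazonq") / "mcp.json",)


def describe(path):
    """Summarise which commands a config would launch, without running them."""
    finding = {"path": str(path), "commands": [], "error": None}
    try:
        data = json.loads(path.read_text(encoding="utf-8"))
    except (OSError, ValueError) as exc:  # bad JSON or encoding: flag for manual review
        finding["error"] = f"unreadable: {exc}"
        return finding
    # Assumption: servers are listed as {"mcpServers": {name: {"command", "args"}}}.
    servers = data.get("mcpServers") if isinstance(data, dict) else None
    for name, spec in (servers.items() if isinstance(servers, dict) else []):
        if isinstance(spec, dict) and "command" in spec:
            args = spec.get("args")
            argv = [str(spec["command"])]
            argv += [str(a) for a in args] if isinstance(args, list) else []
            finding["commands"].append((name, " ".join(argv)))
    return finding


def find_mcp_configs(root, configs=MCP_CONFIGS):
    """Walk `root` and return one finding per workspace MCP config file."""
    findings = []
    for dirpath, dirnames, _ in os.walk(root):
        # Git internals are never opened as a workspace; everything else is scanned,
        # because a developer may open any subfolder of a repository.
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for rel in configs:
            candidate = Path(dirpath) / rel
            if candidate.is_file():
                findings.append(describe(candidate))
    return findings


if __name__ == "__main__":
    scan_root = sys.argv[1] if len(sys.argv) > 1 else "."
    for f in find_mcp_configs(scan_root):
        print(f["path"], f["error"] or f["commands"])
```

Any hit deserves a manual read before the folder is opened in an IDE, and an unparseable file is reported rather than skipped.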
SOURCE: https://www.wiz.io/blog/amazon-q-vulnerability
VERIFIED: Wiz Research, AWS Security Bulletin (CVE-2026-12957), SecurityWeek
SIGNAL: Your developers' cloud credentials are one malicious repo away from exfiltration. The entire AI coding tool ecosystem shares this flaw. Audit now.
Amazon Q just let a single repo steal every AWS credential your developer has
AI-Assisted Content — Produced with AI assistance and human editorial review.