Amazon Q just let a malicious repo steal every cloud credential your developer has

One config file. One cloned repo. Every AWS credential gone.

Wiz Research just disclosed CVE-2026-12957 in Amazon Q Developer. CVSS 8.5. The attack: a developer opens a malicious repository, trusts the workspace, and Amazon Q executes arbitrary code through an MCP server definition with full access to the developer's environment.

AWS keys. CLI tokens. API secrets. SSH agent sockets. All inherited by the malicious process.

Amazon patched it. But this is the fourth AI coding assistant to fail at the same trust boundary. Claude Code had CVE-2025-59536. Cursor had CVE-2025-54136. Windsurf had CVE-2026-30615. Same pattern: project configuration becomes executable behavior without adequate consent.

The flaw lives in Language Servers for AWS — the runtime powering Amazon Q across VS Code, JetBrains, Eclipse, and Visual Studio. All four plugins were exposed. All four require updating to version 1.69.0 or later.

Your developers are now your attack surface. Every AI coding assistant that reads project configuration files is a potential credential exfiltration vector. The convenience of repo-carried config is exactly what makes it dangerous.

Audit your AI coding tool deployments today. Enforce explicit consent for MCP server execution. Restrict which repositories developers can trust. If you haven't updated Language Servers for AWS to 1.69.0, your developers' cloud sessions are exposed right now.

SOURCE: https://cybernoz.com/amazon-q-developer-flaw-could-let-malicious-repos-run-code-via-mcp-configs/
VERIFIED: Wiz Research disclosure, The Hacker News original report, AWS security bulletin CVE-2026-12957
SIGNAL: This is the fourth AI coding assistant to fail at MCP trust boundaries. The pattern is structural, not incidental — every tool that auto-executes project config is a credential theft vector waiting to be exploited.