Based on reporting by The Hacker News →
Introduction
A high-severity flaw in Amazon’s AI coding assistant gave malicious repositories a direct path to steal developer credentials and execute arbitrary commands. The fix is out, but the attack class—abusing AI agent trust—is a warning for every team adopting AI pair-programming tools.
The problem
According to a report by The Hacker News, a now-patched vulnerability in Amazon Q Developer allowed a malicious repository to run unauthorized commands and exfiltrate a developer’s cloud credentials. The attack chain required only that a developer open the repository, trust the workspace, and let Amazon Q process the project. Amazon has released a patch, and the bug is tracked as CVE-2026-12957 with a CVSS score of 8.5 (High). Researchers at Wiz discovered the flaw, which resided in how Amazon Q handled Model Context Protocol (MCP) server configurations.
Consequences
An exploited MCP configuration could hand an attacker the keys to a developer’s entire cloud environment—production databases, CI/CD pipelines, storage buckets—by stealing session tokens or short-term credentials from the assistant’s context. Beyond the direct data exfiltration, this kind of flaw erodes trust in the AI tooling that developers are increasingly relying on to generate, review, and manage code.
Causes
The root cause, as reported by The Hacker News, was a gap in validation of Model Context Protocol (MCP) servers within Amazon Q Developer. When a developer opened a repository and authorized the workspace, the AI assistant would trust the MCP configuration supplied by that repo without sufficient vetting. This allowed a repository to define a malicious MCP server that could read file contents, access environment variables, and execute shell commands—all within the assistant’s trusted context.