Amazon Q flaw let booby-trapped Git repos execute code, swipe cloud creds

A high-severity flaw in Amazon's AI coding assistant for Visual Studio Code meant that opening the wrong Git repository could allow an attacker to execute code on a developer's machine and potentially hand them the keys to the dev's cloud environment. The bug, tracked as CVE-2026-12957 and assigned a CVSS 4.0 score of 8.5, centers on how Amazon Q handled Model Context Protocol (MCP) server configurations. Wiz found the extension would automatically load a repository's .amazonq/mcp.json file and execute the commands it contained when a developer opened the project and activated Amazon Q. "The security model assumes the user explicitly configures these servers. After all, you're granting an AI assistant permission to run arbitrary commands on your machine. This should require informed consent," the researchers write. "The vulnerability arose when this assumption was violated: Amazon Q automatically loaded MCP configurations from .amazonq/mcp.json within the workspace - no prompt, no consent, no workspace trust check." MCP lets AI assistants launch local processes to carry out tasks. In Amazon Q's case, those processes inherited the developer's environment, giving them access to AWS credentials, API keys, authentication tokens, SSH agent sockets, and other secrets already loaded into the session. "The combination meant that a single malicious config file could execute arbitrary commands with full access to the developer's credentials - no user interaction required beyond opening the folder and activating Amazon Q," Wiz said. To prove the attack worked, Wiz built a repository with a malicious MCP configuration. Opening the project and activating Amazon Q caused the extension to execute a command against AWS using the developer's existing credentials. Amazon fixed the bug in version 1.65.0 of its language server, which powers Amazon Q's IDE integrations. Existing installations should receive the patched component automatically unless you've blocked automatic updates. "We would like to thank Wiz for collaborating with us on this issue. We have remediated this issue in language server version 1.65.0," Amazon said in an advisory, though it didn't respond to The Register's questions. Wiz argues the bug is less an Amazon problem than an industry one. More and more AI coding assistants are adopting MCP to connect models to local tools and services, allowing them to execute commands on developers' machines. According to the researchers, similar workspace configuration flaws have recently surfaced in other AI coding tools. It suggests attackers have found a new place to lurk: the hidden files that developers rarely think twice about trusting. (R)