Amazon Q Developer MCP Flaw Exposed AWS Credentials on Repo Open

Cloning a repository and opening it in your IDE is about as routine as software development gets. According to The Hacker News, a now-patched vulnerability in Amazon Q Developer turned that routine action into a potential credential handoff: a malicious `.amazonq/mcp.json` file placed in a workspace could cause Amazon Q to automatically launch attacker-controlled MCP servers when a developer opened and trusted the repository, with those processes inheriting the developer's full environment.

The flaw, tracked as CVE-2026-12957 with a CVSS score of 8.5, exposed AWS credentials, cloud CLI tokens, API secrets, and SSH agent sockets to whatever MCP server the config file specified. No additional steps were required beyond opening and trusting the workspace -- the auto-launch behavior did the rest, enabling attackers to compromise cloud infrastructure without additional authentication steps.

Researchers at Wiz demonstrated the attack by running `aws sts get-caller-identity` through a malicious MCP configuration, capturing active AWS session credentials and transmitting them to an attacker-controlled server. Wiz reported the flaw on April 20, 2026; Amazon released a patch on May 12.

The fix landed in Language Servers for AWS 1.65.0, with Amazon recommending users update to 1.69.0, which also addresses a related symlink flaw (CVE-2026-12958) that enabled arbitrary file writes. Minimum patched plugin versions vary by IDE: VS Code requires 2.20 or later, JetBrains 4.3 or later, Eclipse 2.7.4 or later, and Visual Studio toolkit 1.94.0.0 or later.

The honest caveat is that no known public exploitation has been reported, and the disclosure came coordinated with the patch rather than before it. What the reporting does not address is whether similar auto-execute behavior exists in other AI coding assistants that process MCP configurations from workspace files -- the pattern is not unique to Amazon Q. For teams using Q Developer, updating the IDE plugin is the immediate action. The broader signal is a prompt to audit which other tools in your development environment auto-load and launch configurations from files that originate outside your control.