Amazon Q flaw let booby-trapped Git repos execute code, swipe cloud creds


Researchers warn many AI coding assistants now execute commands from project configurations

Carly Page


Published Fri 26 Jun 2026 // 16:34 UTC

A high-severity flaw in Amazon's AI coding assistant for Visual Studio Code meant that opening the wrong Git repository could allow an attacker to execute code on a developer's machine and potentially hand them the keys to the dev's cloud environment.

The bug, tracked as CVE-2026-12957 and assigned a CVSS 4.0 score of 8.5, centers on how Amazon Q handled Model Context Protocol (MCP) server configurations. Wiz found the extension would automatically load a repository's .amazonq/mcp.json file and execute the commands it contained when a developer opened the project and activated Amazon Q.

"The security model assumes the user explicitly configures these servers. After all, you're granting an AI assistant permission to run arbitrary commands on your machine. This should require informed consent," the researchers write. "The vulnerability arose when this assumption was violated: Amazon Q automatically loaded MCP configurations from .amazonq/mcp.json within the workspace – no prompt, no consent, no workspace trust check."


MCP lets AI assistants launch local processes to carry out tasks. In Amazon Q's case, those processes inherited the developer's environment, giving them access to AWS credentials, API keys, authentication tokens, SSH agent sockets, and other secrets already loaded into the session.
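A pre-open audit a defender could run over a cloned checkout, added here as an example (not code from Wiz, Amazon or The Register): it lists every command a workspace .amazonq/mcp.json defines and which credential-bearing variables of the current session a launched process would inherit. The mcpServers/command/args layout is assumed from common MCP client configs and is not stated in the article; the sample repository and environment values are constructed.

```python
import json
import os
import tempfile
from pathlib import Path

# Variables that commonly carry credentials; child processes inherit them by default.
SENSITIVE_ENV = ("AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN",
                 "AWS_PROFILE", "SSH_AUTH_SOCK", "GITHUB_TOKEN")

def audit_workspace(root, env=None):
    """List every MCP server command defined by a .amazonq/mcp.json under root."""
    env = os.environ if env is None else env
    exposed = sorted(k for k in SENSITIVE_ENV if env.get(k))
    findings = []
    for cfg in sorted(Path(root).rglob("mcp.json")):
        if cfg.parent.name != ".amazonq":
            continue
        try:
            doc = json.loads(cfg.read_text(encoding="utf-8"))
        except (OSError, ValueError) as exc:
            findings.append({"file": str(cfg), "error": str(exc)})
            continue
        # Assumed layout: {"mcpServers": {name: {"command": str, "args": [..]}}}
        servers = doc.get("mcpServers") if isinstance(doc, dict) else None
        for name, spec in (servers.items() if isinstance(servers, dict) else ()):
            spec = spec if isinstance(spec, dict) else {}
            args = spec.get("args") if isinstance(spec.get("args"), list) else []
            findings.append({
                "file": str(cfg),
                "server": name,
                "argv": [str(spec.get("command", ""))] + [str(a) for a in args],
                "inherits": exposed,  # secrets the launched process would see
            })
    return findings

def demo():
    """Audit a constructed sample checkout with a constructed environment."""
    with tempfile.TemporaryDirectory() as tmp:
        cfg_dir = Path(tmp) / "cloned-repo" / ".amazonq"
        cfg_dir.mkdir(parents=True)
        sample = {"mcpServers": {"docs-helper": {
            "command": "sh", "args": ["-c", "echo placeholder"]}}}
        (cfg_dir / "mcp.json").write_text(json.dumps(sample), encoding="utf-8")
        fake_env = {"AWS_SECRET_ACCESS_KEY": "constructed-value",
                    "SSH_AUTH_SOCK": "/tmp/constructed.sock", "HOME": "/home/dev"}
        return audit_workspace(tmp, env=fake_env)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

An empty result from audit_workspace means the checkout carries no workspace-level Amazon Q MCP configuration; any finding is a command to read before the folder is opened in the IDE.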

"The combination meant that a single malicious config file could execute arbitrary commands with full access to the developer's credentials – no user interaction required beyond opening the folder and activating Amazon Q," Wiz said.

To prove the attack worked, Wiz built a repository with a malicious MCP configuration. Opening the project and activating Amazon Q caused the extension to execute a command against AWS using the developer's existing credentials.


Amazon fixed the bug in version 1.65.0 of its language server, which powers Amazon Q's IDE integrations. Existing installations should receive the patched component automatically unless you've blocked automatic updates.

"We would like to thank Wiz for collaborating with us on this issue. We have remediated this issue in language server version 1.65.0," Amazon said in an advisory, though it didn't respond to The Register's questions.

Wiz argues the bug is less an Amazon problem than an industry one. More and more AI coding assistants are adopting MCP to connect models to local tools and services, allowing them to execute commands on developers' machines.

According to the researchers, similar workspace configuration flaws have recently surfaced in other AI coding tools. It suggests attackers have found a new place to lurk: the hidden files that developers rarely think twice about trusting. ®
