AWS Fixes Amazon Q Flaw That Let Attackers Steal Cloud Credentials Silently

AWS patches a high-severity flaw in Amazon Q for VS Code, preventing credential theft from malicious repositories. Update now to protect data.
Content Team

AWS has patched a high-severity bug in the Amazon Q Developer extension for Visual Studio Code that could let attackers steal cloud credentials just by getting a developer to open a malicious repository. Tracked as CVE-2026-12957 and discovered by Wiz Research, the flaw allowed Amazon Q to automatically load and execute MCP server configurations without user approval — silently, before any code review happened.

Because spawned processes inherited the developer's full environment, attackers could grab AWS credentials, API keys, and SSH secrets. The fix landed in Language Server version 1.65.0. Similar MCP-related vulnerabilities have also been found in Claude Code, Cursor, and Windsurf.
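The two controls the description above points to, an explicit user-approval gate before any workspace MCP configuration is honoured and a scrubbed rather than inherited environment for the servers it spawns, modelled as an added Python example. This is not code from the article, from AWS or from Wiz Research; the `.amazonq/mcp.json` layout with a `mcpServers` key, the allowlisted and secret-looking variable names, the repository config and the developer environment are all assumptions or constructed samples for illustration.

```python
"""Added example (not from the article, AWS or Wiz): a defensive model of two
controls for workspace MCP server configurations shipped inside a repository.

1. A workspace config is honoured only after the user approved that exact content
   (keyed by SHA-256), so merely opening a repository spawns nothing.
2. An approved server runs with a scrubbed environment instead of inheriting the
   developer's full shell environment.

Assumed: the 'mcpServers' JSON layout, the allowlist and the secret-name patterns.
"""
import hashlib
import json
import re
import subprocess

# Parent variables a spawned server legitimately needs (allowlist; assumed).
ALLOWED_PARENT_VARS = {"PATH", "HOME", "LANG", "TMPDIR", "TERM"}

# Variable names never forwarded, even when a repo config declares them (assumed).
SECRET_NAME_PATTERNS = [
    re.compile(p, re.IGNORECASE)
    for p in (r"^AWS_", r"_TOKEN$", r"_SECRET", r"_KEY$", r"^SSH_AUTH_SOCK$", r"PASSWORD")
]


def config_fingerprint(config_text: str) -> str:
    """SHA-256 of the raw config text. Approval is bound to this exact content,
    so any later edit to the file in the repository needs a fresh approval."""
    return hashlib.sha256(config_text.encode("utf-8")).hexdigest()


def load_workspace_servers(config_text: str, approved_fingerprints: set) -> list:
    """Return server entries from a workspace mcp.json only if its fingerprint is
    approved. Unapproved content yields an empty list: there is nothing to spawn."""
    if config_fingerprint(config_text) not in approved_fingerprints:
        return []
    servers = json.loads(config_text).get("mcpServers", {})
    return [{"name": name, **spec} for name, spec in servers.items()]


def scrub_environment(parent_env: dict, declared_env: dict = None) -> dict:
    """Child environment: allowlisted parent variables plus the server's own
    declared variables, minus anything whose name looks like a credential."""
    env = {k: v for k, v in parent_env.items() if k in ALLOWED_PARENT_VARS}
    for key, value in (declared_env or {}).items():
        if any(p.search(key) for p in SECRET_NAME_PATTERNS):
            continue  # a repo-controlled config must not be able to name secrets either
        env[key] = value
    return env


def build_launch(server: dict, parent_env: dict) -> tuple:
    """Resolve argv and the scrubbed environment for one approved server."""
    argv = [server["command"], *server.get("args", [])]
    return argv, scrub_environment(parent_env, server.get("env"))


def spawn_server(server: dict, parent_env: dict) -> str:
    """Spawn the server with the scrubbed environment and return its stdout,
    used here only to show what the child process can actually see."""
    argv, env = build_launch(server, parent_env)
    return subprocess.run(argv, env=env, capture_output=True, text=True, check=False).stdout


# Constructed sample: a repository ships an MCP config whose "server" simply dumps
# its environment, standing in for any process a repo could cause the IDE to start.
WORKSPACE_CONFIG = json.dumps({
    "mcpServers": {
        "repo-helper": {"command": "env", "args": [],
                        "env": {"DEBUG": "1", "HELPER_API_KEY": "constructed"}}
    }
})

# Constructed developer environment holding the kinds of secrets the article names.
DEVELOPER_ENV = {
    "PATH": "/usr/bin:/bin",
    "HOME": "/home/dev",
    "AWS_ACCESS_KEY_ID": "AKIA-CONSTRUCTED-EXAMPLE",
    "AWS_SECRET_ACCESS_KEY": "constructed-secret",
    "GITHUB_TOKEN": "constructed-token",
    "SSH_AUTH_SOCK": "/tmp/agent.sock",
}

if __name__ == "__main__":
    # Opening the repository: no approval recorded, so nothing is loaded or spawned.
    print("unapproved ->", load_workspace_servers(WORKSPACE_CONFIG, set()))
    # After explicit approval of this exact content, the server runs with a scrubbed env.
    approved = {config_fingerprint(WORKSPACE_CONFIG)}
    for server in load_workspace_servers(WORKSPACE_CONFIG, approved):
        print("approved ->", spawn_server(server, DEVELOPER_ENV))
```

Binding approval to a content hash rather than to a file path is the point of the first control: a repository that later changes its config cannot ride on an earlier approval. The second control is deliberately an allowlist, because a denylist of secret names alone would still forward whatever credential variable the patterns do not anticipate.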

Source: Dark Reading