{"id":735778,"date":"2026-06-27T07:45:24","date_gmt":"2026-06-27T04:45:24","guid":{"rendered":"https:\/\/buradabiliyorum.com\/en\/amazon-q-developer-flaw-let-malicious-repos-steal-aws-credentials-via-rogue-mcp-servers\/"},"modified":"2026-06-27T07:45:24","modified_gmt":"2026-06-27T04:45:24","slug":"amazon-q-developer-flaw-let-malicious-repos-steal-aws-credentials-via-rogue-mcp-servers","status":"publish","type":"post","link":"https:\/\/buradabiliyorum.com\/en\/amazon-q-developer-flaw-let-malicious-repos-steal-aws-credentials-via-rogue-mcp-servers\/","title":{"rendered":"Amazon Q Developer flaw let malicious repos steal AWS credentials via rogue MCP servers"},"content":{"rendered":"<div id=\"ez-toc-container\" class=\"ez-toc-v2_0_85 counter-hierarchy ez-toc-counter ez-toc-custom ez-toc-container-direction\">\n<p class=\"ez-toc-title\" style=\"cursor:inherit\">Table of Contents<\/p>\n<label for=\"ez-toc-cssicon-toggle-item-6a42b71f6f9e0\" class=\"ez-toc-cssicon-toggle-label\"><span class=\"\"><span class=\"eztoc-hide\" style=\"display:none;\">Toggle<\/span><span class=\"ez-toc-icon-toggle-span\"><svg style=\"fill: #dd3333;color:#dd3333\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" class=\"list-377408\" width=\"20px\" height=\"20px\" viewBox=\"0 0 24 24\" fill=\"none\"><path d=\"M6 6H4v2h2V6zm14 0H8v2h12V6zM4 11h2v2H4v-2zm16 0H8v2h12v-2zM4 16h2v2H4v-2zm16 0H8v2h12v-2z\" fill=\"currentColor\"><\/path><\/svg><svg style=\"fill: #dd3333;color:#dd3333\" class=\"arrow-unsorted-368013\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"10px\" height=\"10px\" viewBox=\"0 0 24 24\" version=\"1.2\" baseProfile=\"tiny\"><path d=\"M18.2 9.3l-6.2-6.3-6.2 6.3c-.2.2-.3.4-.3.7s.1.5.3.7c.2.2.4.3.7.3h11c.3 0 .5-.1.7-.3.2-.2.3-.5.3-.7s-.1-.5-.3-.7zM5.8 14.7l6.2 6.3 6.2-6.3c.2-.2.3-.5.3-.7s-.1-.5-.3-.7c-.2-.2-.4-.3-.7-.3h-11c-.3 0-.5.1-.7.3-.2.2-.3.5-.3.7s.1.5.3.7z\"\/><\/svg><\/span><\/span><\/label><input type=\"checkbox\"  id=\"ez-toc-cssicon-toggle-item-6a42b71f6f9e0\" checked aria-label=\"Toggle\" \/><nav><ul class='ez-toc-list ez-toc-list-level-1 ' ><li class='ez-toc-page-1 ez-toc-heading-level-4'><a class=\"ez-toc-link ez-toc-heading-1\" href=\"https:\/\/buradabiliyorum.com\/en\/amazon-q-developer-flaw-let-malicious-repos-steal-aws-credentials-via-rogue-mcp-servers\/#TLDR\" >TL;DR<\/a><\/li><\/ul><\/nav><\/div>\n<p><img decoding=\"async\" src=\"https:\/\/media.thenextweb.com\/2026\/06\/amazon-q-developer-mcp-flaw-aws-credentials-stolen.avif\" \/><\/p>\n<div id=\"article-main-content\">\n<div class=\"postContent-tldr\">\n<h4 class=\"postContent-offsetTitle\"><span class=\"ez-toc-section\" id=\"TLDR\"><\/span>TL;DR<span class=\"ez-toc-section-end\"><\/span><\/h4>\n<p><em>A flaw in Amazon Q Developer auto-loaded rogue MCP servers from cloned repos, letting attackers steal AWS credentials silently.<\/em><\/p>\n<\/div>\n<p><a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/thehackernews.com\/2026\/06\/amazon-q-developer-flaw-could-let.html\" target=\"_blank\" rel=\"nofollow noopener\">A high-severity flaw in Amazon Q Developer allowed a malicious code repository<\/a> to silently execute commands on a developer\u2019s machine and steal their AWS credentials. Wiz Research discovered the vulnerability, tracked as CVE-2026-12957, and reported it to Amazon on April 20. Amazon patched the issue on May 12, and the disclosure went public today.<\/p>\n<p>The attack exploited how Amazon Q Developer handles MCP servers, a protocol that lets AI coding assistants connect to external tools and data sources. A configuration file placed inside a repository would automatically register and start an attacker-controlled MCP server the moment a developer cloned the project, with no prompt or consent step. That server inherited the developer\u2019s full AWS credentials, IAM role, and any other environment variables available to the IDE plugin.<\/p>\n<p>Wiz researchers demonstrated the attack by building a proof of concept that ran a standard AWS identity command through the malicious MCP server and sent the output to an external server. The command returns the developer\u2019s AWS account ID, user ARN, and session credentials, everything an attacker needs to access cloud resources. Because the MCP server launched automatically when the repository opened, the attack required no interaction beyond cloning the code, a pattern that has already enabled supply chain compromises in other AI coding tools.<\/p>\n<div class=\"inarticle-wrapper channel-cta\">\n<div class=\"ica-text\">\n<p class=\"ica-text__title\">TNW City Coworking space &#8211; Where your best work h<a href=\"https:\/\/buradabiliyorum.com\/en\/category\/download-scripts-themes-apps\/\" data-internallinksmanager029f6b8e52c=\"9\" title=\"Download Scripts &amp; Themes &amp; Apps\" target=\"_blank\" rel=\"noopener\">app<\/a>ens<\/p>\n<p>A workspace designed for growth, collaboration, and endless networking opportunities in the heart of tech.<\/p>\n<\/div>\n<\/div>\n<p>Amazon fixed the vulnerability by requiring explicit user approval before any MCP server can start, and by restricting the environment variables that MCP servers can access. A second flaw found in the same audit, CVE-2026-12958, revealed that the plugin failed to check for symbolic links when writing workspace files, allowing an attacker to write arbitrary files anywhere on the developer\u2019s system. Amazon patched both issues in updated versions of Language Servers for AWS and the corresponding IDE plugins for VS Code, JetBrains, Eclipse, and Visual Studio.<\/p>\n<p>The disclosure adds Amazon Q Developer to a growing list of AI coding tools found vulnerable to supply chain attacks that exploit the trust these tools place in repository contents. Anthropic\u2019s Claude Code was found vulnerable to a similar credential-theft attack through prompt injection in GitHub Actions earlier this year. Cursor and Codeium\u2019s Windsurf have also disclosed MCP-related vulnerabilities in recent months.<\/p>\n<p>The underlying problem is that MCP, by design, gives AI assistants the ability to call external tools with whatever permissions the host application holds. When a repository can silently register an MCP server that inherits a developer\u2019s cloud credentials, the attack surface expands from the code itself to every service the developer can access. Amazon says there is no evidence the flaw was exploited in the wild, and CISA\u2019s advisory database lists no known attacks.<\/p>\n<p>Developers using Amazon Q Developer should update their IDE plugins to the latest available versions im<a href=\"https:\/\/buradabiliyorum.com\/en\/category\/social-mediaa\/\" data-internallinksmanager029f6b8e52c=\"1\" title=\"Social Media\" target=\"_blank\" rel=\"noopener\">media<\/a>tely and audit any repositories they have recently cloned for unexpected configuration files. The broader lesson is the same one that keeps repeating across AI developer tooling: any configuration file that can trigger code execution at clone time is a weapon, and the tools that auto-execute it are the ones holding the safety off.<\/p>\n<\/p><\/div>\n<blockquote><p><strong><span style=\"color: #ff6600;\">If you liked the article, do not forget to share it with your friends. Follow us on\u00a0<span style=\"color: #ff0000;\"><a style=\"color: #ff0000;\" href=\"https:\/\/news.google.com\/publications\/CAAqBwgKMN63nwsw68G3Aw\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Google News<\/a><\/span>\u00a0too, click on the star and choose us from your favorites.<\/span><\/strong><\/p><\/blockquote>\n<blockquote>\n<p style=\"text-align: center;\"><strong>If you want to read more like this article, you can visit our <span style=\"color: #ff9900;\"><a style=\"color: #ff9900;\" href=\"https:\/\/buradabiliyorum.com\/en\/category\/technology\/\" target=\"_blank\" >Technology category.<\/a><\/span><\/strong><\/p>\n<\/blockquote>\n<p><span style=\"color: black;\"><a style=\"color: #ff9900;\" href=\"https:\/\/thenextweb.com\/news\/amazon-q-developer-mcp-flaw-aws-credentials-stolen\" target=\"_blank\" >Source<\/a><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>TL;DR A flaw in Amazon Q Developer auto-loaded rogue MCP servers from cloned repos, letting attackers steal AWS credentials silently. A high-severity flaw in Amazon Q Developer allowed a malicious code repository to silently execute commands on a developer\u2019s machine and steal their AWS credentials. Wiz Research discovered the vulnerability, tracked as CVE-2026-12957, and reported&#8230;<\/p>\n","protected":false},"author":1,"featured_media":735779,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/media.thenextweb.com\/2026\/06\/amazon-q-developer-mcp-flaw-aws-credentials-stolen.avif","fifu_image_alt":"","footnotes":""},"categories":[18],"tags":[],"class_list":["post-735778","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technology"],"_links":{"self":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/735778","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/comments?post=735778"}],"version-history":[{"count":0,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/735778\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media\/735779"}],"wp:attachment":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media?parent=735778"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/categories?post=735778"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/tags?post=735778"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}