Researchers at Wiz have disclosed a high-severity vulnerability in the Amazon Q Developer extension for Visual Studio Code that could allow attackers to steal developers’ cloud credentials by luring them into opening a booby-trapped code repository.
Amazon Q Developer is an AI-powered coding assistant that offers developers features such as code suggestions, automated refactoring, and access to external tools and services via integrations with local processes.
AWS was notified about the issue on April 20 and a patch was released on May 12. The cloud giant published a security advisory this week.
The root cause of the vulnerability was that the extension would automatically act on configuration files embedded in a workspace without first asking the user for permission.
That meant a malicious repository could quietly run attacker-controlled commands in the background the moment a developer opened it. Because those commands inherited the IDE's environment, they could read whatever cloud credentials and API keys were present as environment variables at the time.
Wiz said possible delivery paths include a fake coding test of the kind North Korean hackers use to target developers, a typosquatted open source package, or a malicious pull request to a popular project.
Developers authenticated to AWS or other cloud services would be particularly exposed, since active session credentials could be captured and exfiltrated without any visible warning.
“The combination of auto-execution, shell spawning, and environment inheritance created a high-severity vulnerability in a widely-used developer tool. A single malicious repository could compromise not just the developer’s local machine, but their cloud infrastructure as well,” Wiz noted.
AWS has patched the vulnerability, tracked as CVE-2026-12957, and a related issue involving symbolic link handling (CVE-2026-12958).
Fixes are available across all affected Amazon Q Developer plugins covering VS Code, JetBrains, Eclipse, and Visual Studio, as well as the language server.
“We would like to thank Wiz for collaborating with us on this issue. We have remediated this issue in language server version 1.65.0,” an AWS spokesperson told SecurityWeek.
“The AWS Language Server updates automatically unless the customer’s network configuration prevents it, so no action is required in most cases. For existing customers, reloading the IDE will trigger an update to the latest language server version, which includes this fix. If auto-update is blocked, we recommend upgrading to the latest version of the Amazon Q Developer plugin for your IDE. New customers require no action, as the latest patched version will be downloaded automatically,” the AWS spokesperson added.
Wiz noted that the underlying issue is not unique to Amazon Q; other researchers have identified similar problems in VS Code and other AI coding tools, including Claude and Cursor.
The Google-owned cloud security giant published technical details and PoC code on Friday.
Related: GitLab Patches Code Execution, Information Disclosure Vulnerabilities
Related: 25-Year-Old Vulnerability Patched in Curl
Related: Google Addresses Vertex Security Issues After Researchers Weaponize AI Agents
