What happened
Researchers at Wiz disclosed a high-severity vulnerability in the Amazon Q Developer extension for Visual Studio Code that could allow attackers to steal developers’ cloud credentials through malicious code repositories.
Amazon Q Developer is an AI-powered coding assistant that provides code suggestions, automated refactoring, and integrations with local tools and services.
The flaw stemmed from the extension automatically acting on configuration files embedded in a developer workspace without first asking for user permission. That meant a malicious repository could trigger attacker-controlled commands in the background as soon as a developer opened it.
If the developer was already authenticated to AWS or other cloud services, active credentials and API keys available in the local environment could be captured and exfiltrated without any visible warning.
Potential attack paths included fake coding tests, typosquatted open-source packages, or malicious pull requests to popular projects. In each scenario, the attacker’s goal would be to convince a developer to open a repository that silently abuses the vulnerable extension behavior.
AWS was notified of the issue on April 20 and released a patch on May 12. The vulnerability is tracked as CVE-2026-12957.
AWS also patched a related symbolic link handling issue tracked as CVE-2026-12958.
Fixes are available across affected Amazon Q Developer plugins for Visual Studio Code, JetBrains, Eclipse, and Visual Studio, as well as the Amazon Q Developer language server.
AWS said the language server updates automatically unless a customer’s network configuration blocks the update. Existing users can reload their IDE to trigger the update, while customers whose environments block auto-updates should upgrade to the latest Amazon Q Developer plugin for their IDE.
Who is affected
Developers using affected Amazon Q Developer plugins may be affected, especially those using Visual Studio Code, JetBrains, Eclipse, or Visual Studio with vulnerable versions of the extension or language server.
The risk is highest for developers who open untrusted repositories while authenticated to AWS, cloud services, source control platforms, or other developer tools.
Organizations may also be affected if developers have active cloud credentials, API keys, environment variables, or privileged access available on local machines when a malicious repository is opened.
Why CISOs should care
This vulnerability shows how AI coding assistants can become part of the software supply chain attack surface. The issue was not a traditional cloud misconfiguration or exposed key. It involved a developer tool automatically acting on workspace configuration in a way that could expose local credentials.
For CISOs, the main concern is the bridge between developer endpoints and cloud infrastructure. A malicious repository could compromise a developer’s local environment and then use stolen credentials to access cloud resources, CI/CD systems, source code, or production-adjacent services.
The attack path is also realistic. Developers routinely open coding tests, pull requests, open-source repositories, and third-party sample projects. If those repositories can influence AI coding tools or local extensions without clear approval, the repository itself becomes an execution and credential theft vector.
The broader lesson is that AI-assisted development tools need the same governance as other privileged developer tooling. Extensions, language servers, IDE plugins, and AI agents should be reviewed for execution behavior, permission prompts, update status, and access to sensitive environment data.
3 practical actions
- Update Amazon Q Developer plugins and language servers: AWS patched CVE-2026-12957 and CVE-2026-12958. CISOs should confirm that affected IDE plugins and the Amazon Q Developer language server have updated, especially in environments where auto-updates may be blocked.
- Restrict what developer tools can execute from workspaces: The vulnerability involved automatic action on configuration files embedded in a repository. Security teams should review IDE, extension, and AI coding assistant settings to limit automatic command execution from untrusted repositories.
- Reduce credential exposure on developer machines: Developers authenticated to AWS or other cloud services were especially exposed. Organizations should limit long-lived credentials, use short-lived tokens, isolate high-risk development work, monitor credential access, and rotate keys if a suspicious repository may have been opened.
John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business targeted for professional audiences.