MCP Auto-Execution: From Git Clone to Cloud Compromise in Amazon Q VS Code Extension

2026-06-26 · Source: wiz.io - Www.wiz.io · Field: Technology & Digital — Cybersecurity & Data Privacy, Artificial Intelligence & Machine Learning, Software Development & Engineering · Depth: Intermediate, medium

Summary

Wiz Research identified a high-severity vulnerability, CVE-2026-12957, in the Amazon Q Developer Extension for Visual Studio Code. This flaw allowed attackers to achieve arbitrary code execution and cloud credential theft by simply having a developer open a malicious repository. Amazon Q, an AI-powered coding assistant, automatically loaded Model Context Protocol (MCP) server configurations from workspace files without user consent, and combined with full environment inheritance, this enabled immediate code execution. The issue affected language server versions prior to 1.65.0 and has since been remediated by Amazon in version 1.65.0. This vulnerability is part of a broader pattern of MCP auto-execution risks found across other AI coding tools, including findings by OX Security and Check Point.

Key takeaway

For AI Engineers or Software Engineers using VS Code with AI coding assistants, understand that opening untrusted repositories can lead to immediate system compromise. Your development environment's deep integration with tools like Amazon Q means malicious workspace configurations can execute silently. This could steal cloud credentials or enable supply chain attacks. Always scrutinize MCP consent prompts and review unfamiliar ".amazonq/" folders to mitigate this systemic risk.

Key insights

AI coding tools' auto-execution of workspace configurations without consent poses a systemic risk for code execution and credential theft.

Principles

• Treat workspace configs as untrusted input.
• Require explicit consent for code execution.
• Limit environment inheritance for spawned processes.

In practice

• Review MCP consent prompts carefully.
• Check for unexpected ".amazonq/" folders.
• Audit existing MCP server configurations.

Topics

• Amazon Q Developer
• Visual Studio Code
• Model Context Protocol
• Supply Chain Security
• Cloud Security
• Arbitrary Code Execution
• CVE-2026-12957

Code references

• aws/language-servers

Best for: CTO, VP of Engineering/Data, Director of AI/ML, AI Security Engineer, Software Engineer, AI Engineer

Related on AIssential

• Claude Code can destroy your database — AI-driven cloud code risks dangerous, unintended actions like database deletion because current security tools lack contextual understanding.
• Run Untrusted AI Agent Code Safely with Azure Container Apps Sandboxes — Azure Container Apps Sandboxes provide hardware-isolated microVMs for securely executing untrusted AI agent code, preventing host compromise.
• GitHub confirms 3,800 internal repos stolen through poisoned VS Code extension as supply chain worm hits Microsoft’s Python SDK — Chained supply chain and AI agent vulnerabilities are actively exploited, bypassing traditional security measures.
• Harden your pipeline perimeter for the era of AI-assisted coding — Modern development pipelines require a unified control plane to secure the convergence of human, AI, and third-party code.
• Mitigating Indirect AGENTS.md Injection Attacks in Agentic Environments — Compromised dependencies can exploit AI agents via AGENTS.md injection, creating stealthy supply chain risks.
• GitHub Expands Secret Scanning with General Availability of MCP Server Integration — GitHub's MCP Server integration extends secret scanning to AI-driven workflows, enabling automated credential detection and remediation.

Open in AIssential →

Editorial summary, takeaway, and curation by AIssential. Original article published by wiz.io - Www.wiz.io.