Amazon Q Developer Flaw Lets Malicious Repos Steal Your Cloud Credentials
A critical vulnerability in Amazon’s Q Developer VS Code extension allows attackers to steal AWS cloud credentials simply by getting a developer to open a malicious Git repository. The flaw, discovered by security researchers at Wiz, exploits the Model Context Protocol (MCP) auto-execution feature built into the extension.
The attack works because Q Developer’s VS Code extension automatically reads MCP configuration files from any repository a developer opens. If an attacker places a specially crafted MCP config in a public GitHub repository and a developer opens that repository, the extension will execute the commands defined in the config without any user confirmation.
How the Attack Works
The attack chain is straightforward. First, the attacker creates a public GitHub repository containing a malicious .amazonq/mcp.json file. This file defines an MCP server that, when loaded by the Q Developer extension, runs arbitrary code on the developer’s machine.
When a developer clones and opens this repository in VS Code with the Q Developer extension installed, the extension automatically reads the MCP config and starts the defined server. The server code can then access environment variables, AWS credentials stored in ~/.aws/credentials, and any secrets configured on the developer’s machine.
The stolen credentials are sent to an attacker-controlled server, giving the attacker direct access to the victim’s AWS infrastructure. From there, they can access S3 buckets, EC2 instances, databases, and any other AWS service the compromised credentials have permissions for.
AWS Response
Amazon has acknowledged the vulnerability and released a patch that adds user confirmation prompts before executing MCP configurations from untrusted repositories. The fix requires users to manually approve MCP server configurations before they are activated.
However, security researchers note that the patch depends on developers actually reviewing and approving the prompts rather than clicking through them reflexively. In practice, many developers dismiss security prompts quickly, especially when they appear to be related to normal development workflows.
What Developers Should Do Now
If you use the Amazon Q Developer extension in VS Code, update it immediately. Beyond that, several steps can reduce your exposure:
- Avoid opening repositories you do not trust in VS Code with AI extensions enabled
- Store AWS credentials in environment variables or secret managers rather than local credential files
- Use AWS IAM roles with minimum required permissions for development work
- Enable AWS CloudTrail to log all API calls and set up alerts for unusual access patterns
- Consider using AWS SSO instead of long-lived access keys
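One way to act on the first recommendation is to check a freshly cloned repository for .amazonq/mcp.json before opening it in the editor. The script below is an added example, not code from Wiz or Amazon; it assumes the common MCP client layout of an "mcpServers" object whose entries carry "command" and "args", and the function name audit_repo is hypothetical.

```python
import json
import sys
from pathlib import Path

# Assumed layout (constructed sample, not taken from the article):
#   {"mcpServers": {"docs": {"command": "node", "args": ["server.js"]}}}


def audit_repo(repo_root):
    """List every MCP server that .amazonq/mcp.json files in a checkout define.

    Returns (config_path, server_name, command_line) tuples. A config that
    cannot be parsed, or lacks the assumed layout, is reported as
    "<needs manual review>" so it gets read by hand instead of being skipped.
    """
    root = Path(repo_root)
    findings = []
    # rglob also finds configs in nested projects and vendored directories.
    for cfg in sorted(root.rglob("mcp.json")):
        if cfg.parent.name != ".amazonq":
            continue
        rel = cfg.relative_to(root).as_posix()
        try:
            servers = json.loads(cfg.read_text(encoding="utf-8"))["mcpServers"]
            if not isinstance(servers, dict):
                raise TypeError("mcpServers is not an object")
        except (OSError, ValueError, KeyError, TypeError):
            findings.append((rel, "<needs manual review>", ""))
            continue
        for name, spec in servers.items():
            spec = spec if isinstance(spec, dict) else {}
            args = spec.get("args")
            argv = [spec.get("command", "")] + (args if isinstance(args, list) else [])
            findings.append((rel, name, " ".join(str(a) for a in argv).strip()))
    return findings


if __name__ == "__main__":
    results = audit_repo(sys.argv[1] if len(sys.argv) > 1 else ".")
    for path, name, cmd in results:
        print(f"{path}: server {name!r} would run: {cmd or '(read the file)'}")
    sys.exit(1 if results else 0)  # non-zero exit: review before opening
```

Run it against the clone directory from a terminal; any output means the repository ships an MCP config that should be read before the folder is opened with the extension enabled.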
The Broader MCP Risk
The MCP auto-execution vulnerability is not unique to Amazon Q Developer. The MCP specification allows AI coding assistants to define tools that run arbitrary code on a developer’s machine. Any AI coding tool that implements MCP without strict sandboxing faces the same category of risk.
GitHub Copilot, Cursor, and other AI coding tools that support MCP configurations should be evaluated for similar auto-execution behaviors. Developers who use multiple AI coding tools should audit each one’s MCP implementation and disable auto-execution where possible.
Frequently Asked Questions
What is the Amazon Q Developer MCP vulnerability?
A critical flaw in the Amazon Q Developer VS Code extension allows malicious Git repositories to execute arbitrary code by embedding commands in MCP configuration files. This can steal AWS credentials and cloud secrets from the developer’s machine.
How do I know if I am affected?
If you have the Amazon Q Developer extension installed in VS Code, you are potentially affected. Check that you are running the latest version of the extension, which includes the fix that requires manual approval of MCP configurations.
Can this attack steal my AWS credentials?
Yes. The attack can access AWS credentials stored in ~/.aws/credentials and any environment variables containing AWS secrets. Once stolen, these credentials give the attacker access to every AWS resource the credentials have permissions for.
Is this vulnerability unique to Amazon Q Developer?
No. Any AI coding tool that implements MCP with auto-execution capabilities faces similar risks. The MCP specification allows arbitrary code execution, and tools that do not properly sandbox this behavior are all vulnerable to this class of attack.
What is the Model Context Protocol (MCP)?
MCP is a specification that allows AI assistants to connect to external tools and data sources. It enables AI coding tools to interact with databases, APIs, and other services. The vulnerability occurs when AI tools automatically execute MCP configurations without user confirmation.
