An AI Coding Tool Built Into Millions of Developer Setups Had a Flaw That Could Hand Hackers Your Cloud Keys
A security hole in Amazon's AI coding assistant let criminals steal cloud passwords just by getting a developer to open a poisoned folder. It's patched — but the attack method is spreading.

Key points
- Amazon Web Services patched a high-severity flaw tracked as CVE-2026-12957 in its Amazon Q Developer coding assistant in 2025.
- The bug let criminals steal a developer's cloud login credentials — the digital keys that control an entire company's cloud infrastructure — without the developer doing anything beyond opening a folder.
- Researchers at cloud security firm Wiz Research discovered and reported the vulnerability to AWS.
- AWS fixed the issue in Language Server version 1.65.0; anyone running that version or later is protected.
- Identical design weaknesses have now turned up in at least three other popular AI coding tools: Claude Code, Cursor, and Windsurf.
Imagine you download what looks like a normal software project from the internet, open the folder on your laptop, and in the background — before you've read a single line of code — an invisible script reaches into your computer and copies the passwords to your employer's entire cloud account. That is exactly what CVE-2026-12957 enabled.
The affected product is Amazon Q Developer, an AI-powered coding assistant — a tool that watches a programmer write code and suggests improvements in real time — built into the popular code editor Visual Studio Code. Millions of professional developers use it daily.
How did the hackers get in?
The entry point was something called an MCP server — short for Model Context Protocol server, which is essentially a plug-in that lets AI tools connect to other business systems. Amazon Q was set to automatically run instructions from these plug-ins the moment a developer opened a project folder, with no warning and no approval click required.
A criminal could create a fake or poisoned project folder — disguised as a useful open-source library, a job-interview coding test, or a dependency that another popular tool relies on — and slip malicious MCP instructions inside it. The moment a developer opened that folder with Amazon Q active, the instructions ran silently in the background.
Because Amazon Q also inherited all of the developer's active login sessions, those invisible instructions had immediate access to the developer's AWS credentials — the master keys that govern cloud servers, databases, stored files, and internal services. Wiz researchers confirmed this by running a test command that successfully captured a live AWS session.
The failure mode here is that code review — the standard professional practice of reading through a project before trusting it — offers zero protection here. The malicious payload fires before any human eyes touch the source code.
Wiz reported the flaw to AWS, first covered by Dark Reading, and AWS shipped a fix inside Language Server version 1.65.0. No further action is needed if you are already on that version or higher.
In practice, though, patching one product does not close the underlying problem. Wiz researcher Maor Dokhanian noted that nearly identical flaws have been found in Claude Code (CVE-2025-59536), Cursor (CVE-2025-54136), and Windsurf (CVE-2026-30615). The pattern is the same across all of them: AI tools that trust project files a little too automatically, built on an architecture that was not designed with supply-chain attacks in mind.
For ordinary people, the direct risk is indirect but real. If criminals steal a developer's cloud credentials, they can access customer databases, plant backdoors, or quietly tamper with software that millions of end users download and trust.
Developers should update Amazon Q's Language Server immediately if they have not, treat any "Untrusted MCP Server" warning from any AI coding tool as a hard stop rather than a speed bump, and be suspicious of repositories that arrive through unsolicited emails, fake job interviews, or urgent pull requests from unfamiliar accounts.
One thing the post-mortem will say: the credentials were already there, inherited and trusted, waiting for the first process that asked for them.



