Source: SecurityWeek

Amazon Q Flaw Enabled Cloud Credential Theft via Malicious Repositories

By Eduard Kovacs

Wiz reported a high-severity issue in the Amazon Q Developer extension for Visual Studio Code: opening a booby-trapped repository could trigger automatic actions on workspace configuration files without user consent. This could allow attackers to run attacker-controlled commands and inherit the developer’s environment, potentially capturing AWS or other cloud credentials and API keys. The issue is tracked as CVE-2026-12957, with a related symbolic link issue tracked as CVE-2026-12958. AWS issued patches (including fixes in the Amazon Q Developer language server, noted as version 1.65.0) and says updates are available for affected plugins covering VS Code, JetBrains, Eclipse, and Visual Studio.