Amazon Q Developer Extension CVE-2026-12957 Enables Silent AWS Credential Theft from Malicious Workspaces

The flaw stemmed from the extension's language server inheriting the developer's environment and spawning processes on any opened workspace. Attackers could embed commands in .amazonq or related config files that ran immediately upon clone or PR merge, capturing AWS session tokens without user prompts or visible indicators. This matches documented patterns in North Korean developer recruitment lures and typosquatted packages.

Similar auto-execution issues have surfaced in Cursor, Claude for VS Code, and JetBrains AI Assistant, where extensions trusted workspace settings to invoke local tools. Procurement records show AWS and competitors accelerated AI coding integrations without equivalent sandboxing requirements applied to traditional CI runners. The shared root cause is environment inheritance combined with background execution, bypassing the consent model that previously limited extension privileges.

AWS released language server 1.65.0 on 12 May with fixes for both CVE-2026-12957 and the symlink handling issue CVE-2026-12958. Auto-updates were enabled for most users, yet organizations blocking outbound connections or pinning versions remain exposed. No independent technical attribution of exploitation exists yet, though the vector aligns with observed supply-chain campaigns targeting developer machines.

Next, expect targeted scans of popular open-source repositories for Q-specific config payloads and renewed focus on extension permission models across all major AI coding assistants.