{"slug": "ai-coding-assistants-turn-local-git-repos-into-cloud-exploits", "title": "AI Coding Assistants Turn Local Git Repos Into Cloud Exploits", "summary": "A high-severity vulnerability in Amazon Q Developer, tracked as CVE-2026-12957 with a CVSS score of 8.5, allowed malicious Git repositories to execute arbitrary commands and exfiltrate AWS credentials when a developer opened the repository in an IDE. Discovered by Wiz Research, the flaw exploited automatic loading of Model Context Protocol configurations without user consent, highlighting a systemic security issue in AI coding assistants.", "body_md": "# AI Coding Assistants Turn Local Git Repos Into Cloud Exploits\n\nA high-severity Amazon Q flaw highlights how Model Context Protocol configurations let malicious repositories run code and steal credentials.\n\n[Emeka Okafor](https://www.devclubhouse.com/u/emeka_okafor)\n\nThe modern developer workflow is built on a fragile assumption of safety. We clone a repository, open it in our favorite editor, and assume that until we run `npm install` or execute a build script, we are safe from local code execution.\n\nThat assumption is officially dead. The rise of agentic AI coding assistants has introduced a new attack vector where simply opening a folder in an IDE can compromise your entire cloud infrastructure.\n\nA high-severity vulnerability in [Amazon Q Developer](https://aws.amazon.com/q/developer/), tracked as CVE-2026-12957 with a CVSS score of 8.5, allowed booby-trapped Git repositories to execute arbitrary commands on a developer's machine and exfiltrate active AWS credentials. Discovered by Wiz Research, the flaw stems from how the extension handled Model Context Protocol (MCP) server configurations.\n\nThis is not an isolated bug in a single extension. 
It is a structural design flaw in how the industry is integrating AI agents with local development environments.\n\n## The Anatomy of the MCP Attack Chain\n\nTo understand how this vulnerability works, you have to look at the [Model Context Protocol](https://modelcontextprotocol.io) (MCP). Developed to give LLMs a standardized way to interact with local tools, databases, and APIs, MCP allows an AI assistant to spawn local processes to perform tasks on your behalf.\n\nIn a secure implementation, spawning a local process requires explicit user consent. The security model assumes that the developer is making an informed decision to trust a specific tool.\n\nAmazon Q broke this assumption. When a developer opened a workspace and activated the extension, Amazon Q automatically loaded the `.amazonq/mcp.json` configuration file from the repository. It did this without prompting the user, without verifying workspace trust, and without any consent checks.\n\nBecause MCP servers run as local processes, they inherit the environment of the parent IDE process. For a cloud developer, that environment is a goldmine. It typically contains:\n\n- Active AWS session credentials (`AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `AWS_SESSION_TOKEN`)\n- Cloud CLI authentication tokens\n- Local API keys and environment variables\n- Active SSH agent sockets\n\nTo prove the concept, researchers built a repository containing a malicious `.amazonq/mcp.json` file. The moment the folder was opened and Amazon Q was activated, the extension executed a command to run `aws sts get-caller-identity` and silently exfiltrated the active AWS session credentials to an attacker-controlled server. No clicks, no warnings, and no manual execution required.\n\nAlongside this, a companion vulnerability (CVE-2026-12958) was disclosed. This second flaw involved a missing symlink validation check, which allowed path traversal. 
An attacker could use a malicious repository to write arbitrary files outside the workspace boundary, potentially overwriting shell profiles or SSH configurations to establish persistence.\n\n## A Systemic Industry Blind Spot\n\nWhile Amazon has patched these specific flaws, the underlying issue is systemic. The developer tool space is rushing to adopt MCP to make coding assistants more capable, but security is lagging behind convenience.\n\nSimilar workspace configuration vulnerabilities have recently cropped up across the industry:\n\n- **Claude Code** tripped over CVE-2025-5953 and CVE-2026-21852, where project-level configurations led to unauthorized command execution.\n- **Cursor** was hit by CVE-2025-54136, exposing a similar path from project configuration to local execution.\n- **Windsurf** suffered from CVE-2026-30615, where malicious repository content could rewrite local MCP configurations to register rogue servers.\n\nThis is a classic supply chain risk wrapped in a new package. Historically, attackers targeted package managers like npm or PyPI to slip malicious code into dependencies. Now, they can target the metadata of the repository itself. A malicious pull request to a popular open-source project, a typosquatted package, or a fake coding test sent during a targeted phishing campaign can all serve as delivery mechanisms for a toxic MCP configuration.\n\n## The Developer Playbook: Mitigations and Workflows\n\nIf you use Amazon Q Developer, you need to verify your plugin versions immediately. 
The vulnerability lies in the Language Servers for AWS, the underlying runtime powering the extension across multiple IDEs.\n\nAmazon patched the initial execution bug in version 1.65.0, but their official security bulletin recommends updating to at least version 1.69.0 to address both the execution flaw and the symlink path traversal bug.\n\nEnsure your IDE plugins meet or exceed these minimum versions:\n\n- **[Visual Studio Code](https://code.visualstudio.com):** Version 2.20 or later\n- **JetBrains:** Version 4.3 or later\n- **Eclipse:** Version 2.7.4 or later\n- **Visual Studio Toolkit:** Version 1.94.0.0 or later\n\nMost modern IDEs will auto-update these extensions on restart, but you should manually audit your installed versions to be certain.\n\n### Auditing Cloned Repositories\n\nBecause AI assistants are now looking for hidden configuration files, you can no longer trust that a repository is safe to open just because you have not run its code. Before opening any untrusted or newly cloned repository in an IDE with active AI extensions, run a quick terminal scan for hidden configuration directories:\n\n```\nfind . -type f \\( -name \"mcp.json\" -o -path \"*/.amazonq/*\" -o -path \"*/.cursor/*\" -o -path \"*/.claudecode/*\" \\)\n```\n\nIf this command returns any results in a repository you do not fully control, do not open it in your primary IDE session. Inspect the JSON files manually in a plain text editor to ensure they do not contain arbitrary execution commands.\n\n## The Trade-off of Agentic Convenience\n\nThe patch deployed by Amazon introduces an \"Untrusted MCP Server\" prompt. If Amazon Q detects an MCP configuration in a workspace, it will now halt and require the developer to explicitly approve the server before running it.\n\nThis is the correct fix, but it highlights the friction that security introduces to agentic workflows. The promise of AI agents is that they operate autonomously in the background, solving complex tasks while you focus on architecture. 
If every tool registration, database connection, and local script execution requires a manual confirmation dialog, the agent starts to feel less like an autonomous assistant and more like an annoying linter.\n\nYet, the alternative is unacceptable. Giving an AI assistant the keys to your local machine means giving those same keys to anyone who can influence the assistant's context. Until the industry develops secure, sandboxed runtimes for IDE extensions, developers must treat AI configuration files with the same level of suspicion they reserve for raw shell scripts.\n\n## Sources & further reading\n\n- [Amazon Q flaw let booby-trapped Git repos execute code, swipe cloud creds](https://www.theregister.com/cyber-crime/2026/06/26/amazon-q-flaw-let-booby-trapped-git-repos-execute-code-swipe-cloud-creds/5263202) — theregister.com\n- [Amazon Q Developer Flaw Could Let Malicious Repos Run Code via MCP Configs](https://thehackernews.com/2026/06/amazon-q-developer-flaw-could-let.html) — thehackernews.com\n- [Amazon Q Vulnerability Let Attackers Execute Code and Access Sensitive Cloud Environments](https://cybersecuritynews.com/amazon-q-vulnerability/) — cybersecuritynews.com\n- [The Brutalist Report](https://brutalist.report/) — brutalist.report\n- [Amazon Q extension for VS Code reportedly injected with ‘wiper’ prompt | news | SC Media](https://www.scworld.com/news/amazon-q-extension-for-vs-code-reportedly-injected-with-wiper-prompt) — scworld.com\n\n[Emeka Okafor](https://www.devclubhouse.com/u/emeka_okafor) · Security Editor\n\nEmeka has spent over a decade tracking threat actors, vulnerability disclosures, and the evolving landscape of application security, bringing a sharp continent-spanning perspective to his reporting. 
He's known for translating dense CVE advisories into clear, actionable context that developers and security teams alike actually read.", "url": "https://wpnews.pro/news/ai-coding-assistants-turn-local-git-repos-into-cloud-exploits", "canonical_source": "https://www.devclubhouse.com/a/ai-coding-assistants-turn-local-git-repos-into-cloud-exploits", "published_at": "2026-06-26 17:03:07+00:00", "updated_at": "2026-06-26 17:07:35.499822+00:00", "lang": "en", "topics": ["ai-safety", "ai-tools", "ai-agents", "developer-tools"], "entities": ["Amazon Q Developer", "Wiz Research", "Model Context Protocol", "AWS", "Claude Code", "Cursor", "Windsurf"], "alternates": {"html": "https://wpnews.pro/news/ai-coding-assistants-turn-local-git-repos-into-cloud-exploits", "markdown": "https://wpnews.pro/news/ai-coding-assistants-turn-local-git-repos-into-cloud-exploits.md", "text": "https://wpnews.pro/news/ai-coding-assistants-turn-local-git-repos-into-cloud-exploits.txt", "jsonld": "https://wpnews.pro/news/ai-coding-assistants-turn-local-git-repos-into-cloud-exploits.jsonld"}}