TL;DR: On June 25-26, 2026, AWS and multiple researchers disclosed CVE-2026-12957 (CVSS 8.5) and CVE-2026-12958 - two flaws in the Amazon Q Developer IDE assistant that let a cloned malicious repository run arbitrary code on a developer's machine the moment the workspace is opened, per The Hacker News. The attack abuses a .amazonq/mcp.json Model Context Protocol (MCP) configuration file that Amazon Q auto-loaded and auto-executed; the launched processes inherit the developer's full environment - AWS access keys, cloud CLI tokens, API secrets, and the SSH agent socket, per The Register. For NC small businesses that have rolled out AI coding assistants in the last 18 months, this is the first public reminder that a "harmless git clone" is now a credential-theft vector.
Key takeaway: AI coding assistants are local code execution surfaces. If your developer machines hold the keys to AWS, Azure, or GCP, then your AI coding tool is now a credential vault that a malicious repository can open by being cloned.
Need help governing AI dev tools and rotating cloud credentials? Preferred Data Corporation has run managed IT, managed cybersecurity, and custom software development for NC small businesses since 1987. Call (336) 886-3282 or request an AI dev tool security review.
What is CVE-2026-12957 and how does the Amazon Q attack work?
CVE-2026-12957 (CVSS 8.5) is an improper trust boundary enforcement vulnerability in Amazon Q Developer that auto-executes MCP server configurations found inside any open workspace - without consent or prompt, per Cybersecurity News. A companion flaw, CVE-2026-12958, is a missing symlink validation that allows path traversal outside the workspace boundary. Both ship as part of the AWS Language Servers; the fix landed in version 1.65.0, and AWS told customers to move to 1.69.0, per The Hacker News.
| Attribute | CVE-2026-12957 + CVE-2026-12958 detail |
|---|---|
| CVSS score | 8.5 (high) on CVE-2026-12957 |
| Authentication required | None (developer just opens the repo) |
| User interaction required | Cloning + opening the workspace |
| Exploit vector | Local code execution via auto-loaded MCP config |
| Active exploitation | Public PoC; no widespread campaigns yet reported |
| Disclosure date | June 25-26, 2026 |
| Trigger file | .amazonq/mcp.json inside the cloned repo |
| Symlink follow-up | CVE-2026-12958 - missing symlink validation |
| Fix | AWS Language Servers 1.65.0; AWS recommends 1.69.0 |
| Inheritance | Spawned MCP server processes inherit AWS keys, cloud CLI tokens, API secrets, SSH agent socket |
The Model Context Protocol is the standard glue that lets AI assistants reach databases, file systems, APIs, and build tools as local processes. The design assumption is that the developer chose to launch those servers. The vulnerability collapses that assumption: a .amazonq/mcp.json shipped inside a cloned third-party repository was treated as a trusted user choice, and Amazon Q started the listed MCP servers automatically.
Quotable definition: Model Context Protocol (MCP) is an open standard that lets AI coding assistants spawn local helper processes to read databases, hit APIs, and run build tools. An MCP server is a small subprocess on the developer's machine. Auto-launching one means executing code with the developer's full environment - AWS keys, GitHub tokens, SSH sockets, and cloud CLI sessions included.
Three facts an NC small business should write down:
- The attack vector is
git clone. A developer who clones a third-party repo to evaluate a library, audit a vendor, or follow a tutorial is the trigger. No malicious link, no email lure, no zero-day - just the routine workflow of opening a new repository in an IDE. - The exploded blast radius is the developer's cloud session. Per Cybersecurity News, the spawned MCP processes inherit AWS access keys, cloud CLI tokens, API secrets, and even the SSH agent socket. A developer with admin or PowerUser AWS rights becomes a full cloud takeover.
- This is not a one-vendor problem. Per The Hacker News, Check Point Research found a similar pattern in Claude Code (CVE-2025-59536, CVE-2026-21852), and OX Security found one in Windsurf (CVE-2026-30615). The vulnerability class is the AI coding assistant ecosystem, not Amazon Q alone.
Why does this matter for North Carolina small businesses specifically?
Because the past 18 months have moved AI coding assistants from "experimental" to "default" in NC small-business engineering teams. Honda Aircraft suppliers prototyping with internal tools, Charlotte fintech startups, Greensboro insurance carriers, Piedmont Triad MSPs writing PowerShell with Copilot, custom-software shops building Next.js / Supabase apps - all are running one or more AI coding assistants today. The NC SMB victim profile maps cleanly:
- A High Point custom-software shop running Amazon Q in VS Code with developer laptops that hold root AWS credentials for a production tenant. One clone of a malicious "boilerplate" repository = full AWS takeover.
- A Charlotte fintech startup with a 6-person engineering team using Amazon Q to ship a Stripe-integrated SaaS. AWS keys with Stripe webhook routes, SQS queues, and S3 buckets are all in scope.
- A Greensboro insurance carrier IT team running Amazon Q alongside CodeWhisperer-style assistants on shared developer images. Cross-developer credential leakage is a one-clone away from happening.
- A Piedmont Triad MSP using Amazon Q to write customer-deliverable infrastructure-as-code. A leaked MSP-tier AWS key = lateral access to dozens of NC SMB customer tenants.
Per The Register, the attacker does not need to plant a sophisticated payload - the MCP spec lets the config name any executable, with any arguments, with any environment variables. Once the process is alive on the developer's box, a 30-line script can read ~/.aws/credentials, dump env, and POST the lot to an attacker endpoint. The clone-to-credential-theft window is measured in seconds.
Key takeaway: The AI coding assistant rollout that gave your developers 30% productivity gains also gave them 30% more attack surface. Treat the developer laptop as a privileged endpoint, not a workstation.
How should an NC small business respond in 14 days?
Run a seven-step sequence inside two weeks. The sequence is designed for an NC SMB with a 1-3 person IT team, not a Fortune 100 SOC.
- Inventory every AI coding assistant deployed (Day 0-1). Amazon Q, Claude Code, Cursor, Windsurf, GitHub Copilot, CodeWhisperer, Tabnine, JetBrains AI - all of them, including the ones a developer self-installed without IT knowing. This is your shadow AI inventory.
- Upgrade Amazon Q to AWS Language Servers 1.69.0 (Day 1-3). Per The Hacker News, the language server auto-updates unless the corporate network blocks it. Verify the install on every developer endpoint.
- Audit
.amazonq/mcp.jsoninside every cloned repo on every developer laptop (Day 2-4). A simple PowerShell or bash one-liner walks the dev workspace tree and lists every.amazonq/mcp.jsonfile. Any file not authored in-house is suspect. - Rotate every developer's cloud credentials (Day 3-7). AWS access keys, GCP service-account keys, Azure CLI sessions, GitHub personal access tokens, npm publish tokens, Stripe / Twilio / SendGrid API keys, internal API tokens. If a developer cloned anything in the last 60 days, assume the credentials touched the attack surface.
- Set IDE policy: disable MCP auto-load and require explicit consent per workspace (Day 5-7). Document the change in your AI tool usage policy. Subscribe the team to the AWS Trust Center advisory feed and the vendor advisories of every other AI assistant deployed.
- Enforce least-privilege IAM on every developer (Day 7-10). A developer's AWS user should not have AdministratorAccess. PowerUserAccess is not far behind. Use Permission Sets in IAM Identity Center, scope to a single account, and add MFA-bound STS for the production accounts.
- Run EDR with behavioral detections on developer endpoints (Day 7-14). A spawned MCP server that suddenly reads
~/.aws/credentialsand exfiltrates over HTTPS is the EDR-friendly signal. CrowdStrike, SentinelOne, and Defender for Endpoint all match this telemetry pattern out of the box.
| Control | Day-14 target | Why it matters |
|---|---|---|
| AI coding assistant inventory | 100% of dev endpoints | Closes the shadow-AI gap that hides the exposure |
| Amazon Q updated to 1.69.0 | All dev endpoints | Patches the auto-execute trust-boundary flaw |
.amazonq/mcp.json audit on cloned repos | All workspaces | Detects pre-existing planted configs |
| Cloud credentials rotated for all developers | 100% of dev cloud identities | Assumes-breach posture for the 60-day window |
| IAM least-privilege on developer identities | All cloud accounts | Limits blast radius of any future leak |
| EDR with credential-theft detections | All dev endpoints | Catches the "process reads creds, calls out" pattern |
Key takeaway: The patch is the easy 4 hours. The credential rotation, the IAM rebaseline, and the EDR coverage are the work that turns a one-line CVE into a permanent governance improvement.
How does Preferred Data Corporation help NC small businesses defend against AI-coding-tool credential theft?
PDC has run managed IT, managed cybersecurity, AI transformation, and custom software development for NC small businesses since 1987. For the June 2026 Amazon Q event, PDC brings three things to the table:
- AI dev-tool inventory and governance: A documented policy that names which assistants are approved, which auto-features are disabled, and which workspaces are off-limits for cloning untrusted code. Tied to a quarterly review cycle as the AI tool market keeps changing.
- Cloud credential rotation + least-privilege rebuild: AWS Identity Center / Azure AD / GCP Workspace baseline with permission-set-based least privilege, MFA-bound STS for production, and rotation of every long-lived access key touched by a developer.
- Developer endpoint EDR with credential-theft telemetry: CrowdStrike, SentinelOne, or Defender for Endpoint configured to alert on the "process spawned by IDE reads
~/.aws/credentialsand connects to an unknown host" pattern, plus an incident-response runbook for the first hit.
For NC custom-software shops, Piedmont Triad MSPs, Charlotte fintech startups, and Greensboro insurance/manufacturer IT teams running AI coding assistants today - this is the 14-day cycle that protects both the developer productivity gain and the cloud-account security posture.
Need help with AI coding assistant governance and a 14-day credential rotation? Call (336) 886-3282 or book an AI dev tool security review.
Frequently Asked Questions
What is CVE-2026-12957?
CVE-2026-12957 is a CVSS 8.5 improper trust boundary enforcement vulnerability in Amazon Q Developer that lets a cloned repository auto-execute arbitrary code on a developer's machine via a .amazonq/mcp.json Model Context Protocol configuration file. Per Cybersecurity News, the spawned MCP server processes inherit the developer's environment - AWS keys, cloud CLI tokens, API secrets, and SSH agent socket - and can be used to exfiltrate cloud credentials.
How do I fix Amazon Q Developer in my NC small business?
Upgrade the AWS Language Servers to version 1.69.0 (the fix landed at 1.65.0; AWS recommends 1.69.0). Per The Hacker News, the language server auto-updates unless the corporate network blocks the update channel. Verify on every developer endpoint via the IDE's About / version pane.
Are other AI coding assistants vulnerable to the same pattern?
Yes. Per The Hacker News, Check Point Research identified CVE-2025-59536 and CVE-2026-21852 in Claude Code, and OX Security identified CVE-2026-30615 in Windsurf - all rooted in the same auto-execution risk. NC SMBs running multiple AI coding assistants should audit each vendor's MCP and plugin auto-load behavior.
What is the worst-case scenario for an NC small business?
A developer with admin-tier AWS credentials clones a malicious repository. Amazon Q auto-loads the .amazonq/mcp.json and spawns an attacker-controlled MCP server. The MCP server reads ~/.aws/credentials, the SSH agent socket, and the developer's GitHub token. Within minutes, the attacker has full AWS account access, lateral access to GitHub, and the ability to push backdoored commits into the company's repositories. Recovery costs and customer notifications follow.
Does CMMC require notification if our defense-contract dev box leaked CUI-adjacent keys?
If the developer machine was inside the CMMC Level 2 boundary and held credentials to systems with CUI - yes, DFARS 252.204-7012 requires DoD CIO notification within 72 hours of discovery. Per the CMMC Phase 2 November 2026 deadline, NC defense subcontractors should treat developer endpoint compromise as a discovery event.
What is the safest IAM baseline for a developer using AI coding assistants?
Permission Sets in AWS IAM Identity Center, scoped to a single non-production account by default. Production access through MFA-bound STS assume-role for the duration of the task. No long-lived access keys on the developer laptop. Tokens for GitHub, npm, and CI use short-lived OIDC trust where possible. This baseline limits the blast radius of any AI-tool credential leak to a single, recoverable cloud account.
How does PDC test for this exposure?
PDC runs a 90-minute developer endpoint audit that inventories the AI coding tools installed, lists the cloud credential files on disk, evaluates the IDE's auto-load policy, and tests a benign MCP config in a sandbox to confirm whether auto-execution is enabled. The output is a written report with a 14-day remediation plan and an IAM baseline diagram.
Related Resources
- AI Transformation Services - Approved AI dev tooling for NC SMBs
- Managed Cybersecurity for NC Businesses - EDR + IAM baseline for developer endpoints
- Custom Software Development - Secure SDLC for NC SMBs
- Shadow AI Policy for NC Small Businesses
- Verizon DBIR 2026: 48% Third-Party Breaches
- Kaspersky 33K Fake AI Tools Hit SMBs
- Contact Preferred Data Corporation - AI dev tool security review for NC SMBs