Researchers at Wiz identified a high-severity vulnerability in the Amazon Q Developer extension for Visual Studio Code that could enable attackers to steal cloud credentials through malicious code repositories. The vulnerability allows unauthorized commands to run automatically when a compromised repository is opened in the IDE, putting cloud sessions and credentials at risk. AWS released a patch for the issue (CVE-2026-12957) on May 12, after being notified on April 20.
The fix is available for several IDEs, including VS Code and JetBrains. Wiz noted that similar vulnerabilities exist in other AI coding tools, pointing to a broader security concern with this class of software.