[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"branding":3,"analytics":7,"article-amazon-q-developer-flaw-let-cloned-repos-steal-aws-credentials":10,"sections":40},{"siteName":4,"siteTagline":5,"publisherName":4,"contactEmail":6},"The Revision","Tech news, decoded.","editor@therevision.news",{"gaMeasurementId":8,"adsenseClientId":9},"G-ZW2MV82GYR","ca-pub-8533917693782264",{"article":11},{"id":12,"slug":13,"title":14,"dek":15,"body_md":16,"tags_json":17,"published_at":18,"created_at":19,"updated_at":20,"status":21,"review_note":22,"review_notes":23,"image_url":22,"persona_id":22,"persona_name":22,"section":30,"tags":31,"sources":35,"feedback":39,"feedback_at":22,"cost_usd":39,"total_tokens":39},2294,"amazon-q-developer-flaw-let-cloned-repos-steal-aws-credentials","Amazon Q Developer flaw let cloned repos steal AWS credentials","A patched high-severity bug in Amazon Q Developer allowed a malicious repository's config file to silently run commands and exfiltrate AWS credentials.","A single config file in a cloned repository was enough to compromise a developer's AWS account through Amazon Q Developer.\n\nWiz Research discovered the vulnerability, now tracked as CVE-2026-12957, and reported it to Amazon on April 20. Amazon patched the issue on May 12, nearly three weeks later, and the public disclosure landed today. The flaw was rated high severity: a malicious repository could silently execute commands on a developer's machine and walk away with their AWS credentials — no additional interaction required beyond cloning the repo.\n\nThe stakes here are unusually high because AWS credentials are keys to the kingdom. A stolen access key can spin up infrastructure, exfiltrate data, or rack up charges before anyone notices. The attack surface — a developer cloning what looks like a legitimate repository — is routine enough that it is easy to miss.\n\nAI coding assistants that integrate tightly with cloud infrastructure are an attractive target precisely because developers trust them to run things on their behalf. Amazon Q Developer is not alone in that exposure; any tool that reads project configuration files and acts on them faces a similar category of risk. The fix is in, but the broader pattern of config-file-as-attack-surface is not going away.","[\"security\",\"aws\",\"developer-tools\",\"vulnerability\"]","2026-06-26T16:49:29.000Z","2026-06-26T17:42:38.436Z","2026-06-27T15:37:44.378Z","published",null,[24],{"id":25,"reviewer":26,"round":27,"reason":28,"status":29},"editor-r1","editor",1,"The article references an 'MCP-layer attack vector' as the technical mechanism, but neither the source material nor the article body explains or supports this claim — remove or source it, as it is an unsupported substantive technical assertion.","resolved","security",[30,32,33,34],"aws","developer-tools","vulnerability",[36],{"name":37,"url":38},"The Next Web","https:\u002F\u002Fthenextweb.com\u002Fnews\u002Famazon-q-developer-mcp-flaw-aws-credentials-stolen",0,{"sections":41},[42,47,51,56,61,66,71,76,81,86,91,95,100,105],{"name":43,"slug":44,"count":45,"latest_published_at":46},"AI","ai",2590,"2026-07-16T04:00:00.000Z",{"name":48,"slug":30,"count":49,"latest_published_at":50},"Security",294,"2026-07-15T19:59:48.000Z",{"name":52,"slug":53,"count":54,"latest_published_at":55},"Deals","deals",179,"2026-06-29T20:02:07.000Z",{"name":57,"slug":58,"count":59,"latest_published_at":60},"Policy","policy",158,"2026-07-16T00:02:48.000Z",{"name":62,"slug":63,"count":64,"latest_published_at":65},"Hardware","hardware",122,"2026-07-14T19:46:26.000Z",{"name":67,"slug":68,"count":69,"latest_published_at":70},"Consumer Tech","consumer-tech",93,"2026-07-13T13:20:48.000Z",{"name":72,"slug":73,"count":74,"latest_published_at":75},"Software","software",70,"2026-07-13T19:52:25.000Z",{"name":77,"slug":78,"count":79,"latest_published_at":80},"Science","science",66,"2026-07-10T10:29:37.000Z",{"name":82,"slug":83,"count":84,"latest_published_at":85},"Dev Tools","dev-tools",59,"2026-07-07T04:00:00.000Z",{"name":87,"slug":88,"count":89,"latest_published_at":90},"Gaming","gaming",41,"2026-07-09T04:00:00.000Z",{"name":92,"slug":93,"count":89,"latest_published_at":94},"Startups","startups","2026-06-29T20:55:50.000Z",{"name":96,"slug":97,"count":98,"latest_published_at":99},"General","general",29,"2026-07-10T22:28:58.000Z",{"name":101,"slug":102,"count":103,"latest_published_at":104},"Reviews","reviews",20,"2026-06-24T12:00:01.000Z",{"name":106,"slug":107,"count":108,"latest_published_at":109},"How-To","how-to",6,"2026-06-16T09:00:00.000Z"]