A high-severity flaw in Amazon's AI coding assistant for Visual Studio Code, tracked as CVE-2026-12957 and assigned a CVSS 4.0 score of 8.5, allowed an attacker to execute code on a developer's machine and potentially access their cloud environment by opening a malicious Git repository. The bug centered on how Amazon Q handled Model Context Protocol (MCP) server configurations; Wiz found the extension would automatically load a repository's .amazonq/mcp.json file and execute its commands when a developer opened the project and activated Amazon Q, without any prompt, consent, or workspace trust check. Those processes inherited the developer's environment, granting access to AWS credentials, API keys, authentication tokens, SSH agent sockets, and other secrets. Wiz built a repository with a malicious MCP configuration to prove the attack worked. Amazon fixed the bug in version 1.65.0 of its language server, which powers Amazon Q's IDE integrations, and existing installations should receive the patched component automatically unless automatic updates are blocked. Wiz argues the bug is an industry problem, noting similar workspace configuration flaws have recently surfaced in other AI coding tools.