VulnerabilitiesJun 29, 2026
Amazon Q VS Extension Flaw Leads to Cloud Credential Theft
Amazon Q VS Extension flaw allows arbitrary code execution and cloud credential theft via malicious repositories.
Summary
A vulnerability in the Amazon Q Visual Studio extension permits attackers to execute arbitrary code and steal cloud credentials by planting malicious repositories. This flaw demonstrates escalating risks associated with Model Context Protocol (MCP) integrations in development environments. The vulnerability highlights how AI-powered coding assistants can become attack vectors when insufficient input validation and sandboxing controls are in place.
Indicators of Compromise
- malware — Amazon Q VS Extension
Entities
Amazon (vendor)Amazon Q (product)Visual Studio Extension (product)Model Context Protocol (MCP) (technology)