Overview
A vulnerability in Amazon Q’s Visual Studio Code extension has been disclosed, enabling attackers to plant malicious repositories capable of executing arbitrary code and stealing cloud credentials. The flaw is notable not only for its immediate impact but for what it signals about the expanding attack surface introduced by Model Context Protocol (MCP) integrations in AI-powered developer tooling. As AI coding assistants become deeply embedded in developer workflows — with elevated access to local environments, cloud credentials, and external services — they increasingly represent high-value targets.
Technical Analysis
The vulnerability appears to exploit the trust model underpinning MCP, the protocol that allows AI assistants like Amazon Q to interact with external tools, services, and repositories in an agentic fashion. An adversary can craft or compromise a repository that, when processed by the Amazon Q extension, triggers execution of malicious code within the developer’s local environment. This code can then harvest AWS credentials — typically stored in environment variables, configuration files, or credential stores accessible to the IDE process — and exfiltrate them to attacker-controlled infrastructure.
The attack chain is broadly:
- Lure — Victim developer opens or clones a malicious repository, or is directed to interact with attacker-controlled content via the extension.
- Execute — Malicious payload is triggered through the MCP integration layer, bypassing expected sandboxing or input validation.
- Exfiltrate — Cloud credentials (e.g., AWS access keys, session tokens) are harvested and sent externally.
This follows a pattern increasingly observed in MCP-enabled tooling where the protocol’s design grants broad ambient authority to AI agents without sufficiently granular permission controls.
Framework Mapping
- AML.T0010 (ML Supply Chain Compromise): The attack weaponises the trust developers place in repositories and AI-assisted tooling integrations.
- AML.T0047 (ML-Enabled Product or Service): Amazon Q is the ML-enabled service through which the attack is conducted.
- AML.T0057 (LLM Data Leakage): Cloud credentials accessible to the extension are leaked through the exploit.
- LLM05 (Supply Chain Vulnerabilities): The extension and its MCP integrations constitute a supply chain risk.
- LLM07 (Insecure Plugin Design): The MCP layer lacks adequate input validation and permission scoping.
- LLM08 (Excessive Agency): Amazon Q’s broad access to the developer environment enables the credential theft to succeed.
Impact Assessment
Developers using Amazon Q within VS Code — particularly those with active AWS credentials configured in their environments — are most directly exposed. In cloud-native organisations, compromised AWS credentials can grant attackers lateral movement into production infrastructure, data stores, and CI/CD pipelines. The risk is amplified in enterprise settings where developer machines are federated with high-privilege IAM roles.
The broader implication is that MCP, now widely adopted across AI tooling vendors, may carry systemic design-level risks that individual patches cannot fully remediate.
Mitigation & Recommendations
- Update immediately: Apply the latest version of the Amazon Q VS Code extension and monitor AWS security advisories for patch details.
- Rotate credentials: Treat any AWS credentials accessible from affected environments as potentially compromised; rotate and audit access logs.
- Restrict MCP scope: Limit which repositories and external resources the extension is permitted to interact with.
- Apply least privilege: Ensure developer IAM roles follow least-privilege principles to limit blast radius if credentials are stolen.
- Monitor for anomalous API calls: Use AWS CloudTrail to detect unusual credential usage patterns indicative of exfiltration.
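The CloudTrail recommendation above, as an added example that is not part of the original advisory: a baseline of source IPs per access key is built from a known-good window, and later events are flagged when a key is used from a new IP or a key with no baseline appears, with extra weight when the call is a typical first-use reconnaissance call. The field names (eventName, sourceIPAddress, userIdentity.accessKeyId) are standard CloudTrail fields; the records themselves are constructed sample data, and the reconnaissance-call list is an assumption to tune per environment.

```python
from collections import defaultdict

# Constructed CloudTrail-style records (field subset; not real telemetry).
# A developer key normally used from 203.0.113.10 later appears from an
# unfamiliar address, starting with a reconnaissance call.
BASELINE = [
    {"eventName": "ListBuckets", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLEDEVKEY001"}},
    {"eventName": "GetObject", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLEDEVKEY001"}},
]
RECENT = [
    {"eventName": "GetCallerIdentity", "sourceIPAddress": "198.51.100.77",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLEDEVKEY001"}},
    {"eventName": "ListBuckets", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLEDEVKEY001"}},
    {"eventName": "ListUsers", "sourceIPAddress": "198.51.100.77",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLENEWKEY002"}},
]

# Assumed list of calls commonly made first to learn what a key can do.
RECON_CALLS = {"GetCallerIdentity", "ListBuckets", "ListUsers", "ListRoles"}

def key_of(event):
    return event.get("userIdentity", {}).get("accessKeyId")

def build_baseline(events):
    """Map each access key to the set of source IPs it was used from."""
    seen = defaultdict(set)
    for e in events:
        if key_of(e):
            seen[key_of(e)].add(e.get("sourceIPAddress"))
    return seen

def find_anomalies(baseline, events):
    """Return (key, eventName, ip, reason) for uses outside the baseline."""
    findings = []
    for e in events:
        key, ip, name = key_of(e), e.get("sourceIPAddress"), e.get("eventName")
        if not key:
            continue
        if key not in baseline:
            reason = "key never seen in baseline"
        elif ip not in baseline[key]:
            reason = "new source IP"
        else:
            continue  # known key from a known IP: not interesting here
        if name in RECON_CALLS:
            reason += ", recon call"
        findings.append((key, name, ip, reason))
    return findings

if __name__ == "__main__":
    for f in find_anomalies(build_baseline(BASELINE), RECENT):
        print(f)
```

In practice the two windows would be read from CloudTrail Lake or S3-delivered logs rather than inline lists, and a hit on a developer key should trigger the rotation step above.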