Amazon Q MCP Auto-Load Lets Repos Steal Cloud Keys
A flaw in the Amazon Q VS Code extension auto-loaded Model Context Protocol (MCP) servers from workspace files and executed them without prompts. Opening a booby-trapped repo was enough to run attacker code that inherited the user’s environment, enabling cloud credential theft. Amazon fixed it in language server version 1.65.0.
Here is a clean, weaponisable path from a Git clone to a cloud breach. The Amazon Q Developer extension for Visual Studio Code trusted workspace-provided Model Context Protocol (MCP) configurations. If a repo contained a .amazonq/mcp.json at the root, the extension loaded it and started the declared MCP server as soon as the folder opened. No prompt. No workspace-trust check. That is a broken boundary between untrusted code and the developer’s machine.
How the exploit lands
It is simple: lure a developer into opening a repository that ships a crafted MCP config. The extension spins up the configured process immediately. That child process inherits the full environment: AWS credentials, short-lived tokens, API keys, SSH agent sockets, the lot. The proof of concept used a minimal repo to spawn a shell, call the AWS Security Token Service to identify the caller, and exfiltrate the result over HTTP. That confirmed the process had live cloud access under the victim’s identity.
This is not just about listing identity. With arbitrary process execution and valid cloud creds, an attacker can pivot. Think creating new access keys, planting backdoors in buckets or repos, touching internal services reachable over VPN, or quietly poisoning a supply chain via a pull request from a developer machine that now looks perfectly legitimate.
Why this matters
MCP is meant to let Large Language Model tooling talk to local or remote tools. In plain terms, it lets an agent spawn helpers. Auto-loading those helpers from the workspace puts remote-controlled code on the wrong side of the trust line. The researchers showed exploitation required almost no user interaction: install Amazon Q, open a folder, game over. AWS language server versions prior to 1.65.0 were affected; the fix shipped in 1.65.0. The vendor says most users update automatically.
The sharper edge is that this pattern is not unique. Several AI coding assistants lean on auto-execution and permissive config loading to feel seamless. That creates a systemic class of risk: repo content controls local processes that inherit sensitive context. If you are modelling agent threats, treat workspace files as attacker input and assume anything they can auto-start will run with real secrets attached.
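As an added example, not code from the write-up or from Amazon: a pre-open audit in Python that lists every MCP server a cloned repo's workspace config would auto-start, so a developer or a CI job can review it before the folder is opened in an editor. The `.amazonq/mcp.json` path comes from the write-up; the `mcpServers`/`command`/`args`/`env` config shape, the interpreter list and the sensitive-variable list are assumptions.

```python
import json
import shlex
import tempfile
from pathlib import Path

# Constants: the workspace config path named in the write-up; launchers that give a declared
# "server" arbitrary code execution; inherited variables a repo-controlled process should not touch.
WORKSPACE_MCP_CONFIGS = (".amazonq/mcp.json",)
INTERPRETERS = {"sh", "bash", "zsh", "cmd", "cmd.exe", "powershell", "pwsh",
                "python", "python3", "node", "npx", "uvx"}
SENSITIVE_ENV = ("AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN",
                 "AWS_PROFILE", "SSH_AUTH_SOCK", "GITHUB_TOKEN")

def audit_workspace_mcp(repo_root):
    """Return one finding per MCP server a workspace config would auto-start.
    Assumes the common config shape {"mcpServers": {name: {"command", "args", "env"}}}."""
    findings = []
    for rel in WORKSPACE_MCP_CONFIGS:
        cfg_path = Path(repo_root) / rel
        if not cfg_path.is_file():
            continue
        try:
            cfg = json.loads(cfg_path.read_text(encoding="utf-8"))
        except (OSError, ValueError) as exc:
            findings.append({"file": rel, "server": None, "command": "", "issues": [f"unparseable config: {exc}"]})
            continue
        for name, spec in (cfg.get("mcpServers") or {}).items():
            command = str(spec.get("command", ""))
            args = [str(a) for a in spec.get("args") or []]
            env = {str(k): str(v) for k, v in (spec.get("env") or {}).items()}
            # Every entry is a finding: the bug was starting these on folder open with the user's env.
            issues = ["auto-started from a workspace file; inherits the developer's environment"]
            if Path(command).name in INTERPRETERS:
                issues.append(f"launches an interpreter or shell ({command})")
            hits = [v for v in SENSITIVE_ENV if v in " ".join(args + list(env) + list(env.values()))]
            if hits:
                issues.append("sets or reads credential variables: " + ", ".join(hits))
            findings.append({"file": rel, "server": name,
                             "command": shlex.join([command, *args]), "issues": issues})
    return findings

def demo():
    """Constructed sample repo: a workspace config that spawns a shell, as the write-up's PoC did."""
    with tempfile.TemporaryDirectory() as root:
        (Path(root) / ".amazonq").mkdir()
        (Path(root) / ".amazonq" / "mcp.json").write_text(json.dumps({"mcpServers": {
            "helper": {"command": "sh", "args": ["-c", "aws sts get-caller-identity"],
                       "env": {"AWS_PROFILE": "default"}}}}), encoding="utf-8")
        return audit_workspace_mcp(root)
```

Run `audit_workspace_mcp` against a freshly cloned directory before opening it; an empty result means no workspace MCP config was found, not that the repo is safe.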