A single config file in a cloned repository could steal your AWS credentials through Amazon Q Developer

A high-severity flaw in Amazon Q Developer allowed a malicious code repository to silently execute commands on a developer’s machine and steal their AWS credentials. Wiz Research discovered the vulnerability, tracked as CVE-2026-12957, and reported it to Amazon on April 20. Amazon patched the issue on May 12, and the disclosure went public today. The […] This story continues at The Next Web