The Intake — Sunday, June 28, 2026

If you've been treating your MCP server configs as something you set up once and then trust, this advisory names the gap in that assumption. Amazon Q Developer is Amazon's AI coding assistant for VS Code, JetBrains, Eclipse, and Visual Studio. It automatically loaded MCP server configuration files from any opened workspace and launched the servers they defined. It did this without asking.

The specific consequence: opening a repository that contained a malicious .amazonq/mcp.json file caused Amazon Q to spawn local processes inheriting your full environment. That includes AWS credentials, cloud CLI tokens, API secrets, and SSH agent sockets. No additional interaction beyond activating the extension was required. Wiz Research researcher Maor Dokhanian found and reported the flaw, tracked as CVE-2026-12957 with a CVSS score of 8.5.

Amazon shipped a patch on June 26 in Language Servers for AWS version 1.65.0. They recommend moving to 1.69.0, which also closes a co-disclosed symlink path issue. The patched build flags untrusted MCP servers and requires you to approve them before they run. The language server auto-updates unless your network configuration blocks it.

The exposure this names is broader than Amazon Q. Any tool that auto-loads MCP server configs — from a workspace, a cloned repo, a shared project folder — without asking whether to trust them is in this shape. If you're using other AI coding tools that load MCP configs from sources you didn't personally write and vet, it's worth understanding whether they have an equivalent consent step.

---

If you review open-source dependencies before installing them but haven't extended that practice to repos you open in your IDE, this campaign describes why those two surfaces are now the same surface.

Socket Research documented the expansion of a supply chain campaign — tracked variously as Mini Shai-Hulud, Miasma, and Hades — that has operated primarily through npm packages. On June 24–25, 2026, it moved into two new vectors simultaneously. Twenty-three LeoPlatform and RStreams npm packages were poisoned through a compromised maintainer account, via a token exposed in a six-second window. A Go module — the Verana Blockchain project at version v0.10.1-dev.20 — was also compromised. A third attacker force-pushed to the codfish/semantic-release-action GitHub Action, redirecting version tags to malicious commits. Any downstream workflow pinned to those tags then ran attacker-controlled code inside GitHub Actions runners.

The npm payloads use a binding.gyp install-time execution trigger — the hook doesn't appear in package.json, so standard review of lifecycle scripts misses it. They stage a Bun-runtime-based payload. It harvests npm tokens, GitHub tokens, cloud credentials across AWS, Azure, and GCP, SSH keys, and IDE and AI coding assistant configuration files. The GitHub Actions compromise targets OIDC tokens and Personal Access Tokens from runner environments.

The Go module compromise introduces the vector that matters most for anyone building with agents locally. Instead of triggering at package install, it uses a VS Code folder-open task — a payload that executes when you open the repository in your IDE. No install command, no lifecycle hook, no explicit action beyond opening a project folder. That is the campaign's first confirmed move beyond package-manager install hooks into source-repository execution. If you open Go modules or unfamiliar repositories directly in VS Code or another AI coding environment, the entry point is now the act of opening, not installing.

---