A high-severity flaw in Amazon Q Developer let a malicious repository run commands and steal a developer's cloud credentials. The path was short: a developer opens the repo, trusts the workspace, and Amazon Q does the rest. Amazon has patched it.
Amazon Q Developer Flaw Could Let Malicious Repos Run Code via MCP Configs
Summary + source link. No paywalls, no tracking.