Amazon Q Credential Exfiltration via Repository Poisoning: AI Assistant Supply Chain Risk
Amazon Q contained a flaw allowing attackers to steal AWS credentials by poisoning code repositories that the AI assistant indexes and processes. The vulnerability has been patched, but highlights risks in AI-assisted development workflows where models ingest untrusted code.
Affected
Amazon Q, AWS's generative AI-powered coding assistant, contained a flaw that permitted attackers to extract cloud credentials by crafting malicious code repositories. When developers indexed these poisoned repositories through Amazon Q, the assistant would process the repository contents and inadvertently expose credentials to the attacker's infrastructure. This represents a fundamental risk in AI-assisted development: these tools operate across trust boundaries and often lack robust secret detection or sandboxing mechanisms.
The attack surface stems from Amazon Q's design assumption that indexed code repositories are reasonably trustworthy. An attacker could craft a repository containing exfiltration payloads disguised as legitimate code patterns, configuration templates, or documentation. When the AI assistant processes this repository to provide contextual completions or answers, the credentials embedded in the developer's environment or loaded through the tool become accessible to the attacker. The flaw bypasses traditional secret scanning because the vulnerability exists in how the assistant processes and responds to queries, not in stored secrets themselves.
This vulnerability affects any developer using Amazon Q with access to external or third-party repositories, particularly in organisations with federated development workflows or open-source dependencies. Developers working on projects that integrate AWS credentials (whether through environment variables, configuration files, or IAM roles) faced credential exposure risk. The impact spans from individual developer accounts to organisational AWS environments if the developer possessed broad permissions.
Defenders should treat AI coding assistants as tools that require the same secret hygiene as web browsers or terminals. Repository access controls should be enforced, and developers should avoid exposing credentials in indexable contexts. AWS customers should verify they have applied patches and consider implementing environment isolation, credential rotation policies, and detection rules for unusual credential usage. Organisations should also audit which repositories their developers grant Amazon Q access to, particularly public or community-contributed code.
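As a sketch of the detection rule for unusual credential usage mentioned above, the following added example (not AWS's or the original page's code) flags an access key used from outside expected networks or from a source IP not seen during a baseline window. The CloudTrail-style records, the key ID, the account ID, the expected network and the baseline cut-off are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed CloudTrail-style records (not real data). IPs come from documentation
# ranges; the access key ID and account ID are placeholders.
KEY = "AKIAEXAMPLEKEY000001"
def _ev(time, name, src):
    return {"eventTime": time, "eventName": name, "sourceIPAddress": src,
            "userIdentity": {"accessKeyId": KEY,
                             "arn": "arn:aws:iam::111122223333:user/dev-example"}}

SAMPLE_EVENTS = [
    _ev("2024-01-01T09:00:00Z", "ListBuckets", "198.51.100.10"),          # baseline
    _ev("2024-01-03T10:00:00Z", "ListBuckets", "198.51.100.10"),          # known source
    _ev("2024-01-03T10:05:00Z", "GetCallerIdentity", "203.0.113.77"),     # unexpected network
    _ev("2024-01-03T11:00:00Z", "DescribeInstances", "198.51.100.23"),    # new IP, expected network
    _ev("2024-01-03T11:30:00Z", "Decrypt", "cloudformation.amazonaws.com"),  # AWS service caller
]

# Assumption: networks from which developer credentials are expected to be used.
EXPECTED_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]
BASELINE_END = "2024-01-02T00:00:00Z"  # same-format UTC timestamps sort as strings

def find_unusual_usage(events, expected_networks, baseline_end):
    """Flag key use from outside expected networks or from IPs unseen in the baseline."""
    seen = defaultdict(set)   # accessKeyId -> source IPs observed during the baseline
    findings = []
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        key = ev.get("userIdentity", {}).get("accessKeyId")
        try:
            ip = ipaddress.ip_address(ev.get("sourceIPAddress", ""))
        except ValueError:
            continue          # calls made by AWS services carry a hostname, not an IP
        if not key:
            continue
        if ev["eventTime"] <= baseline_end:
            seen[key].add(ip)
            continue
        reasons = []
        if not any(ip in net for net in expected_networks):
            reasons.append("outside-expected-network")
        if ip not in seen[key]:
            reasons.append("new-source-ip")
        if reasons:
            findings.append({"accessKeyId": key, "eventName": ev["eventName"],
                             "sourceIPAddress": str(ip), "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in find_unusual_usage(SAMPLE_EVENTS, EXPECTED_NETWORKS, BASELINE_END):
        print(f)
```

A finding carrying both reasons is the stronger signal; a new IP inside an expected network is usually a lower-priority review item.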
This incident illustrates a broader pattern: AI assistants amplify the impact of trust violations because they operate at scale and across multiple contexts simultaneously. A single poisoned repository can affect dozens of developers at once. As AI-assisted development becomes standard, security models must evolve to account for assistants as active agents in the development environment, not passive tools. Vendors should implement mandatory secret scanning for all indexed content, sandboxing for code execution, and clear indicators when assistant responses reference external or potentially untrusted sources.