Wiz Research found CVE-2026-12957, Amazon patched May 12, and today’s disclosure shows how fast supply-chain access becomes account takeovers.

A Wiz-discovered Amazon Q flaw (CVE-2026-12957) let malicious Git repos run code and steal cloud credentials via MCP configs.