Amazon Q flaw let booby-trapped Git repos execute code, swipe cloud creds