A critical misconfiguration in AWS CodeBuild allowed unauthenticated attackers to seize control of key AWS-owned GitHub repositories, including the widely used AWS JavaScript SDK that powers the AWS Console itself.
This supply chain vulnerability threatened platform-wide compromise, potentially injecting malicious code into applications and the Console across numerous AWS environments.
Figure: AWS Console Supply Chain Attack
Security firm Wiz Research has found that CodeBreach originated from unanchored regular expression patterns in CodeBuild webhook filters for the ACTOR_ID parameter, which should restrict builds to trusted GitHub user IDs.
Without ^ and $ anchors, the filter matched any user ID containing an accepted substring, allowing a bypass via “eclipse” events, in which newer, longer GitHub IDs contain older maintainer IDs as a substring.
GitHub’s sequential ID assignment, which creates roughly 200,000 new IDs daily, made such overlaps frequent for the targeted 6-7 digit IDs in four AWS repos: aws/aws-sdk-js-v3, aws/aws-lc, corretto/amazon-corretto-crypto-provider, and awslabs/open-data-registry.
Attackers exploit this by mass-creating GitHub Apps via the manifest flow to race for eclipse IDs, then submitting pull requests that trigger privileged builds.
In a proof-of-concept against aws/aws-sdk-js-v3 (PR #7280), hidden payload code dumped memory to extract a GitHub Personal Access Token (PAT) belonging to the aws-sdk-js-automation account, despite prior mitigations from the 2025 Amazon Q incident.
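The substring-match failure described above, as an added illustration that is not code from the article or from AWS: the webhook filter is modelled as a regex search over the actor ID (an assumption matching the article's description of substring matching), and a behavioural check shows why an unanchored allowlist lets a longer, constructed "eclipse" ID through while the anchored form rejects it.

```python
import re

# Constructed sample data: a trusted maintainer's 7-digit GitHub user ID and a
# newer, longer ID that "eclipses" it by containing it as a substring.
TRUSTED_ACTOR_IDS = ["1234567"]
ECLIPSING_ACTOR_ID = "91234567"


def build_filter_pattern(actor_ids, anchored):
    """Build one alternation pattern from the trusted IDs, with or without ^...$."""
    alternation = "|".join(re.escape(i) for i in actor_ids)
    return f"^({alternation})$" if anchored else f"({alternation})"


def filter_allows(pattern, actor_id):
    """Model of the webhook filter decision (assumption: substring search,
    i.e. re.search semantics, which is what the article describes)."""
    return re.search(pattern, actor_id) is not None


def eclipse_resistant(pattern, actor_ids):
    """Behavioural audit check: every trusted ID must still be allowed, while
    a longer ID that merely contains it (one extra leading or trailing digit,
    constructed probes) must be rejected. Merely looking for ^ and $ in the
    string is not enough, because ^a|b$ anchors only one alternative each side."""
    return all(
        filter_allows(pattern, i)
        and not filter_allows(pattern, "9" + i)
        and not filter_allows(pattern, i + "9")
        for i in actor_ids
    )


if __name__ == "__main__":
    weak = build_filter_pattern(TRUSTED_ACTOR_IDS, anchored=False)
    fixed = build_filter_pattern(TRUSTED_ACTOR_IDS, anchored=True)
    for name, pat in (("unanchored", weak), ("anchored", fixed)):
        print(f"{name:10} {pat!r:16} eclipse ID allowed: "
              f"{filter_allows(pat, ECLIPSING_ACTOR_ID)}  "
              f"resistant: {eclipse_resistant(pat, TRUSTED_ACTOR_IDS)}")
```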
Figure: CodeBreach Exploit
The PAT granted the repo and admin:repo_hook scopes, enabling collaborator invitations for admin escalation and direct pushes to the main branch.
Compromising the JavaScript SDK risked infecting its weekly NPM releases, affecting 66% of scanned cloud environments and the AWS Console, which bundles recent SDK versions alongside user credentials, Wiz told CybersecurityNews.
The stolen PAT also controlled related private repos, amplifying supply chain risks comparable to Nx S1ngularity or the Amazon Q attack (AWS-2025-015). Wiz halted escalation after the PoC and responsibly disclosed the issue on August 25, 2025.
Affected Repositories                        Maintainer ID Example   Eclipse Frequency
aws/aws-sdk-js-v3                            Short 6-7 digits        Every ~5 days
aws/aws-lc                                   Short 6-7 digits        Every ~5 days
corretto/amazon-corretto-crypto-provider     Short 6-7 digits        Every ~5 days
awslabs/open-data-registry                   Short 6-7 digits        Every ~5 days
AWS fixed the regex flaw within 48 hours, revoked tokens, hardened memory protections, audited public builds, and confirmed via logs that there had been no exploitation.
No customer data was impacted. New features such as Pull Request Comment Approval and CodeBuild-hosted runners now block untrusted builds.
Users should anchor webhook regexes, use fine-grained PATs with minimal scopes, enable PR approval gates, and scan for vulnerable setups via Wiz queries.
AWS urged disabling auto-PR builds from untrusted sources. The attack flow diagram highlights the path from a malicious PR to Console risk.
This underscores that CI/CD pipelines are prime targets: complex, privilege-rich, and exposed to untrusted input. Public disclosure followed on January 15, 2026.