A critical misconfiguration in AWS CodeBuild has allowed attackers to seize control of core AWS GitHub repositories, including the JavaScript SDK that underpins the AWS Console.
The issue, dubbed CodeBreach by Wiz Research, exposed a weakness in the continuous integration pipelines used by AWS-managed open-source projects. By exploiting the flaw, an unauthenticated attacker could have injected malicious code into trusted repositories, creating a pathway to compromise the AWS Console and potentially every AWS account that relies on it.
The vulnerability stemmed from how CodeBuild handled pull request triggers. A minor error in a security filter, missing just two characters, allowed untrusted pull requests to run privileged builds. From there, attackers could access GitHub credentials stored in build memory and escalate their access to full repository control.
Wiz said the most sensitive target was the AWS SDK for JavaScript, a widely used library that powers both customer applications and the AWS Console itself. The firm estimates that 66% of cloud environments include the SDK, amplifying the potential impact of a supply chain attack.
Read more on supply chain security: CISA Flags Actively Exploited Gogs Vulnerability With No Patch
How a Small Regex Error Led to Big Risk
The exposed repositories relied on an ACTOR_ID filter to restrict which GitHub users could trigger builds. However, Wiz found that the filter was implemented as an unanchored regular expression. This meant that GitHub user IDs containing an approved ID as a substring could bypass the restriction.
Because GitHub assigns numeric user IDs sequentially, Wiz researchers were able to predict when new IDs would “eclipse” trusted maintainer IDs. Using automated GitHub App creation, they captured IDs capable of bypassing the filter and triggering builds.
Wiz successfully demonstrated a takeover of the aws/aws-sdk-js-v3 repository, gaining admin-level access through stolen credentials.
The same weakness existed in at least three other AWS repositories, including one linked to a personal AWS employee account.
AWS Response and Mitigations
Wiz disclosed the findings on August 25, and AWS addressed the issue within 48 hours. The company anchored the affected regex filters, revoked exposed credentials and added protections to prevent memory-based credential theft.
AWS also introduced a new Pull Request Comment Approval build gate to block untrusted builds by default.
In a statement, the company said, “AWS determined there was no impact on the confidentiality or integrity of any customer environment,” adding that no evidence of malicious exploitation was found.
Wiz recommended CodeBuild users take several defensive steps:
-
Block untrusted pull requests from triggering privileged builds
-
Use fine-grained GitHub tokens with minimal permissions
-
Anchor webhook filter regex patterns
The research highlights a growing trend of CI/CD systems being targeted for supply chain attacks, following incidents such as Nx S1ngularity and the Amazon Q VS Code extension compromise.
Image credit: Samuel Boivin / Michael Vi / Shutterstock.com
