A critical misconfiguration in AWS CodeBuild enabled unauthenticated attackers to seize control of key AWS-owned GitHub repositories, including the widely used AWS JavaScript SDK powering the AWS Console itself.<\/p>\n
This supply chain<\/a> vulnerability threatened platform-wide compromise, potentially injecting malicious code into applications and the Console across countless AWS environments.<\/p>\n Security firm Wiz Research has exposed that CodeBreach originated from unanchored regular expression patterns in CodeBuild webhook filters for the ACTOR_ID parameter, which should restrict builds to trusted GitHub user IDs.<\/p>\n Without ^ and $ anchors, the filter matched any user ID containing an approved substring, allowing bypass via \u201ceclipse\u201d events where new, longer GitHub IDs incorporate older maintainer IDs.<\/p>\n GitHub\u2019s sequential ID assignment, creating about 200,000 daily, made such overlaps frequent for the targeted 6-7 digit IDs in four AWS repos: aws\/aws-sdk-js-v3, aws\/aws-lc, corretto\/amazon-corretto-crypto-provider, and awslabs\/open-data-registry.<\/p>\n Attackers exploit this by mass-creating GitHub Apps via the manifest flow to race for eclipse IDs, then submitting pull requests that trigger privileged builds.<\/p>\n In a proof-of-concept against aws\/aws-sdk-js-v3 (PR #7280), hidden payload code dumped memory to extract a GitHub Personal Access Token (PAT) from the aws-sdk-js-automation account, despite prior mitigations from the 2025 Amazon Q incident.<\/p>\n The PAT granted repo and admin:repo_hook scopes, enabling collaborator invites for admin escalation and direct main branch pushes.<\/p>\n Compromising the JavaScript SDK risked infecting its weekly NPM releases, affecting 66% of scanned cloud environments and the AWS Console, which bundles recent SDK versions with user credentials, Wiz said to<\/a> CybersecurityNews.<\/p>\n The stolen PAT also controlled related private repos, amplifying supply chain risks akin to Nx S1ngularity or the Amazon Q attack (AWS-2025-015). Wiz halted escalation post-PoC, responsibly disclosing on August 25, 2025.<\/p>\nAWS Console Supply Chain Attack<\/strong><\/h2>\n
![\"AWS](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiM4pkVWtptjkvcrexoc0Hr6Vb81Xct_qskhE-Wcbiwe0z11-2vHvl2u8AjoKtjDdjsO4cL6IIKAltHy8KXS7k_2Lw75LJ6iaSIgpHSp59FEa_dCKuAW15AjfJABItPK34uCIkA0TcnnIIGMxyDxh9_TW-sZQgZrqSqgoDXCqHruAc83aWlLk8a1cTzWEBx\/s16000\/AWS%2520Console%2520Supply%2520Chain%2520Attack.webp?ssl=1\")
![\"AWS](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEh_Lh9JIk-D9If_lH-CrRJmpVm2Q8uhyphenhyphenagB73TogHO9v9ArZ5QC3zW3OYnZi_mXPnFUZXqCncMZxnj8m0OlaoDkg6BD1vVotPK21rS-i3o5XaHEKio3rG9T7trraDVQjvnphFCmZrjr6jnUHs_WC_doMl5Mtyjj7BWSh9Wt2Z_SVIxF3cRdNi3vg5TBnXTn\/w640-h288\/AWS%2520Console%2520Supply%2520Chain%2520Attack1.gif?ssl=1\")