AWS CodeBuild Misconfiguration Exposed GitHub Repos to Potential Supply Chain Attacks
A critical misconfiguration in Amazon Web Services (AWS) CodeBuild could have allowed complete takeover of the cloud service provider's own GitHub repositories, including its AWS JavaScript SDK, putting every AWS environment at risk.
"By exploiting CodeBreach, attackers could have injected malicious code to launch a platform-wide compromise, potentially affecting not just the countless applications depending on the SDK, but the Console itself, threatening every AWS account," researchers Yuval Avrahami and Nir Ohfeld said in a report shared with The Hacker News.
Put differently, the issue undermines webhook filters introduced by AWS to ensure that only certain events trigger a CI build. For example, AWS CodeBuild can be configured such that a build is triggered only when code changes are committed to a specific branch or when a GitHub or GitHub Enterprise Server account ID (aka ACTOR_ID or actor ID) matches the regular expression pattern. These filters serve to secure against untrusted pull requests.
A CodeBuild misconfiguration codenamed CodeBreach allowed unauthenticated attackers to potentially take over AWS-managed GitHub repositories, including the AWS JavaScript SDK, threatening all AWS environments. The vulnerability originated in CI pipeline webhook filtering that used ACTOR_ID regular expressions without proper start (^) and end ($) anchors, enabling attackers to trigger builds, access the build environment, and leak privileged credentials such as GitHub admin tokens. Compromised credentials could be used to push malicious changes to repositories and enable wide-ranging supply-chain attacks affecting numerous applications and the AWS Console. Four AWS-managed repositories were impacted and AWS fixed the issue in September 2025 after responsible disclosure on August 25, 2025.
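The root cause described above, an actor-ID filter written as a regular expression without ^ and $ anchors, is easy to reproduce and to audit for. The following Python block is an added example, not code from the article, the researchers, or AWS; it emulates the filter check with ordinary regex semantics (an unanchored pattern matches anywhere in the string, which is the behaviour the report describes) and uses a constructed, made-up account ID. It shows the weak pattern beside its anchored form and provides a behavioural audit helper that flags any pattern which still matches an ID that merely contains the trusted ID as a substring, which also catches anchoring mistakes such as an unparenthesised alternation.

```python
import re

# Constructed sample value: the numeric GitHub account ID of a trusted
# maintainer. This is made up for the example, not any real account.
TRUSTED_ACTOR_ID = "12345"

# Weak filter: the bare ID with no start/end anchors.
WEAK_PATTERN = TRUSTED_ACTOR_ID
# Hardened filter: anchored so that only the exact ID matches.
STRICT_PATTERN = f"^{TRUSTED_ACTOR_ID}$"


def build_allowed(pattern: str, actor_id: str) -> bool:
    """Emulate a webhook actor-ID filter: the build is triggered when the
    configured regex matches the actor ID. Regex filters generally use
    search semantics, so an unanchored pattern matches any substring."""
    return re.search(pattern, actor_id) is not None


def is_anchored(pattern: str) -> bool:
    """Quick lint: does the pattern start with ^ and end with an
    unescaped $?  Cheap, but it cannot see alternation mistakes."""
    return (
        pattern.startswith("^")
        and pattern.endswith("$")
        and not pattern.endswith("\\$")
    )


def pattern_is_loose(pattern: str, intended_id: str) -> bool:
    """Behavioural audit: a correct exact-match filter must reject IDs
    that merely contain the intended ID with a digit prepended or
    appended. Testing both sides catches patterns such as
    '^12345|67890$', which look anchored but are not."""
    for probe in ("9" + intended_id, intended_id + "9"):
        if re.search(pattern, probe):
            return True
    return False


def audit_filter_patterns(patterns, intended_ids):
    """Return (pattern, intended_id) pairs that would let an untrusted
    account through; intended_ids are the IDs each pattern should admit."""
    findings = []
    for pattern, intended in zip(patterns, intended_ids):
        if pattern_is_loose(pattern, intended):
            findings.append((pattern, intended))
    return findings


if __name__ == "__main__":
    for actor in ("12345", "912345", "123456"):
        print(f"actor {actor}: weak={build_allowed(WEAK_PATTERN, actor)} "
              f"strict={build_allowed(STRICT_PATTERN, actor)}")
    print(audit_filter_patterns(
        [WEAK_PATTERN, STRICT_PATTERN, "^12345|67890$", "^(12345|67890)$"],
        ["12345", "12345", "12345", "12345"],
    ))
```

The behavioural check is the one worth wiring into a pipeline review: it evaluates each filter pattern the same way the webhook would and does not depend on the pattern's spelling, so it will also flag a pattern that was anchored but later edited into an alternation. In the CodeBuild API the corresponding webhook filter type is named ACTOR_ACCOUNT_ID; the same anchoring rule applies to any other regex-based filter such as branch or path filters.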
Read at The Hacker News