Wiz Research has exposed that CodeBreach originated from unanchored regular expression patterns in CodeBuild webhook filters for the ACTOR_ID parameter, which should restrict builds to trusted GitHub user IDs.
Without ^ and $ anchors, the filter matched any user ID containing an approved substring, allowing bypass via “eclipse” events where new, longer GitHub IDs incorporate older maintainer IDs.
This supply chain vulnerability threatened platform-wide compromise, potentially injecting malicious code into applications and the Console across countless AWS environments.
GitHub’s sequential ID assignment, creating about 200,000 daily, made such overlaps frequent for the targeted 6-7 digit IDs in four AWS repos: aws/aws-sdk-js-v3, aws/aws-lc, corretto/amazon-corretto-crypto-provider, and awslabs/open-data-registry.
Attackers exploit this by mass-creating GitHub Apps via the manifest flow to race for eclipse IDs, then submitting pull requests that trigger privileged builds.
In a proof-of-concept against aws/aws-sdk-js-v3 (PR #7280), hidden payload code dumped memory to extract a GitHub Personal Access Token (PAT) from the aws-sdk-js-automation account, despite prior mitigations from the 2025 Amazon Q incident.
The PAT granted repo and admin:repo_hook scopes, enabling collaborator invites for admin escalation and direct main branch pushes.
Compromising the JavaScript SDK risked infecting its weekly NPM releases, affecting 66% of scanned cloud environments and the AWS Console, which bundles recent SDK versions with user credentials, Wiz said to CybersecurityNews.
The stolen PAT also controlled related private repos, amplifying supply chain risks akin to Nx S1ngularity or the Amazon Q attack (AWS-2025-015). Wiz halted escalation post-PoC, responsibly disclosing on August 25, 2025.
| Affected Repositories | Maintainer ID Example | Eclipse Frequency |
|---|---|---|
| aws/aws-sdk-js-v3 | Short 6-7 digits | Every ~5 days |
| aws/aws-lc | Short 6-7 digits | Every ~5 days |
| corretto/amazon-corretto-crypto-provider | Short 6-7 digits | Every ~5 days |
| awslabs/open-data-registry | Short 6-7 digits | Every ~5 days |
AWS fixed the regex flaw within 48 hours, revoked tokens, hardened memory protections, audited public builds, and confirmed no exploitation via logs.
No customer data was impacted. New features like Pull Request Comment Approval and CodeBuild-hosted runners now block untrusted builds.
Users should anchor webhook regexes, use fine-grained PATs with minimal scopes, enable PR approval gates, and scan for vulnerable setups via Wiz queries.
AWS urged disabling auto-PR builds from untrusted sources. The attack flow diagram highlights the path from malicious PR to Console risk.
AWS Spokesperson said to CybersecurityNews that “AWS immediately investigated Wiz’s research and found that there was no impact on the confidentiality or integrity of any customer environment or AWS service. To mitigate any potential future threats related to the findings, we implemented additional remediations”.
This underscores CI/CD as prime targets: complex, privilege-rich, and untrusted-input exposed. Public disclosure followed on January 15, 2026.
Powered by
