AWS Console Supply Chain Vulnerability Exposes GitHub Repositories

What happened

Wiz researchers disclosed a supply chain vulnerability in AWS Console CodeBuild that allowed attackers to hijack GitHub repositories and inject malicious code. The flaw stemmed from unanchored regular expressions in webhook filters for the ACTOR_ID parameter, which should have restricted builds to trusted GitHub user IDs. Because the patterns were not anchored to the whole ID, attackers could exploit “eclipse events,” in which a newly created GitHub user ID contains a trusted ID as a substring and therefore passes the filter. Four AWS repositories were affected: aws/aws-sdk-js-v3, aws/aws-lc, corretto/amazon-corretto-crypto-provider, and awslabs/open-data-registry. In a proof-of-concept, the researchers showed that a stolen GitHub Personal Access Token (PAT) could allow repo admin escalation and unauthorized main branch pushes, risking propagation of malicious code into AWS SDK releases and potentially affecting the AWS Console and associated cloud environments.
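As an added illustration (not code from Wiz's research or from AWS), the following Python emulates a regex-based ACTOR_ID webhook filter as a substring search and audits a pattern against sample events, showing how an unanchored trusted ID admits IDs that merely contain it and how the anchored form closes the gap. The user IDs are constructed, and the substring-match semantics are an assumption made to reproduce the failure mode the report describes.

```python
import re

# Constructed example values (not from the original report): a trusted GitHub
# numeric user ID and a few actor IDs as they might arrive in webhook events.
TRUSTED_ACTOR_ID = "123456"
SAMPLE_ACTOR_IDS = ["123456", "9123456", "1234567", "654321"]


def filter_matches(pattern: str, actor_id: str) -> bool:
    """Emulate a regex webhook filter that searches for the pattern anywhere in
    the actor ID (assumed semantics); an unanchored pattern therefore matches
    any ID containing the trusted ID as a substring (the 'eclipse' case)."""
    return re.search(pattern, actor_id) is not None


def is_anchored(pattern: str) -> bool:
    """A pattern is pinned to the whole actor ID only when it starts with ^ and
    ends with an unescaped $."""
    return (pattern.startswith("^") and pattern.endswith("$")
            and not pattern.endswith(r"\$"))


def eclipsing_ids(pattern: str, actor_ids) -> list:
    """Return the actor IDs that pass the filter but are not the trusted ID
    itself, i.e. IDs that would let an untrusted actor trigger a build."""
    return [a for a in actor_ids
            if filter_matches(pattern, a) and a != TRUSTED_ACTOR_ID]


def audit_filter(pattern: str, actor_ids) -> dict:
    """Audit one ACTOR_ID filter pattern against sample events and suggest
    the anchored form when the pattern is unanchored."""
    anchored = is_anchored(pattern)
    return {
        "pattern": pattern,
        "anchored": anchored,
        "eclipsing_ids": eclipsing_ids(pattern, actor_ids),
        "suggested": pattern if anchored else f"^{pattern}$",
    }


if __name__ == "__main__":
    for p in (TRUSTED_ACTOR_ID, f"^{TRUSTED_ACTOR_ID}$"):
        print(audit_filter(p, SAMPLE_ACTOR_IDS))
```

The same audit can be run over every filter group in a CodeBuild webhook configuration; any pattern for which `eclipsing_ids` is non-empty or `anchored` is false needs the anchored form.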

Who is affected

Organizations using the affected AWS SDKs or managing enterprise workloads through the AWS Console are indirectly exposed. Any environment that incorporates the affected SDKs or depends on the affected repositories was potentially at risk, although AWS logs indicate that no exploitation occurred.

Why CISOs should care

Supply chain vulnerabilities in widely used cloud platforms can result in cascading impacts across hundreds of thousands of enterprise cloud environments, creating opportunities for code injection, privilege escalation, and exposure of sensitive credentials.

3 practical actions

  • Review CI/CD security: Audit AWS CodeBuild configurations, webhook filters, and PAT scopes to prevent untrusted build execution.
  • Harden repository access: Limit GitHub PAT privileges and enable multi-factor authentication for repository maintenance accounts.
  • Monitor SDK usage and updates: Ensure all production environments use verified, up-to-date AWS SDK versions, and watch for unusual pull requests or unauthorized code changes.

John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business targeted for professional audiences.