What happened
Wiz researchers disclosed a supply chain vulnerability in AWS CodeBuild that could have let attackers trigger builds in the CI pipelines of several AWS GitHub repositories and push malicious code. The flaw stemmed from unanchored regular expressions in CodeBuild webhook filters of type ACTOR_ACCOUNT_ID, the filter meant to restrict pull-request builds to trusted GitHub user IDs. Because the patterns carried no ^ and $ anchors, they matched any actor ID that merely contained a trusted ID as a substring. GitHub user IDs are assigned as increasing integers, so newly created accounts eventually receive IDs that contain a shorter trusted ID (the researchers called this an "eclipse"); a pull request from such an account passed the filter and started a build. Four AWS repositories were affected: aws/aws-sdk-js-v3, aws/aws-lc, corretto/amazon-corretto-crypto-provider, and awslabs/open-data-registry. In a proof-of-concept, the researchers showed that a GitHub Personal Access Token (PAT) reachable from such a build could be used to escalate to repository admin and push to the main branch, which could have propagated malicious code into AWS SDK releases and, because the AWS Console itself uses the SDK, into the AWS Console and the cloud environments managed through it.
Who is affected
Organizations that consume the affected AWS SDKs, or that manage enterprise workloads through the AWS Console, were indirectly exposed: any environment incorporating those SDKs or depending on the affected repositories could have received tampered code. AWS reviewed its logs and reports no sign that the flaw was exploited before it was fixed.
Why CISOs should care
A single weak trust check in the CI pipeline of a widely used cloud platform component can cascade into hundreds of thousands of downstream enterprise cloud environments, opening the door to code injection, privilege escalation, and exposure of sensitive credentials in every consumer of that component.
3 practical actions
- Review CI/CD security: Audit AWS CodeBuild webhook filter groups for unanchored regular expressions (every pattern that gates who may trigger a build, such as ACTOR_ACCOUNT_ID, should start with ^ and end with $), and check which secrets, including PATs, a build started by an external pull request can reach.
- Harden repository access: Scope GitHub PATs to the minimum permissions a build needs (no admin-capable tokens in CI), prefer fine-grained tokens with an expiry, and enable multi-factor authentication for repository maintainer accounts.
- Monitor SDK usage and updates: Ensure all production environments run verified, current AWS SDK versions, and watch for unusual pull requests, unexpected builds triggered by unknown accounts, and unauthorized pushes to protected branches.
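Added example, not code from the Wiz write-up or from AWS: a Python model of the filter behaviour described above together with the audit check from the first action. The `webhook.filterGroups` structures are constructed in the shape `aws codebuild batch-get-projects` returns; the trusted ID 123456 and the attacker ID 91234567 are made up. That patterns are evaluated as unanchored regex searches is the behaviour the disclosure demonstrated, and that filters inside a group are ANDed while groups are ORed is how CodeBuild documents filter groups; everything else here is a simplified model, not CodeBuild's own evaluation code.

```python
import re

# Constructed sample: webhook.filterGroups of a CodeBuild project as returned by
# `aws codebuild batch-get-projects`. Trusted actor ID 123456 is made up.
VULNERABLE_FILTER_GROUPS = [
    [
        {"type": "EVENT", "pattern": "PULL_REQUEST_CREATED,PULL_REQUEST_UPDATED"},
        {"type": "ACTOR_ACCOUNT_ID", "pattern": "123456", "excludeMatchedPattern": False},
    ]
]

# Same project with the actor filter anchored, which is the fix.
FIXED_FILTER_GROUPS = [
    [
        {"type": "EVENT", "pattern": "PULL_REQUEST_CREATED,PULL_REQUEST_UPDATED"},
        {"type": "ACTOR_ACCOUNT_ID", "pattern": "^123456$", "excludeMatchedPattern": False},
    ]
]

# Constructed webhook events, keyed by filter type. 91234567 "eclipses" 123456:
# it is a different (hypothetical) GitHub account whose ID contains the trusted one.
TRUSTED_PR = {"EVENT": "PULL_REQUEST_CREATED", "ACTOR_ACCOUNT_ID": "123456"}
ECLIPSE_PR = {"EVENT": "PULL_REQUEST_CREATED", "ACTOR_ACCOUNT_ID": "91234567"}

# A pattern counts as anchored if it starts with ^ or \A and ends with $, \z or \Z.
_ANCHORED = re.compile(r"^(\^|\\A).*(\$|\\[zZ])$", re.DOTALL)


def is_anchored(pattern: str) -> bool:
    """Heuristic anchoring check. Alternations such as '^a$|^b$' are reported as
    unanchored even though each branch is anchored; treat hits as review items."""
    return bool(_ANCHORED.match(pattern))


def find_unanchored_actor_filters(filter_groups):
    """Audit helper: (group_index, pattern) for every ACTOR_ACCOUNT_ID filter that
    does not pin both ends of the actor ID."""
    findings = []
    for gi, group in enumerate(filter_groups):
        for f in group:
            if f.get("type") == "ACTOR_ACCOUNT_ID" and not is_anchored(f["pattern"]):
                findings.append((gi, f["pattern"]))
    return findings


def filter_matches(f, event):
    """Evaluate one filter against an event. EVENT patterns are comma-separated
    event names; every other pattern is applied as an unanchored regex search,
    which is the modelling assumption that reproduces the reported flaw.
    excludeMatchedPattern inverts the result."""
    value = event.get(f["type"], "")
    if f["type"] == "EVENT":
        matched = value in f["pattern"].split(",")
    else:
        matched = re.search(f["pattern"], value) is not None
    return matched != bool(f.get("excludeMatchedPattern", False))


def build_triggered(filter_groups, event):
    """Filters within a group are ANDed; the groups themselves are ORed."""
    return any(all(filter_matches(f, event) for f in group) for group in filter_groups)


if __name__ == "__main__":
    for name, groups in (("vulnerable", VULNERABLE_FILTER_GROUPS), ("fixed", FIXED_FILTER_GROUPS)):
        print(f"{name}: trusted PR builds={build_triggered(groups, TRUSTED_PR)}, "
              f"eclipse PR builds={build_triggered(groups, ECLIPSE_PR)}, "
              f"audit findings={find_unanchored_actor_filters(groups)}")
```

To run the audit against real projects, feed `find_unanchored_actor_filters` the `projects[].webhook.filterGroups` field from `aws codebuild batch-get-projects --names <project>`; any finding means a pull request from an account whose numeric ID merely contains the trusted ID would start a build, so anchor the pattern and then review what that build can read.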
