A subtle misconfiguration in AWS CodeBuild pipelines could have allowed attackers to hijack core GitHub repositories, threatening millions of cloud applications and the AWS Console itself.
Quick Summary – TLDR:
- CodeBreach, a critical bug in AWS CodeBuild, could have enabled full takeover of AWS GitHub repositories.
- The vulnerability risked injecting malicious code into the AWS JavaScript SDK, used by about 66 percent of cloud environments.
- Attackers could have stolen admin credentials, approved fake pull requests, and pushed backdoored updates.
- AWS fixed the issue in September 2025 and introduced new security measures, including manual PR approval gates.
What Happened?
A serious vulnerability, codenamed CodeBreach, was discovered in AWS CodeBuild, the continuous integration service used to manage the cloud giant’s open source projects. Security researchers from Wiz found that a flawed regex filter in CodeBuild’s webhook logic made it possible for unauthenticated attackers to trigger CI builds and steal admin GitHub credentials. This could have led to full compromise of the aws-sdk-js-v3 repository, the JavaScript SDK that powers the AWS Console and is integrated into most cloud setups.
We hacked the AWS JavaScript SDK, a core library powering the entire @AWScloud ecosystem – including the AWS Console itself 🤯
How did we do it? Just two missing characters was all it took.
This is the story of #CodeBreach 🧵👇
— Yuval Avrahami (@yuvalavra) January 15, 2026
A Regex Misfire with Massive Implications
At the heart of the issue was an incorrectly written ACTOR_ID regex filter in AWS CodeBuild. Designed to block untrusted pull requests by verifying GitHub user IDs, the filter was missing the start (^) and end ($) anchors, which are what turn a pattern into an exact match rather than a substring match. Without them, any GitHub user whose numeric ID merely contained an approved maintainer’s ID as a substring could pass the check.
Using this loophole, the researchers created thousands of bot GitHub accounts until one received an ID that satisfied the unanchored pattern, allowing them to open a pull request that the filter treated as legitimate. That PR triggered a CodeBuild run, giving the researchers access to the build environment, from whose memory they extracted GitHub credentials for the aws-sdk-js-automation account. These credentials had admin privileges over several AWS repositories, including private ones.
With this level of access, an attacker could:
- Push malicious code directly to the main branch.
- Approve backdoored pull requests.
- Exfiltrate repository secrets.
- Inject vulnerabilities into SDK updates distributed globally.
The misconfiguration affected at least four AWS-managed repositories, including:
- aws-sdk-js-v3
- aws-lc
- amazon-corretto-crypto-provider
- awslabs/open-data-registry
No Exploits in the Wild, but Risks Were Real
AWS responded quickly after Wiz disclosed the issue in August 2025, releasing a fix by September 2025. In a public advisory, AWS emphasized that the issue was limited to specific repositories and did not represent a flaw in the CodeBuild service itself.
“There was no impact on the confidentiality or integrity of any customer environment or AWS service,” AWS said. It nonetheless took additional mitigation steps, including:
- Rotating all potentially exposed credentials
- Auditing other open source repositories
- Strengthening webhook logic and CI pipeline protections
Lessons from the Amazon Q Incident
The CodeBreach discovery comes just months after another supply chain scare involving the Amazon Q VS Code extension, where a similarly flawed webhook allowed unauthorized code injection. These incidents highlight a broader pattern of risk tied to CI/CD pipeline misconfigurations.
“These defects expose how overlooked pipeline logic can create massive risks, bypassing traditional defenses like credential security or malware detection,” said Janet Worthington, senior analyst at Forrester.
Best Practices Moving Forward
AWS and Wiz both recommend that teams using CodeBuild immediately implement stronger safeguards, including:
- Enabling the Pull Request Comment Approval build gate to prevent untrusted PRs from triggering builds.
- Using CodeBuild-hosted runners to manage workflows securely.
- Anchoring all regex filters with ^ and $ characters.
- Creating unique, fine-grained Personal Access Tokens (PATs) with minimal permissions for each project.
- Using unprivileged GitHub accounts for CI/CD integrations.
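The following JavaScript is an added example, not code from AWS, Wiz or the SDK, illustrating the regex defect described under "A Regex Misfire" and the "anchor all regex filters" recommendation above: it contrasts the unanchored and anchored forms of an actor-ID filter and lints a pattern for missing anchors. All account IDs are constructed placeholders.

```javascript
// Added example (not AWS's or Wiz's code). Shows why an unanchored
// ACTOR_ID-style filter behaves as a substring check and how to audit
// filter patterns for the missing ^ and $ anchors. Every ID below is
// constructed for illustration, not a real GitHub user ID.

// Maintainer IDs a project intends to trust (constructed values).
const TRUSTED_IDS = ["1234567", "7654321"];

// Flawed style of filter: alternation of IDs with no ^ ... $ anchors.
const UNANCHORED_PATTERN = TRUSTED_IDS.join("|");
// Corrected filter: the entire actor ID must equal one trusted ID.
const ANCHORED_PATTERN = `^(${TRUSTED_IDS.join("|")})$`;

// Emulates the filter decision: does this actor ID pass the pattern?
function actorPasses(pattern, actorId) {
  return new RegExp(pattern).test(String(actorId));
}

// Lints a filter pattern for the defect in the article. Returns a list
// of findings; an empty list means the pattern is fully anchored.
function auditActorFilter(pattern) {
  const findings = [];
  if (!pattern.startsWith("^")) findings.push("missing start anchor ^");
  if (!pattern.endsWith("$")) findings.push("missing end anchor $");
  // Anchors must cover every alternative: ^a|b$ still leaks, because
  // the ^ binds only to "a" and the $ only to "b".
  if (pattern.includes("|") && !/^\^\(.*\)\$$/.test(pattern)) {
    findings.push("alternation is not wrapped in a single anchored group");
  }
  return findings;
}

// A later-registered account whose ID contains a trusted ID as a
// substring (constructed). This is the lookalike the exploit relied on.
const LOOKALIKE_ID = "91234567";

// Stand-alone demonstration for readers running this file directly.
for (const [name, pattern] of [["unanchored", UNANCHORED_PATTERN],
                               ["anchored", ANCHORED_PATTERN]]) {
  console.log(name, "maintainer:", actorPasses(pattern, TRUSTED_IDS[0]),
              "lookalike:", actorPasses(pattern, LOOKALIKE_ID),
              "findings:", auditActorFilter(pattern));
}
```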
SQ Magazine Takeaway
Let me say this clearly. This was a near miss of massive proportions. If attackers had pulled this off, they could have slipped malware into the core SDK that runs the AWS Console and powers a huge chunk of the cloud. Millions of apps and cloud environments could have been compromised without anyone knowing. It’s a powerful reminder that one small misstep in CI/CD security can open the door to global consequences. I’m glad AWS patched it fast, but this needs to be a wake-up call for every developer and security engineer managing build pipelines.