AWS CodeBuild Misconfiguration Exposed GitHub Repos to Supply Chain Attacks

A critical AWS CodeBuild misconfiguration exposed major GitHub repositories to potential supply chain attacks. Learn how CodeBreach worked, what AWS fixed, and how to secure CI/CD pipelines.

Jan 16, 2026 - 17:58

A major security misconfiguration in Amazon Web Services (AWS) CodeBuild recently endangered the company's most significant open-source projects, including the popular AWS JavaScript SDK. The flaw, codenamed CodeBreach by Wiz, the cloud security company that found it, could have let attackers take control of AWS's GitHub repositories and introduce harmful code into software that millions of developers worldwide rely upon.

AWS has acknowledged that the problem was resolved in September 2025 and that no active exploitation was observed, but the case is a reminder that CI/CD pipelines are highly vulnerable and can fail even when only a minor configuration mistake is made.

What Was CodeBreach?

The CodeBreach incident was caused by a flaw in AWS CodeBuild webhook filters, which control which GitHub events are allowed to start automated builds. These filters are particularly critical because build environments may have access to sensitive information such as GitHub admin tokens, API keys, or deployment secrets.

A number of AWS-managed repositories used regex filters to determine which GitHub users could trigger builds. Unfortunately, the regex patterns were not written correctly: they were missing the critical anchors (^ and $) that guarantee exact matches.

Consequently, malicious actors could get around the filters by registering GitHub accounts whose numeric user IDs simply contained an approved ID as part of a longer number. This hard-to-notice mistake allowed unauthorized users to trigger builds, get past the security measures, and take the credentials present in the build environment.
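The missing-anchor problem described above can be checked for mechanically. The following is an added example, not code from AWS or Wiz: it audits filter groups shaped like the `webhook.filterGroups` field of a CodeBuild project and reports any `ACTOR_ACCOUNT_ID` pattern that also accepts a longer number containing an approved ID. The account IDs are constructed, the function names are hypothetical, and Python's `re.search` is assumed to model the substring matching an unanchored filter permits.

```python
import re

# Constructed sample shaped like a CodeBuild project's webhook.filterGroups;
# the account IDs are made up for illustration.
SAMPLE_FILTER_GROUPS = [
    [{"type": "EVENT", "pattern": "PULL_REQUEST_CREATED"},
     {"type": "ACTOR_ACCOUNT_ID", "pattern": "123456|7654321"}],
    [{"type": "EVENT", "pattern": "PUSH"},
     {"type": "ACTOR_ACCOUNT_ID", "pattern": "^123456|7654321$"}],
    [{"type": "EVENT", "pattern": "PUSH"},
     {"type": "ACTOR_ACCOUNT_ID", "pattern": "^(123456|7654321)$"}],
]


def superstring_matches(pattern):
    """Return longer numeric IDs the pattern accepts but never listed.

    Assumes the pattern lists approved IDs as literal digit runs.
    """
    regex = re.compile(pattern)
    approved = set(re.findall(r"\d+", pattern))
    leaks = []
    for actor_id in sorted(approved):
        # One extra digit before or after an approved ID.
        for candidate in ("9" + actor_id, actor_id + "9"):
            # search() finds a match anywhere in the string, which is what
            # a pattern without ^ and $ allows.
            if candidate not in approved and regex.search(candidate):
                leaks.append(candidate)
    return leaks


def audit_filter_groups(filter_groups):
    """Return (group_index, pattern, leaks) for every weak actor filter."""
    findings = []
    for index, group in enumerate(filter_groups):
        for flt in group:
            if flt.get("type") != "ACTOR_ACCOUNT_ID":
                continue
            leaks = superstring_matches(flt["pattern"])
            if leaks:
                findings.append((index, flt["pattern"], leaks))
    return findings


if __name__ == "__main__":
    for index, pattern, leaks in audit_filter_groups(SAMPLE_FILTER_GROUPS):
        print(f"group {index}: {pattern!r} also accepts {leaks}")
```

The second sample group shows why testing behaviour is safer than looking for `^` and `$` in the text: `^123456|7654321$` contains both anchors, but alternation binds more loosely than the anchors, so each alternative is anchored on one side only.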

Repositories Affected

According to Wiz, the misconfiguration impacted several high-profile AWS open-source projects:

  • aws-sdk-js-v3
  • aws-lc
  • amazon-corretto-crypto-provider
  • awslabs/open-data-registry

These repositories are foundational to modern cloud development workflows. A compromise in any one of them could have triggered a large-scale software supply chain attack, affecting applications and infrastructure across thousands of organizations.

How the Attack Could Have Worked

GitHub assigns user IDs sequentially. The Wiz researchers found that attackers could easily predict future IDs and create bot accounts until one got through the AWS webhook filter by matching a certain pattern. Such an account, after triggering a build, would then have access to the GitHub credentials kept in the AWS CodeBuild environment, including a Personal Access Token (PAT) with full administrative rights over the repository. At that point, the attackers could:

  • Push harmful code directly to the primary branch
  • Get unapproved pull requests through
  • Steal repository secrets
  • Insert backdoors into SDKs and dependencies

This would have given the attackers a chance to infect software updates distributed to developers all around the world, a worst-case situation in the cloud security domain.

AWS Response and Remediation

AWS has acknowledged the problem and clarified that its source was misconfigurations at the project level rather than a defect in the CodeBuild service. The company fixed the impacted pipelines in September 2025 following responsible disclosure on August 25, 2025.

Along with this, AWS also tightened overall security and added new measures, including the following:

  • rotating the exposed credentials
  • hardening build environments
  • improving filtering configurations for webhooks
  • securing the memory of build processes that hold secrets

Most notably, AWS stated that it had no indication of any exploitation of CodeBreach in the wild.

Why CI/CD Pipelines Are High-Value Targets

CI/CD environments are increasingly a major target because they sit at the intersection of:

  • Untrusted outside input (webhooks, forks, pull requests)
  • Privileged credentials (secrets, tokens, keys, and others used for deployment)
  • Automated execution pipelines

With this mixture, even very minor configuration errors can lead to disaster. Wiz researchers characterized CodeBreach as a classic case of how attackers take advantage of very small defects for huge consequences, with no prior access or insider knowledge necessary.

Best Practices to Prevent CI/CD Supply Chain Attacks

To minimize the chances of similar vulnerabilities, organizations ought to:

  1. Not allow pipelines to execute on untrusted pull requests
  2. Require pull request approval gates before the build takes place
  3. Use anchored regex patterns (^...$) in webhook filters
  4. Issue a separate least-privilege token for each CI project
  5. Keep secrets in secure environments and rotate credentials frequently
  6. Use non-privileged GitHub accounts for CI automation
  7. Monitor for unusual pipeline triggers and access patterns

If an attacker chooses to target build infrastructure, these measures will significantly reduce the blast radius.

Part of a Larger Industry Trend

CodeBreach is just the tip of the iceberg. In the last two years, various researchers have identified serious vulnerabilities in the CI/CD pipelines of big platforms:

  • Sysdig disclosed that insecurely configured GitHub Actions workflows using the pull_request_target trigger could leak secret tokens.
  • Orca Security then reported the same kind of vulnerabilities in projects of Google, Microsoft, NVIDIA, and other Fortune 500 companies, labeling it the pull_request_nightmare campaign.

In most scenarios, attackers could go from a pull request to remote code execution and total control of the repository without ever coming into contact with the company's production environment.

Final Thoughts

The AWS CodeBuild configuration error is a major reminder that CI/CD security is supply chain security. Modern development pipelines are highly automated, heavily interconnected, and heavily credentialed. They therefore represent one of the most attractive attack surfaces in cloud environments.

Even a small oversight, like the unintentional omission of a regex anchor, could allow the most trusted software ecosystems on the planet to suffer a devastating breach. As organizations keep scaling their DevOps operations, making the security of build pipelines equivalent to the security of production systems will become necessary.