A simple CodeBuild flaw put every AWS environment at risk – and pwned ‘the central nervous system of the cloud’

Steven

A simple CodeBuild flaw put every AWS environment at risk – and pwned ‘the central nervous system of the cloud’

Summary

Wiz security researchers disclosed a supply‑chain vulnerability dubbed “CodeBreach” in AWS CodeBuild. The root cause was a trivial misconfiguration: unanchored regular expressions (regex) in the ACTOR_ID webhook filter used to restrict which GitHub users can trigger builds. Without start (^) and end ($) anchors, an attacker can create a bot user ID that contains an approved maintainer’s ID and bypass the allow‑list.

Wiz automated GitHub App creation to obtain such a bot ID, submitted a pull request that looked legitimate but included an NPM dependency designed to run during the build, and used it to exfiltrate GitHub credentials for the aws/aws-sdk-js-v3 project. They escalated privileges to create repo administrators and demonstrated how an attacker could insert malicious code into a widely used SDK — potentially affecting downstream users and even the AWS Console itself. Wiz disclosed the flaw to AWS in August; AWS remediated the issue in September and reports no customer impact after auditing builds and logs.

Key Points

  • CodeBreach arose from unanchored regexes in CodeBuild webhook filters (ACTOR_ID), allowing superstring GitHub IDs to bypass allow‑lists.
  • Wiz automated GitHub App creation to obtain a matching bot ID, then used a malicious NPM dependency in a pull request to extract repository credentials during a build.
  • The team gained admin control over aws/aws-sdk-js-v3 and other repos, giving a clear path to inject backdoors into an SDK used by an estimated 66% of cloud environments, including the AWS Console.
  • AWS fixed the configuration within 48 hours of disclosure, audited public builds and CloudTrail logs, and states there was no impact on customer confidentiality or integrity.
  • Researchers warn the underlying risk is universal across CI/CD tooling (GitHub Actions, Jenkins, cloud CI), not unique to AWS; build‑time credentials and trigger rules are a widespread blind spot.

Context and relevance

This finding combines a tiny configuration mistake with normal developer workflows to create massive blast radius. CI/CD pipelines often run with credentials in memory and trigger builds automatically; that combination makes supply‑chain attacks both scalable and stealthy. The incident is a clear reminder that automation can amplify minor errors into global risks.

Organisations running public builds or embedding tokens in build environments should review webhook filters, anchor regexes, minimise credentials available to builds, rotate tokens, restrict public projects, and monitor CI/CD logs and CloudTrail for suspicious activity.

Why should I read this?

Because it’s disturbingly easy. Two missing regex anchors + a bot account = a path to slip code into libraries millions of apps use. If you care about supply‑chain safety, CI/CD hygiene or keeping your cloud environment off the nightly headlines, this is essential reading.

Author style

Punchy — this isn’t a minor patch note. It’s a supply‑chain howler that could have cascaded into catastrophic, global impact. If you’re responsible for CI/CD or cloud security, treat the technical checks here as must‑do actions.

Source

Source: https://go.theregister.com/feed/www.theregister.com/2026/01/15/codebuild_flaw_aws/