Key AWS-owned GitHub repositories, including the popular AWS JavaScript SDK that powers the AWS Console itself, were taken over by unauthenticated attackers because of a crucial misconfiguration in AWS CodeBuild. This supply chain vulnerability could have introduced malicious code into applications and the Console across numerous AWS environments, creating the potential for platform-wide compromise.
The flaw, dubbed CodeBreach, originated from unanchored regular expression patterns in CodeBuild webhook filters on the ACTOR_ID parameter, which is meant to limit builds to trusted GitHub user IDs, according to security firm Wiz Research. Without ^ and $ anchors, the filter matched any user ID that merely contained an authorized ID as a substring, enabling a bypass through "eclipse" events, in which a newer, longer GitHub ID contains an older, shorter maintainer ID.
For the targeted 6-7 digit IDs in four AWS repos (aws/aws-sdk-js-v3, aws/aws-lc, corretto/amazon-corretto-crypto-provider, and awslabs/open-data-registry), such overlaps were common because GitHub assigns IDs sequentially, creating roughly 200,000 new IDs each day. Attackers could exploit this by mass-creating GitHub Apps through the manifest flow to race for an eclipsing ID, then submitting pull requests that trigger privileged builds. In a proof-of-concept against aws/aws-sdk-js-v3 (PR #7280), hidden payload code dumped process memory to extract a GitHub Personal Access Token (PAT) belonging to the aws-sdk-js-automation account, despite mitigations introduced after the 2025 Amazon Q incident.
The PAT carried repo and admin:repo_hook scopes, which allowed collaborator invitations for admin escalation and direct pushes to the main branch. Wiz told CybersecurityNews that compromising the JavaScript SDK could have poisoned its weekly NPM releases, affecting 66% of scanned cloud environments as well as the AWS Console, which loads the most recent SDK versions alongside user credentials. As in the Nx S1ngularity and Amazon Q (AWS-2025-015) attacks, the stolen PAT also controlled associated private repos, compounding the supply chain risk.
Wiz responsibly disclosed the issue on August 25, 2025, having stopped short of further escalation after the PoC.
Affected repositories, with the maintainer ID type and the observed eclipse frequency:

aws/aws-sdk-js-v3: short 6-7 digit maintainer ID, eclipsed about every five days
aws/aws-lc: short 6-7 digit maintainer ID, eclipsed about every five days
corretto/amazon-corretto-crypto-provider: short 6-7 digit maintainer ID, eclipsed about every five days
awslabs/open-data-registry: short 6-7 digit maintainer ID, eclipsed about every five days

Within 48 hours, AWS fixed the regex vulnerability, revoked tokens, strengthened memory protections, audited public builds, and verified through logs that no exploitation had occurred. Customer data was not affected. New features such as CodeBuild-hosted runners and Pull Request Comment Approval now block untrusted builds.
Recommended mitigations: anchor webhook regexes, use fine-grained PATs with minimal scopes, enable PR approval gates, and use Wiz queries to scan for vulnerable configurations. AWS also advised disabling automatic PR builds from untrusted sources.
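As an added example (not code from Wiz or AWS) tying the substring-match bypass described earlier to the "anchor webhook regexes" recommendation: a Python model of the actor-ID filter using constructed sample IDs, plus an audit helper that flags unanchored patterns in a CodeBuild-style filterGroups structure. It assumes the filter is evaluated with regex search semantics; CodeBuild's filter type for this check is ACTOR_ACCOUNT_ID (the article refers to it as ACTOR_ID).

```python
import re

# Constructed sample IDs (not from the article): a trusted maintainer's short
# GitHub numeric ID and a newer, longer ID that contains it as a substring.
TRUSTED_ID = "123456"
ECLIPSING_ID = "91234567"


def actor_filter_matches(pattern: str, actor_id: str) -> bool:
    """Model the webhook actor filter as a regex evaluated with search
    semantics (assumed), so an unanchored pattern matches anywhere in the ID."""
    return re.search(pattern, actor_id) is not None


def _top_level_alternatives(pattern: str):
    """Split a regex on '|' that is not nested inside parentheses.
    Simplified: does not account for escaped '\\(' or '\\|' sequences."""
    parts, depth, current = [], 0, []
    for ch in pattern:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        if ch == "|" and depth == 0:
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    parts.append("".join(current))
    return parts


def is_anchored(pattern: str) -> bool:
    """True only if every top-level alternative is pinned with ^ and $,
    so '^123|456$' is rejected while '^(123|456)$' is accepted."""
    return all(p.startswith("^") and p.endswith("$")
               for p in _top_level_alternatives(pattern))


def audit_filter_groups(filter_groups):
    """Return the ACTOR_ACCOUNT_ID patterns that lack full anchoring.
    Input mirrors CodeBuild's filterGroups shape: a list of groups, each a
    list of {"type": ..., "pattern": ...} filter dicts."""
    return [f["pattern"] for group in filter_groups for f in group
            if f.get("type") == "ACTOR_ACCOUNT_ID"
            and not is_anchored(f["pattern"])]
```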
The attack flow diagram shows the path from a malicious PR to Console risk. The case underscores that CI/CD pipelines are prime targets because they are complex, privilege-rich, and exposed to untrusted input. The research was made public on January 15, 2026.