Researchers have discovered CodeBreach, a serious flaw that allows the full takeover of important AWS GitHub repositories, endangering the AWS Console supply chain. The vulnerability made it possible for attackers to gain access to the AWS JavaScript SDK, a fundamental library that powers the AWS Console and is used in about 66% of cloud environments worldwide.
JavaScript SDK for AWS

The vulnerability took advantage of a minor error in the AWS CodeBuild CI pipelines that were in charge of building and distributing the SDK. A regular expression filter governing build triggers was missing just two characters, the start and end anchors, which allowed unauthenticated attackers to enter the build environment, retrieve privileged GitHub credentials, and obtain administrative access to vital repositories.
How the Attack Occurred

The main source of the problem was unanchored regex patterns in CodeBuild webhook filters, which are intended to stop untrusted pull requests from initiating builds. These filters used the ACTOR_ID parameter to list authorized GitHub user IDs, but the regex lacked start and end anchors. As a result, the filter could be circumvented by any new GitHub user ID that contained an authorized maintainer's ID as a substring.
Taking advantage of GitHub's sequential ID assignment, the researchers registered bot accounts whose IDs contained trusted maintainer IDs. They claimed a target ID by using the manifest flow to automate the creation of GitHub Apps, then sent a malicious pull request to the aws-sdk-js-v3 repository.
By using the poisoned PR to initiate a CodeBuild run, the researchers were able to dump process memory and obtain GitHub credentials for the aws-sdk-js-automation account. These credentials carried full administrative control over the JavaScript SDK repository and a number of associated private repositories. Attackers could have approved compromised pull requests, added backdoors to the weekly SDK releases that are shipped to millions of applications and to the AWS Console itself, and pushed malicious code straight to the main branch.
At least three additional AWS repositories were impacted by the same ACTOR_ID bypass, which may have exposed more automation accounts and even AWS employees' private GitHub credentials.
The attack follows recent supply chain incidents such as the July 2025 Amazon Q VS Code extension compromise, in which a threat actor inserted malicious code into production releases by taking advantage of a similar CodeBuild misconfiguration. Following Wiz's responsible disclosure, AWS quickly fixed every issue found and put platform-wide hardening measures in place within CodeBuild. Most significantly, AWS implemented a new Pull Request Comment Approval build gate that requires manual approval before untrusted PR builds are executed.
To prevent similar exploitation, AWS strongly advises all CodeBuild users to enable the new PR approval gate, use fine-grained Personal Access Tokens with minimal permissions, and make sure webhook regex patterns are correctly anchored with start and end characters. Downstream users of the affected repositories, however, are not required to take immediate action.
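The substring bypass and the anchoring fix, as an added example that is not from the article or from AWS: a small Python model of the ACTOR_ID filter described above, assuming (as the article states) that the filter applies its regex as an unanchored search over the actor's numeric ID. The maintainer and attacker IDs are constructed, not real GitHub IDs, and the audit check goes slightly beyond the article by testing filter behaviour rather than pattern syntax, so it also catches an anchor placed on only one alternative.

```python
import re

# Constructed sample IDs (not real GitHub accounts): two trusted maintainers and an
# attacker-registered account whose sequential ID happens to contain a maintainer's ID.
TRUSTED_MAINTAINER_IDS = ["1234567", "2345678"]
ATTACKER_ID = "91234567"  # contains "1234567" as a substring


def build_pattern(trusted_ids, anchored):
    """Build the allow-list regex. anchored=False is the misconfiguration the article describes.

    The group around the alternation matters: "^a|b$" anchors only the first and last
    alternative, so an attacker ID that merely ends with "b" would still pass.
    """
    alternation = "|".join(re.escape(i) for i in trusted_ids)
    return f"^({alternation})$" if anchored else alternation


def actor_allowed(actor_id, pattern):
    """Model of the webhook filter (assumption): the regex is searched anywhere in the ID."""
    return re.search(pattern, actor_id) is not None


def filter_is_safe(pattern, trusted_ids):
    """Behavioural audit: every trusted ID must match, and the same ID with an extra
    digit prepended or appended must NOT match. A purely syntactic check (does the
    pattern start with ^ and end with $) would miss a misplaced anchor."""
    for tid in trusted_ids:
        if not actor_allowed(tid, pattern):
            return False
        if actor_allowed("9" + tid, pattern) or actor_allowed(tid + "9", pattern):
            return False
    return True


def audit(trusted_ids, candidate_ids, pattern):
    """Return candidate actor IDs that would be let through without being on the allow-list."""
    return [a for a in candidate_ids if actor_allowed(a, pattern) and a not in trusted_ids]


if __name__ == "__main__":
    weak = build_pattern(TRUSTED_MAINTAINER_IDS, anchored=False)
    fixed = build_pattern(TRUSTED_MAINTAINER_IDS, anchored=True)
    print("unanchored filter lets through:", audit(TRUSTED_MAINTAINER_IDS, [ATTACKER_ID], weak))
    print("anchored filter lets through:", audit(TRUSTED_MAINTAINER_IDS, [ATTACKER_ID], fixed))
    print("unanchored safe?", filter_is_safe(weak, TRUSTED_MAINTAINER_IDS))
    print("anchored safe?", filter_is_safe(fixed, TRUSTED_MAINTAINER_IDS))
```

Running `filter_is_safe` against each webhook filter pattern in a CodeBuild project is a cheap way to verify the anchoring fix the article recommends before relying on the PR approval gate alone.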