A critical vulnerability in the AWS supply chain could have allowed hackers to seize key GitHub repositories

A critical misconfiguration in the Amazon Web Services (AWS) CodeBuild service has exposed several AWS-managed GitHub repositories to potential supply chain attacks, experts warn.

Security researchers at Wiz discovered the error and reported it to AWS, which then resolved the issue.


AWS CodeBuild is a fully managed Amazon Web Services service that automatically builds and packages source code as part of a CI/CD pipeline. It runs build jobs in isolated environments and scales as needed.

Code Violation

Wiz’s report describes a misconfiguration in the way AWS CodeBuild checked which GitHub users were permitted to trigger build jobs. The webhook filter used an unpinned (unanchored) regular expression rather than an exact match, so an attacker could obtain a GitHub account whose actor ID contained a trusted actor ID as a substring, pass the filter, and trigger privileged builds.

This allowed untrusted users to launch privileged build processes, which in turn could expose powerful GitHub access tokens stored in the build environment.

The vulnerability, dubbed “CodeBreach,” could have allowed platform-wide compromise and potentially impacted countless AWS applications and customers by distributing hijacked software updates.

Fortunately, Wiz seems to have discovered it before any malicious actors, as there is no evidence that CodeBreach has been abused in the wild.


AWS has reportedly fixed the misconfigured webhook filters, rotated credentials, hardened the build environments, and “added additional security measures.” The company also said that the issue was project-specific and was not a bug in the CodeBuild service itself.

“AWS has investigated all concerns reported by the Wiz research team in ‘AWS Console Supply Chain Infiltration: Hijacking Core AWS GitHub Repositories via CodeBuild,’” read a statement shared with Wiz.

“In response, AWS has taken a number of steps to mitigate any issues discovered by Wiz, as well as additional measures and mitigations to protect against potential similar future issues. The primary issue of actor ID skipping due to unpinned regular expressions for the identified repositories was resolved within 48 hours of initial disclosure. Additional mitigations have been implemented, including additional protections for all build processes that contain Github tokens or other credentials in memory.

“In addition, AWS reviewed all other public build environments to ensure that no such issues existed in the AWS open source domain. Finally, AWS reviewed the logs of all public build repositories, as well as the associated CloudTrail logs, and determined that no other actors had exploited the unpinned regular expression issue demonstrated by the Wiz research team.”

“AWS has determined that the identified issue does not impact the confidentiality or integrity of the customer’s environment or the AWS service.”


Wiz reported the misconfiguration to AWS in late August 2025 and AWS fixed it shortly after. However, both companies recommend users review their CI/CD configurations, pin webhook regex filters, limit token permissions, and ensure that untrusted pull requests cannot trigger privileged build channels.
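The substring-match weakness described above, and the “pin webhook regex filters” recommendation, can both be illustrated in a few lines. The following is an added example written for this article; it is not code from Wiz, AWS or the CodeBuild service. It assumes the filter behaves with ordinary regex search semantics (the pattern only needs to occur somewhere in the actor ID), as the article describes. The actor IDs and the filter groups are constructed sample data; the `type`/`pattern` dictionaries mirror the shape of CodeBuild webhook filter groups, and `pin_actor_filters` is a hypothetical audit-and-fix helper, not an AWS API.

```python
import re

# Constructed sample IDs (not real GitHub account IDs).
TRUSTED_ACTOR_ID = "12345"
# Hypothetical attacker-held actor ID that merely CONTAINS the trusted one.
LOOKALIKE_ACTOR_ID = "9123456"

WEAK_PATTERN = TRUSTED_ACTOR_ID            # unpinned: matches anywhere in the ID
PINNED_PATTERN = f"^{TRUSTED_ACTOR_ID}$"   # anchored: exact match only


def actor_matches(pattern: str, actor_id: str) -> bool:
    """Regex search semantics as described in the article: the pattern only
    has to occur somewhere inside the actor ID, not match it entirely."""
    return re.search(pattern, actor_id) is not None


def is_pinned(pattern: str) -> bool:
    """True when the pattern is anchored at both ends (^...$ or \\A...\\Z),
    so it can only match the whole actor ID."""
    starts_anchored = pattern.startswith("^") or pattern.startswith(r"\A")
    ends_anchored = (
        (pattern.endswith("$") and not pattern.endswith(r"\$"))
        or pattern.endswith(r"\Z")
    )
    return starts_anchored and ends_anchored


def find_unpinned_actor_filters(filter_groups):
    """Audit CodeBuild-style webhook filter groups (a list of lists of
    {"type": ..., "pattern": ...} dicts) and return (group index, pattern)
    for every ACTOR_ACCOUNT_ID filter that still allows substring matches."""
    findings = []
    for group_index, group in enumerate(filter_groups):
        for f in group:
            if f.get("type") == "ACTOR_ACCOUNT_ID" and not is_pinned(f.get("pattern", "")):
                findings.append((group_index, f["pattern"]))
    return findings


def pin_actor_filters(filter_groups):
    """Return a deep copy in which every unpinned ACTOR_ACCOUNT_ID pattern is
    wrapped as ^(?:...)$ so an alternation like 12345|67890 stays correct.
    Hypothetical helper; the real fix is made in the project's webhook config."""
    pinned = []
    for group in filter_groups:
        new_group = []
        for f in group:
            f = dict(f)
            if f.get("type") == "ACTOR_ACCOUNT_ID" and not is_pinned(f.get("pattern", "")):
                f["pattern"] = f"^(?:{f['pattern']})$"
            new_group.append(f)
        pinned.append(new_group)
    return pinned


# Constructed filter groups in the shape of a CodeBuild webhook configuration.
SAMPLE_FILTER_GROUPS = [
    [
        {"type": "EVENT", "pattern": "PULL_REQUEST_CREATED,PULL_REQUEST_UPDATED"},
        {"type": "ACTOR_ACCOUNT_ID", "pattern": "12345"},    # weak: unpinned
    ],
    [
        {"type": "EVENT", "pattern": "PUSH"},
        {"type": "ACTOR_ACCOUNT_ID", "pattern": "^67890$"},  # already pinned
    ],
]


if __name__ == "__main__":
    # The look-alike ID slips past the unpinned filter but not the pinned one.
    print("weak filter accepts look-alike:  ", actor_matches(WEAK_PATTERN, LOOKALIKE_ACTOR_ID))
    print("pinned filter accepts look-alike:", actor_matches(PINNED_PATTERN, LOOKALIKE_ACTOR_ID))
    print("pinned filter accepts trusted ID:", actor_matches(PINNED_PATTERN, TRUSTED_ACTOR_ID))
    print("unpinned actor filters found:", find_unpinned_actor_filters(SAMPLE_FILTER_GROUPS))
    fixed = pin_actor_filters(SAMPLE_FILTER_GROUPS)
    print("after pinning:", find_unpinned_actor_filters(fixed))
```

The audit function is the part worth running against a real project’s exported webhook filter groups: any `ACTOR_ACCOUNT_ID` pattern it reports is one that a newly created account with a longer numeric ID could satisfy, which is exactly the gap the article attributes to the unpinned expressions.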
