
Two Missing Characters Nearly Compromised Every AWS Account Worldwide

Critical AWS CodeBuild flaw exposed JavaScript SDK to supply chain attack affecting 66% of cloud environments.

CodeBreach

Security researchers at Wiz have exposed a hair-raising vulnerability that could have given attackers complete control over the AWS JavaScript SDK—the cornerstone library powering the AWS Console and two-thirds of all cloud environments.

Dubbed "CodeBreach," the flaw stemmed from just two missing characters in a regular expression filter within AWS's CodeBuild CI pipelines. Those absent symbols—a caret (^) and dollar sign ($)—created an opening for unauthenticated attackers to hijack privileged credentials and inject malicious code directly into AWS's core infrastructure.

The attack vector was deceptively simple yet devastatingly effective. AWS repositories used an ACTOR_ID filter to whitelist trusted maintainers by their GitHub user IDs. However, without proper regex anchoring, the filter accepted any ID that merely contained an approved number as a substring—not an exact match.

CodeBreach attack flow

Wiz researchers exploited this by gaming GitHub's sequential ID assignment system. They created hundreds of bot accounts simultaneously, racing to claim a user ID like "226755743" that contained a trusted maintainer's shorter ID. Once obtained, their malicious bot could bypass security checks and trigger builds that exposed GitHub credentials stored in CodeBuild's memory.

"This vulnerability is a textbook example of why adversaries target CI/CD environments: a subtle, easily overlooked flaw that can be exploited for massive impact," the researchers noted.

The blast radius was staggering. The compromised aws-sdk-js-automation account held admin privileges across multiple repositories, including three private AWS mirrors. With 66% of cloud environments running the JavaScript SDK, a successful attack could have cascaded across the entire AWS ecosystem—including the Console itself, which bundles SDK versions released just weeks earlier.

AWS remediated all issues within 48 hours of disclosure and confirmed no malicious exploitation occurred. The company also rolled out global CodeBuild hardening measures, including a new Pull Request Comment Approval gate.

Immediate Action Required: CodeBuild users should enable the new approval gate, anchor all regex webhook filters with ^ and $ symbols, and limit GitHub Personal Access Tokens to the minimum required permissions.
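To make the substring-match flaw and the anchoring fix concrete, here is an added Python example; it is not code from Wiz, AWS or the article. It models the actor-ID filter with search semantics (an assumption that matches the behaviour the article describes), uses constructed IDs rather than the real maintainer's, and audits a constructed webhook configuration laid out in the filter-group shape CodeBuild webhooks use, with ACTOR_ACCOUNT_ID as the filter type name for the GitHub account ID (the article calls it the ACTOR_ID filter). It also covers one edge case beyond the article: a pattern with an alternation that looks anchored but is not.

```python
import re

# Constructed sample values, not taken from the advisory: a trusted maintainer's
# GitHub user ID and a longer ID that contains it as a substring. The article
# quotes "226755743" as the kind of ID the researchers raced to claim.
TRUSTED_ID = "6755743"
LOOKALIKE_ID = "226755743"


def actor_allowed(pattern: str, actor_id: str) -> bool:
    """Model of a regex actor-ID webhook filter.

    Assumption: the filter is evaluated with search semantics, i.e. a match
    anywhere inside the ID counts. Under those semantics an unanchored pattern
    admits every ID that merely contains the trusted number.
    """
    return re.search(pattern, actor_id) is not None


def anchor(pattern: str) -> str:
    """Pin a pattern to both ends of the actor ID.

    The pattern is wrapped in a non-capturing group before anchoring, because
    a bare "^123|456$" anchors only the first alternative at the start and the
    last at the end, so "99456" still matches. Wrapping is harmless if the
    pattern already carries its own anchors.
    """
    return f"^(?:{pattern})$"


def audit_filter_groups(filter_groups: list[list[dict]]) -> list[str]:
    """Return actor-ID patterns that are not safely anchored.

    filter_groups follows the shape CodeBuild webhooks use: a list of filter
    groups, each a list of {"type": ..., "pattern": ...} entries. The check is
    a string heuristic: a pattern must start with ^ and end with $, and one
    that contains an alternation must be wrapped in a group so both anchors
    apply to every alternative.
    """
    findings = []
    for group in filter_groups:
        for entry in group:
            if entry.get("type") != "ACTOR_ACCOUNT_ID":
                continue
            p = entry["pattern"]
            unanchored = not (p.startswith("^") and p.endswith("$"))
            loose_alternation = "|" in p and not (p.startswith("^(?:") and p.endswith(")$"))
            if unanchored or loose_alternation:
                findings.append(p)
    return findings


# Constructed webhook configuration with one safe and two unsafe actor filters.
SAMPLE_FILTER_GROUPS = [
    [{"type": "EVENT", "pattern": "PULL_REQUEST_CREATED,PULL_REQUEST_UPDATED"},
     {"type": "ACTOR_ACCOUNT_ID", "pattern": TRUSTED_ID}],            # unanchored
    [{"type": "EVENT", "pattern": "PUSH"},
     {"type": "ACTOR_ACCOUNT_ID", "pattern": anchor(TRUSTED_ID)}],     # safe
    [{"type": "EVENT", "pattern": "PULL_REQUEST_CREATED"},
     {"type": "ACTOR_ACCOUNT_ID", "pattern": "^6755743|8888888$"}],    # loose alternation
]


if __name__ == "__main__":
    print("unanchored admits look-alike:", actor_allowed(TRUSTED_ID, LOOKALIKE_ID))
    print("anchored admits look-alike:  ", actor_allowed(anchor(TRUSTED_ID), LOOKALIKE_ID))
    print("patterns needing a fix:", audit_filter_groups(SAMPLE_FILTER_GROUPS))
```

The audit is a string heuristic rather than a full regex analysis, so treat its output as a list of patterns to review by hand; the safe form it expects is the one `anchor()` produces, which is also the simplest way to apply the "anchor with ^ and $" remediation without the alternation pitfall.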

This incident mirrors recent supply chain attacks like Nx S1ngularity and last July's Amazon Q VS Code breach—underscoring an urgent reality: CI/CD pipelines have become the new frontier for high-impact cyberattacks.
