Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
SharkLoader Malware Uses Fake Cisco AnyConnect, Google Updates
July 3, 2026
Apple iOS 17 Scam Alerts Protect iPhone Users From Phishing
July 3, 2026
Former MEP Investigating Spyware Abuses Hacked With Pegasus
July 3, 2026
Home/CyberSecurity News/New AWS Console Supply Chain Attack Lets Attackers Hijack AWS GitHub Repositories
CyberSecurity News

New AWS Console Supply Chain Attack Lets Attackers Hijack AWS GitHub Repositories

Unauthenticated attackers exploited a critical misconfiguration in AWS CodeBuild, gaining control of key AWS-owned GitHub repositories. This compromise notably included the AWS JavaScript SDK, a...

Marcus Rodriguez
Marcus Rodriguez
January 16, 2026 2 Min Read
29 0

Unauthenticated attackers exploited a critical misconfiguration in AWS CodeBuild, gaining control of key AWS-owned GitHub repositories. This compromise notably included the AWS JavaScript SDK, a widely used component that powers the AWS Console itself.

This supply chain vulnerability threatened platform-wide compromise, potentially injecting malicious code into applications and the Console across countless AWS environments.

AWS Console Supply Chain Attack

Security firm Wiz Research has exposed that CodeBreach originated from unanchored regular expression patterns in CodeBuild webhook filters for the ACTOR_ID parameter, which should restrict builds to trusted GitHub user IDs.

Without ^ and $ anchors, the filter matched any user ID containing an approved substring, allowing bypass via “eclipse” events where new, longer GitHub IDs incorporate older maintainer IDs.

AWS Console Supply Chain Attack
AWS Console Supply Chain Attack

GitHub’s sequential ID assignment, creating about 200,000 daily, made such overlaps frequent for the targeted 6-7 digit IDs in four AWS repos: aws/aws-sdk-js-v3, aws/aws-lc, corretto/amazon-corretto-crypto-provider, and awslabs/open-data-registry.

Attackers exploit this by mass-creating GitHub Apps via the manifest flow to race for eclipse IDs, then submitting pull requests that trigger privileged builds.

In a proof-of-concept against aws/aws-sdk-js-v3 (PR #7280), hidden payload code dumped memory to extract a GitHub Personal Access Token (PAT) from the aws-sdk-js-automation account, despite prior mitigations from the 2025 Amazon Q incident.

AWS Console Supply Chain Attack
CodeBreach Exploit

The PAT granted repo and admin:repo_hook scopes, enabling collaborator invites for admin escalation and direct main branch pushes.

Compromising the JavaScript SDK risked infecting its weekly NPM releases, affecting 66% of scanned cloud environments and the AWS Console, which bundles recent SDK versions with user credentials, Wiz said to CybersecurityNews.

The stolen PAT also controlled related private repos, amplifying supply chain risks akin to Nx S1ngularity or the Amazon Q attack (AWS-2025-015). Wiz halted escalation post-PoC, responsibly disclosing on August 25, 2025.

Affected Repositories Maintainer ID Example Eclipse Frequency
aws/aws-sdk-js-v3 Short 6-7 digits Every ~5 days
aws/aws-lc Short 6-7 digits Every ~5 days
corretto/amazon-corretto-crypto-provider Short 6-7 digits Every ~5 days
awslabs/open-data-registry Short 6-7 digits Every ~5 days

AWS fixed the regex flaw within 48 hours, revoked tokens, hardened memory protections, audited public builds, and confirmed no exploitation via logs.

No customer data was impacted. New features like Pull Request Comment Approval and CodeBuild-hosted runners now block untrusted builds.

Users should anchor webhook regexes, use fine-grained PATs with minimal scopes, enable PR approval gates, and scan for vulnerable setups via Wiz queries.

AWS urged disabling auto-PR builds from untrusted sources. The attack flow diagram highlights the path from malicious PR to Console risk.

This underscores CI/CD as prime targets: complex, privilege-rich, and untrusted-input exposed. Public disclosure followed on January 15, 2026.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackBreachCybersecurityExploitSecurityThreatVulnerability

Share Article

Marcus Rodriguez

Marcus Rodriguez

Marcus is a security researcher and investigative journalist with expertise in vulnerability research, bug bounties, and cloud security. Since 2017, Marcus has been breaking stories on critical vulnerabilities affecting major platforms. His investigative work has led to the disclosure of numerous security flaws and improved defenses across the industry. Marcus is an active participant in bug bounty programs and has been recognized for responsible disclosure practices. He holds multiple security certifications and regularly speaks at industry events.

Previous Post

Promptware Kill Chain – Five-Step Kill Chain Model for Analyzing Cyberthreats

Next Post

Go 1.25.6 and 1.24.12 Patch Critical Vulnerabilities Lead to DoS and Memory Exhaustion Risks

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
North Korean Hackers Conceal JavaScript Loaders in Open Source Repos
July 3, 2026
AI Used in Ticketmaster Attack to Score Free Tickets
July 3, 2026
Anthropic Details Claude 3.5 Sonnet Safeguards and Jailbreak Framework
July 3, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
Emy Elsamnoudy
Emy Elsamnoudy
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us