Overview
- Wiz researchers detailed how unanchored ACTOR_ID regex filters (patterns without the ^ and $ anchors, so a trusted actor ID also matched as a substring of other IDs) let predictable GitHub actor IDs trigger privileged CodeBuild runs, enabling a demonstrable credential grab and admin access to aws-sdk-js-v3.
- AWS identified four affected open-source repositories — aws-sdk-js-v3, aws-lc, amazon-corretto-crypto-provider, and awslabs/open-data-registry — and said no inappropriate code was introduced.
- Within 48 hours of the August 25, 2025 disclosure, AWS anchored the filters, rotated credentials, and added protections for build processes holding GitHub tokens, later introducing a Pull Request Comment Approval gate.
- AWS audited other repositories and related logs and reported finding no evidence that anyone besides the researchers used the misconfiguration, emphasizing it was not a CodeBuild service flaw.
- Wiz highlighted the potential supply-chain impact because the JavaScript SDK is widely used, including by the AWS Console, and urged CI/CD defenses such as anchoring webhook filters and restricting build-trigger permissions.
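The following is an added example, not code from Wiz, AWS, or the affected projects, showing the substring-match failure the summary describes and a small audit that flags unanchored actor filters in CodeBuild-style webhook filter groups. It assumes the filter pattern is applied as a regular expression with search semantics (which is what lets an unanchored pattern match inside a longer ID), uses the CodeBuild API's name for this filter type (ACTOR_ACCOUNT_ID; the write-up above calls it ACTOR_ID), and all numeric IDs and filter groups are constructed sample values.

```python
import re

# Constructed sample filterGroups in the shape CodeBuild uses: a list of groups,
# and every filter inside a group must match for the group to trigger a build.
# The numeric IDs are made up.
SAMPLE_FILTER_GROUPS = [
    [
        {"type": "EVENT", "pattern": "PULL_REQUEST_CREATED,PULL_REQUEST_UPDATED"},
        {"type": "ACTOR_ACCOUNT_ID", "pattern": "1234"},   # unanchored: weak
    ],
    [
        {"type": "EVENT", "pattern": "PULL_REQUEST_CREATED"},
        {"type": "ACTOR_ACCOUNT_ID", "pattern": "^1234$"},  # anchored: exact ID only
    ],
]


def pattern_matches(pattern: str, actor_id: str) -> bool:
    """Model of the filter check (assumption): the pattern is a regex evaluated
    with search semantics, so "1234" matches "51234" and "123456" as well."""
    return re.search(pattern, actor_id) is not None


def top_level_alternatives(pattern: str) -> list[str]:
    """Split a regex on '|' characters that sit outside any parentheses,
    honouring backslash escapes, so "^(a|b)$" stays one alternative while
    "^a$|^b$" becomes two."""
    alts, depth, cur, i = [], 0, "", 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):   # keep escaped char with its backslash
            cur += pattern[i:i + 2]
            i += 2
            continue
        if c == "(":
            depth += 1
        elif c == ")":
            depth -= 1
        if c == "|" and depth == 0:
            alts.append(cur)
            cur = ""
        else:
            cur += c
        i += 1
    alts.append(cur)
    return alts


def is_fully_anchored(pattern: str) -> bool:
    """True only when every top-level alternative starts with ^ and ends with an
    unescaped $, i.e. the pattern can only match a whole actor ID."""
    return all(
        alt.startswith("^") and alt.endswith("$") and not alt.endswith("\\$")
        for alt in top_level_alternatives(pattern)
    )


def anchor(pattern: str) -> str:
    """Return the pattern pinned to whole-string matches: "1234" -> "^1234$",
    "1234|5678" -> "^(1234|5678)$". Existing partial anchors are normalised."""
    alts = []
    for alt in top_level_alternatives(pattern):
        alt = alt[1:] if alt.startswith("^") else alt
        if alt.endswith("$") and not alt.endswith("\\$"):
            alt = alt[:-1]
        alts.append(alt)
    return f"^{alts[0]}$" if len(alts) == 1 else "^(" + "|".join(alts) + ")$"


def audit_filter_groups(filter_groups) -> list[str]:
    """One finding per ACTOR_ACCOUNT_ID filter whose pattern is not anchored,
    with the anchored replacement a reviewer would ask for."""
    findings = []
    for gi, group in enumerate(filter_groups):
        for f in group:
            if f["type"] == "ACTOR_ACCOUNT_ID" and not is_fully_anchored(f["pattern"]):
                findings.append(
                    f"group {gi}: ACTOR_ACCOUNT_ID pattern {f['pattern']!r} is not "
                    f"anchored; replace with {anchor(f['pattern'])!r}"
                )
    return findings


if __name__ == "__main__":
    # Unanchored "1234" also matches constructed IDs 51234 and 123456; "^1234$" does not.
    for candidate in ("1234", "51234", "123456"):
        print(candidate, pattern_matches("1234", candidate), pattern_matches("^1234$", candidate))
    for line in audit_filter_groups(SAMPLE_FILTER_GROUPS):
        print(line)
```

Run the audit against the filterGroups returned for each project's webhook (for example from the CodeBuild BatchGetProjects output) and treat every finding as a build trigger that any actor whose ID contains the trusted ID could fire.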