Particle.news

Wiz Details CodeBuild 'CodeBreach' That Exposed AWS Open-Source Repositories

AWS reports a rapid fix within 48 hours with no evidence of customer impact or malicious use.

Overview

  • Wiz Research found a CodeBuild misconfiguration in which an unanchored ACTOR_ID regex (missing two characters) let untrusted pull requests trigger privileged builds.
  • The team demonstrated admin-level takeover of the aws/aws-sdk-js-v3 repository by extracting GitHub credentials from build memory and escalating access.
  • Researchers leveraged GitHub’s sequential numeric user IDs to bypass the filter and said the same weakness existed in at least three other AWS-linked repositories, including aws-lc, amazon-corretto-crypto-provider, and awslabs/open-data-registry.
  • Wiz highlighted the outsized risk because the AWS SDK for JavaScript is widely used, estimating presence in roughly 66% of cloud environments and noting its role in the AWS Console.
  • AWS anchored the filters, revoked exposed credentials, added protections against memory-based credential theft, introduced a Pull Request Comment Approval gate, and reported no signs of exploitation or customer impact.
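Added example, not code from the Wiz write-up or from AWS: a small Python emulation of a webhook actor filter showing why an unanchored ACTOR_ID pattern accepts any ID that merely contains a trusted numeric ID, and how anchoring the pattern fixes it. The trusted IDs are constructed values and the `re.search` emulation of the filter is an assumption.

```python
import re

# Constructed trusted GitHub user IDs (placeholders, not real accounts).
TRUSTED_ACTOR_IDS = ["1001", "2002"]

# Unanchored pattern of the kind described in the write-up: it matches any
# ACTOR_ID that merely *contains* a trusted ID as a substring.
UNANCHORED_PATTERN = "|".join(TRUSTED_ACTOR_IDS)

# Anchored fix: the whole ACTOR_ID must equal one of the trusted IDs.
ANCHORED_PATTERN = "^(" + "|".join(TRUSTED_ACTOR_IDS) + ")$"


def filter_allows(pattern: str, actor_id: str) -> bool:
    """Emulate a webhook filter (assumption): a build is triggered when the
    pattern matches the incoming ACTOR_ID anywhere in the string."""
    return re.search(pattern, actor_id) is not None


def audit_actor_id_filter(pattern: str, trusted_ids) -> list:
    """Return constructed untrusted IDs that the pattern would wrongly accept.

    GitHub user IDs are sequential integers, so a later account's ID can
    contain a trusted ID as a prefix or suffix; a sound filter accepts none.
    """
    candidates = [tid + "7" for tid in trusted_ids] + ["9" + tid for tid in trusted_ids]
    return [c for c in candidates if c not in trusted_ids and filter_allows(pattern, c)]


if __name__ == "__main__":
    print("unanchored wrongly accepts:", audit_actor_id_filter(UNANCHORED_PATTERN, TRUSTED_ACTOR_IDS))
    print("anchored wrongly accepts:  ", audit_actor_id_filter(ANCHORED_PATTERN, TRUSTED_ACTOR_IDS))
```

Running the audit against a repository's actual filter pattern is a quick way to confirm that only exact actor IDs can trigger a privileged build.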