BeyondMachines

Originally published at beyondmachines.net

Critical Flaw Reported in AWS CodeBuild

Summary

Wiz researchers identified a regex bug in AWS CodeBuild that allowed unauthorized takeover of core GitHub repositories, including the AWS JavaScript SDK. The flaw enabled attackers to bypass identity filters via unanchored regex patterns, risking a massive supply chain attack on the AWS Console.

Take Action:

If you use AWS CodeBuild, audit all your CI/CD pipelines to ensure regex filters have proper anchors (^ and $) and switch to fine-grained tokens with minimal permissions. Review who has access to trigger builds and enable pull request approval gates to prevent untrusted code from running in your build environments.
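The point about anchors is easy to check mechanically. The following is an added example (not code from the BeyondMachines article, Wiz, or AWS) that shows why an unanchored pattern over-matches and audits CodeBuild-style webhook filter groups for the problem. It assumes that an ACTOR_ACCOUNT_ID filter pattern is evaluated as an unanchored regex search, which is the behaviour the summary describes; the account IDs and filter groups are constructed for the example.

```python
import re

# Constructed sample data: the filter type names mirror CodeBuild's webhook
# filter types, but the IDs and patterns below are made up for this example.
TRUSTED_ACTOR_ID = "12345"
UNTRUSTED_ACTOR_ID = "9123456"   # contains "12345" as a substring

WEAK_FILTER_GROUPS = [
    [
        {"type": "EVENT", "pattern": "PULL_REQUEST_CREATED,PULL_REQUEST_UPDATED"},
        {"type": "ACTOR_ACCOUNT_ID", "pattern": "12345"},    # unanchored
    ]
]

HARDENED_FILTER_GROUPS = [
    [
        {"type": "EVENT", "pattern": "PULL_REQUEST_CREATED,PULL_REQUEST_UPDATED"},
        {"type": "ACTOR_ACCOUNT_ID", "pattern": "^12345$"},  # anchored at both ends
    ]
]


def pattern_allows(pattern: str, actor_id: str) -> bool:
    """Assumption: the filter passes if the pattern matches anywhere in the
    actor ID (unanchored search semantics)."""
    return re.search(pattern, actor_id) is not None


def has_top_level_alternation(pattern: str) -> bool:
    """True if the pattern contains a '|' outside any parenthesised group.
    '^a$|^b' is only half-anchored; '^(a|b)$' is fine. Escapes are skipped.
    Heuristic: a '|' inside a character class such as [|] is not special-cased."""
    depth = 0
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\":
            i += 2            # skip the escaped character
            continue
        if c == "(":
            depth += 1
        elif c == ")":
            depth -= 1
        elif c == "|" and depth == 0:
            return True
        i += 1
    return False


def is_anchored(pattern: str) -> bool:
    """True only if the whole pattern is pinned to both ends of the input."""
    if has_top_level_alternation(pattern):
        return False
    starts = pattern.startswith("^") or pattern.startswith(r"\A")
    ends = (pattern.endswith("$") and not pattern.endswith(r"\$")) or pattern.endswith(r"\Z")
    return starts and ends


def audit_filter_groups(filter_groups):
    """Return one finding per ACTOR_ACCOUNT_ID filter whose pattern is not
    anchored, so an identity-based gate can be satisfied by a partial match."""
    findings = []
    for group_index, group in enumerate(filter_groups):
        for flt in group:
            if flt["type"] == "ACTOR_ACCOUNT_ID" and not is_anchored(flt["pattern"]):
                findings.append({"group": group_index, "pattern": flt["pattern"]})
    return findings


if __name__ == "__main__":
    # Unanchored: the untrusted ID passes because the trusted ID is a substring.
    print("weak filter admits untrusted actor:",
          pattern_allows("12345", UNTRUSTED_ACTOR_ID))        # True
    # Anchored: only an exact match passes.
    print("hardened filter admits untrusted actor:",
          pattern_allows("^12345$", UNTRUSTED_ACTOR_ID))      # False
    print("audit of weak groups:", audit_filter_groups(WEAK_FILTER_GROUPS))
    print("audit of hardened groups:", audit_filter_groups(HARDENED_FILTER_GROUPS))
```

Run the audit over every webhook's filter groups as part of a CI/CD review; any finding should be fixed by rewriting the pattern as `^<id>$`, or `^(<id1>|<id2>)$` when several actors are allowed, since `^a$|^b` leaves one branch open-ended.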

