AWS CodeBuild Misconfiguration Exposed GitHub Repos: CodeBreach Explained

January 15, 2026, After Official AWS Advisory: What happened when an AWS CodeBuild webhook setup was wrong, and why is this important for developers and businesses that use AWS and GitHub in their CI/CD pipelines? In simple terms, a subtle misconfiguration in AWS CodeBuild webhook filters could have given attackers a way to bypass intended protections and trigger privileged builds on trusted repositories.

This flaw, called CodeBreach, showed how dangerous continuous integration systems can be for the supply chain and how even small configuration mistakes can lead to big security problems. AWS's public records and those of independent security researchers back up this flaw and the steps AWS took to fix it.

This article explains what the AWS CodeBuild misconfiguration exposed GitHub repos incident was about, why it mattered, and how developers and security teams can learn from it to reduce AWS CodeBuild supply chain security risks in their own environments.

What Happened

In late 2025, Wiz's cloud security researchers found a serious flaw in some AWS CodeBuild webhook settings that were linked to GitHub repositories. AWS keeps these repositories up to date. They include important open-source projects like the AWS JavaScript SDK and crypto libraries that are hosted on GitHub. Because the actor ID filter in the webhook settings was set up incorrectly, attackers could have started building processes that were only meant for trusted contributors.

To get this, we need to look at how webhook filters are supposed to work. GitHub uses webhooks to let outside services like AWS CodeBuild know when something happens in the repository, like a new pull request or a code push. These webhooks have parameters like ACTOR_ID, which should limit build triggers to certain GitHub user accounts, usually those of trusted bots or maintainers.
But the filter's regular expression (regex) didn't have any exact match anchors in this case. This meant that the filter let any user ID that had the trusted ID as a substring pass, instead of only letting one trusted user ID pass. This allowed for the creation of a new, longer GitHub user ID that got around the intended limits.

This situation shows a bigger problem in software development today: security risks in continuous integration can come not only from bugs in the tools themselves but also from the way maintainers set up trust and automation in development workflows.

What Was the Misconfiguration, Exactly?

Let's look at this more technically while still keeping the big picture in mind:

What Webhook Filters Do

Webhook filters in AWS CodeBuild use patterns like regular expressions to figure out if a commit, pull request, or other event should start a build. For instance, a company might only want trusted contributors to start builds that use sensitive credentials or go live. This is an important part of AWS CodeBuild supply chain security because privileged builds can leak tokens or secrets.
The Regex Issue

This is the regex pattern that the webhook filters in a few AWS-managed GitHub repositories:
755743, 123456, or 987654

It didn't just match those exact IDs; it also matched any ID that had one of those numbers in it. For instance, an attacker could make a GitHub app that made bot accounts with IDs like 226755743. That longer number "matched" because it had the trusted ID pattern in it, which let it through the filter rules. Security researchers could tell when new GitHub user IDs would "eclipse" trusted IDs, which meant they could be used to start builds.

This shows a classic case wherethe improper configuration of filters that are intended to be strict ended up being far too permissive. This permissiveness could let an attacker run builds and get to privileged tokens or credentials that are stored in memory while the build is running.
What Attackers Could Have Done

An attacker could have done the following in the worst case:
• Started builds with accounts that weren't authorized and passed the broken regex filter.
• Got into a build environment that had special GitHub Personal Access Tokens (PATs).
• Used those tokens to send bad code to the repositories that were affected.
• Approved pull requests or stole secrets from the repository.
• Put bad code into SDKs or libraries that are used by a lot of people and that other systems depend on.

Such a compromise in a trusted repository could create a supply chain attack path that affects countless systems. A breach of this kind could have had a very wide-ranging effect because almost every AWS environment around the world relies on core AWS libraries like the JavaScript SDK.

Why This Was More Than Just a Bug

It might be tempting to dismiss this as just a small regex mistake. But the implications tell a bigger story that all software teams should pay attention to.

Complicated Supply Chain
Once attackers get privileged code access to a widely used library, they can spread bad code without directly sending it. This is the essence of a supply chain attack, where a compromised component propagates risk to every system that depends on it. When not set up correctly, GitHub repository webhook misconfigurations, like the one shown here, are a weak point in CI/CD supply chain defenses.

Levels of Privilege in the Pipeline
During builds, modern CI/CD systems often have privileged tokens and credentials that can be used. If someone who shouldn't be able to trigger a build does so and the build environment leaks a token through memory or logs, that token could be used to take over the repository or move laterally. One AWS security bulletin talked about a different risk: untrusted pull request builds could leak repository tokens through memory dumps.
The main point is that you need to carefully separate and check privileged pipelines. If filters or permissions are set up incorrectly, access that was meant to be tightly controlled can be opened up.

AWS Response and Fix

After Wiz responsibly told AWS about the flaw in August 2025, AWS acted right away. The main problem with the regex filters was fixed within 48 hours by anchoring the patterns so that they only match exact matches. AWS also changed the credentials that were being used in the affected build configurations and added more ways to protect build processes that have keys or tokens in memory.

AWS also checked all of the other public build configurations to find any similar problems and checked the CloudTrail logs to make sure there was no evidence of exploitation. AWS's public advisory confirmed that none of the affected repositories were hacked in the wild.

This is good to know, but it's important for teams to remember that these kinds of problems can happen at any size of provider, not just big ones like AWS. There have been reports of similar misconfigurations in other CI systems and GitHub Actions workflows where pull request triggers were not set up correctly.

More general lessons for CI/CD teams

This event teaches software developers today useful lessons:

Check the CI/CD configuration often
One example of a CI/CD pipeline security flaw is a webhook filter that is set up incorrectly. Regular audits, both automated and manual, can help find mistakes like regexes that aren't anchored, event triggers that are too broad, or extra permissions that aren't needed. It's easy but effective to make sure that only exact match filters are being used and that PATs have the least amount of permissions they need.

Follow the Least Privilege Principles
Don't give build jobs more permissions than they need. This means setting limits on token scopes and changing tokens often. In the AWS world, using separate GitHub accounts that aren't linked to any other accounts for build integration and making unique PATs for each project lowers the risk.

Separate Contributions You Don't Trust
Pull requests that aren't trusted shouldn't directly start privileged pipelines. Instead, think about using the pull request comment approval build gate in AWS CodeBuild. This only startsbuildings after a maintainer approves the trigger. This adds a layer of manual validation and prevents untrusted code from running in high-privilege contexts.
Stay Updated With Security Best Practices.

Cloud services and CI/CD tools often add new settings that help keep pipelinessecure. Keeping up with service updates can help you avoid missing weaknesses, whether they are organization-level webhook support, better filter mechanisms, or audit tools.

Context of Supply Chain Risk

The AWS CodeBuild misconfiguration that exposed GitHub repos is part of a larger trend in the industry. Attacks like the GhostAction incident on GitHub in 2025 showed how easy it is for secrets and tokens to get around when workflows aren't safe.

There is a pattern to these supply chain attacks. Attackers look for the weakest part of a development tool or process and use trust between systems to their advantage. A lot of the time, the problems that cause GitHub Actions to leak secrets, webhook filters to be set up incorrectly, or credentials to be shown in build logs are not software bugs but configuration mistakes.

Questions That Are Often Asked

What is the CodeBreach vulnerability in AWS CodeBuild?
Researchers have named a serious misconfiguration in AWS CodeBuild webhook filters "CodeBreach." This flawallowedt GitHub user IDs controlled by attackers get around intended restrictions, which could have led to unauthorized builds and supply chain risk for repositories.

How can a mistake in CI/CD lead to attacks on the supply chain?
CodeBuild and other CI/CD tools often keep privileged tokens and access controls for writing to repositories or deploying software. If configuration mistakes let untrusted users start building jobs, those jobs could expose credentials or add harmful code to trusted software artifacts, which would be a supply chain compromise.

How do you protect GitHub triggers for AWS CodeBuild?
Using exact match webhook filters, rotating and limiting PAT permissions, isolating build triggers, and using approval gates for pull requests are all good ways to do things. Regular audits of configurations are important to find mistakes early.

Could wrong settings in CodeBuild make secrets public?
Yes. Triggers that are set up wrong and run build jobs with access to credentials can leak those secrets through logs, memory dumps, or by letting attackers into the build environment. Limiting access and keeping environments separate can help stop this.

Last thing to remember

The AWS CodeBuild misconfiguration that exposed GitHub repos is a great example of how small mistakes in CI/CD setups can lead to big supply chain problems. AWS and the researchers who worked on the problem did so in a responsible way, but the lessons apply to everyone. Not only should developers and security teams see CI/CD pipelines as tools for automation, but they should also see them as important infrastructure that needs good security practices, audits, and hygiene.

This event serves as a reminder that automation tools like AWS CodeBuild can speed up development, but if they aren't set up correctly and monitored closely, they can also let attackers in. Keeping code, infrastructure, and users safe will be easier if you learn from other people's mistakes and put security first.