AWS CodeBuild ACTOR_ID regex bypass security flaw
Vulnerability
Summary
AWS CodeBuild's ACTOR_ID regex filters were misconfigured, allowing a build-trigger bypass that could expose privileged GitHub tokens and enable repository takeover. The flaw affected AWS-managed repositories including aws-sdk-js-v3, aws-lc, amazon-corretto-crypto-provider, and awslabs/open-data-registry. Attackers who obtained a predictable actor ID could push malicious code, approve pull requests, and create supply-chain attack risk across AWS environments. AWS said it fixed the issue in September 2025 after responsible disclosure on August 25, 2025, and reported no evidence of exploitation in the wild.
Related Happenings
CISA contractor GitHub repository exposed internal credentials
Data Leak
First: 18.05.2026 23:48
Last: 18.05.2026 23:48
Sources 1
About this happening:
A **CISA contractor** left a public **GitHub repository** exposing **AWS GovCloud credentials** and internal access material, creating a serious **data leak** involving sensitive...
Latest development: 22.05.2026 19:34
On May 19, Sen. Maggie Hassan and Rep. Bennie Thompson, with Rep. Delia Ramirez co-signing Thompson’s letter, sent separate letters to CISA demanding answers about the Private-CISA GitHub leak and warning that the credential exposure raised serious concerns about CISA’s internal policies, contract support, and security culture.
GitHub git push RCE (CVE-2026-3854)
Vulnerability
First: 29.04.2026 15:41
Last: 29.04.2026 15:41
Sources 1
About this happening:
GitHub patched **CVE-2026-3854**, a critical **remote code execution** flaw affecting **GitHub.com** and **GitHub Enterprise Server** that could expose **millions of private repos...
Aqua Security hit by data theft breach
Incident
First: 20.03.2026 19:47
Last: 20.03.2026 19:47
Sources 1
About this happening:
The **Aqua Security Trivy** incident involved a **supply-chain compromise** that delivered a **credential-stealing infostealer** through trusted releases and **GitHub Actions**. A...
Latest development: 23.03.2026 10:31
TeamPCP broadened the Trivy supply-chain compromise by pushing trojanized Docker Hub images for Trivy 0.69.4, 0.69.5, and 0.69.6 on March 22, 2026, then defacing all 44 internal repositories in Aqua Security's aquasec-com GitHub organization by renaming them with the tpcp-docs- prefix, setting descriptions to "TeamPCP Owns Aqua Security," and exposing them publicly.
Victim organization's AWS environment hit by data theft breach
Incident
First: 11.03.2026 09:31
Last: 11.03.2026 09:31
Sources 1
About this happening:
**UNC6426** breached a victim organization's **AWS environment** and escalated to **administrator access** in **less than 72 hours**, creating immediate risk of **data theft** and...
Amazon Web Services Middle East drone-strike outage
Service Disruption
First: 03.03.2026 13:44
Last: 03.03.2026 13:44
Sources 1
About this happening:
**Amazon Web Services** confirmed a **drone-strike** disruption that damaged infrastructure in its **Middle East regions** and caused an outage affecting **dozens of cloud service...
Timeline
- 15.01.2026 21:31 · 1 article · 4mo ago
  Responsible disclosure of CodeBreach in AWS CodeBuild
  Initial Disclosure: Cloud security researchers disclosed that AWS CodeBuild webhook actor-ID regex filters for AWS-managed GitHub repositories were missing the ^ and $ anchors, allowing a superstring GitHub user ID to bypass trust checks and trigger privileged builds that could expose GitHub admin tokens and enable repository takeover.
  Sources:
- AWS CodeBuild Misconfiguration Exposed GitHub Repos to Potential Supply Chain Attacks — thehackernews.com — 15.01.2026 21:31
- 15.01.2026 21:31 · 2 articles · 4mo ago
  AWS remediates CodeBreach and adds build-process mitigations
  Mitigation Patch Update: AWS said it fixed the CodeBreach misconfiguration, rotated credentials, and added build-process mitigations for GitHub tokens in memory while stating it found no evidence of in-the-wild exploitation; AWS also recommended anchored regex patterns, the Pull Request Comment Approval build gate, CodeBuild-hosted runners, and least-privilege PATs.
  Sources:
- AWS CodeBuild Misconfiguration Exposed GitHub Repos to Potential Supply Chain Attacks — thehackernews.com — 15.01.2026 21:31
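
The missing-anchor flaw and the anchored-pattern recommendation in the timeline above can be checked against your own webhook filters. The audit below is an added example, not code from AWS or the cited article. The account IDs and filter groups are constructed, the dictionaries follow the `type`/`pattern` shape of CodeBuild webhook filter groups, and substring (search) matching is assumed, as the described bypass implies.

```python
import re

# Constructed sample: two webhook filter groups with made-up actor IDs.
FILTER_GROUPS = [
    [{"type": "EVENT", "pattern": "PULL_REQUEST_CREATED"},
     {"type": "ACTOR_ACCOUNT_ID", "pattern": "755743|234567"}],      # no anchors
    [{"type": "EVENT", "pattern": "PUSH"},
     {"type": "ACTOR_ACCOUNT_ID", "pattern": "^(755743|234567)$"}],  # anchored
]

def trusted_ids(pattern):
    """Digit runs in the pattern, taken as the IDs the filter means to trust.
    Assumes the pattern is a plain alternation of literal numeric IDs."""
    return re.findall(r"\d+", pattern)

def superstring_bypasses(pattern):
    """Return the trusted IDs for which a longer, different ID still matches."""
    rx = re.compile(pattern)
    ids = trusted_ids(pattern)
    hits = []
    for actor in ids:
        # Probe IDs that merely contain the trusted one as a substring.
        probes = ("9" + actor, actor + "9", "9" + actor + "9")
        if any(rx.search(p) for p in probes if p not in ids):
            hits.append(actor)
    return hits

def audit(filter_groups):
    """List (group index, pattern, exposed IDs) for weak actor-ID filters."""
    findings = []
    for index, group in enumerate(filter_groups):
        for flt in group:
            if flt["type"] != "ACTOR_ACCOUNT_ID":
                continue
            exposed = superstring_bypasses(flt["pattern"])
            if exposed:
                findings.append((index, flt["pattern"], exposed))
    return findings

def anchored(ids):
    """Build a pattern matching exactly one of the given IDs and nothing else.
    The group is required: in ^a|b$ each anchor binds to one alternative only."""
    return "^(" + "|".join(re.escape(i) for i in ids) + ")$"

if __name__ == "__main__":
    for index, pattern, exposed in audit(FILTER_GROUPS):
        print(f"group {index}: {pattern!r} accepts superstrings of {exposed}")
        print("  suggested:", anchored(trusted_ids(pattern)))
```

The behavioural probe also catches the partially anchored form `^755743|234567$`, which looks safe on inspection but still accepts longer IDs.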