![A subtle flaw, a massive blast radius. [Research Saturday] - CyberWire Daily cover](/_next/image?url=https%3A%2F%2Fmegaphone.imgix.net%2Fpodcasts%2F2636855c-247d-11f1-ba3d-db1cae688799%2Fimage%2F95b72a93c2ffaf8ff900d662a9bd3735.png%3Fixlib%3Drails-4.3.1%26max-w%3D3000%26max-h%3D3000%26fit%3Dcrop%26auto%3Dformat%2Ccompress&w=1920&q=75)
CyberWire Daily: Research Saturday
Episode Title: A subtle flaw, a massive blast radius.
Air Date: March 21, 2026
Host: Dave Bittner (N2K Networks)
Guest: Yuval Avrahami, Vulnerability Researcher at Wiz
Topic: Exploiting Subtle AWS CodeBuild Misconfigurations to Hijack Major GitHub Repositories
Episode Overview
This Research Saturday episode dives into a remarkable supply chain vulnerability uncovered in AWS CodeBuild’s integration with GitHub. Dave Bittner talks with Yuval Avrahami of Wiz, whose team identified and analyzed a subtle but catastrophic misconfiguration pattern that could allow attackers to hijack highly privileged AWS GitHub repositories. The discussion unpacks the technical mechanics, real-world impact, AWS’s rapid response, and crucial security lessons for teams using cloud CI/CD platforms.
Key Discussion Points and Insights
Introduction: The Discovery (01:10)
- Real-World Attack Led to Research:
Yuval Avrahami recounts how the Wiz team was drawn to investigate AWS’s CodeBuild after witnessing an attacker successfully compromise an AWS GitHub repository using a similar issue.“What actually brought it to our attention was an actual threat actor that managed to take over an AWS GitHub repository using another Codebuild issue. We saw this and we thought it's, you know, pretty insane that it's possible to do something like that.” (01:10 – Yuval Avrahami)
How AWS CodeBuild and GitHub Integration Work (02:04)
-
Purpose of CodeBuild:
- CodeBuild is AWS's managed CI/CD service for automating tests and builds when code changes are made.
- To communicate build statuses (like test results) to GitHub, CodeBuild requires GitHub credentials.
-
Why CodeBuild Is a Juicy Target:
- Those GitHub credentials are often very powerful.
- If an attacker can execute code inside a CodeBuild process, they would gain significant access—potentially to all code and secrets in the repository.
“If you are able to compromise a build that's running on CodeBuild, you could end up hijacking the entire repository. So that's why it's an interesting target for us and for attackers.” (02:04 – Yuval Avrahami)
The Subtle Flaw: Webhook Filter Regex Disaster (03:07)
-
The Intended Protection:
- CodeBuild supports webhook filters to restrict which GitHub users can trigger builds—typically via a list of user IDs.
- This filter is supposed to prevent unauthorized PRs from kicking off builds having sensitive privileges.
-
The Flawed Implementation:
- Wiz’s researchers found several AWS CodeBuild integrations where the user ID whitelist wasn’t a simple list—each ID was separated by the pipe character (
|), forming a regex pattern. - As a result, any user whose GitHub ID contained an approved maintainer's ID as a substring would be authorized.
- Wiz’s researchers found several AWS CodeBuild integrations where the user ID whitelist wasn’t a simple list—each ID was separated by the pipe character (
-
Dangerous Consequence:
Attackers could craft a GitHub username strategically, making them look like a whitelisted user and trick CodeBuild into running privileged builds on their untrusted code.
“The separator between the numbers…was a pipe character, which is quite odd for a normal list. And that was actually the clue that this is actually not a normal list…because of how regex work, it will authorize any user ID that contains an approved user id.” (03:48 – Yuval Avrahami)
Impact: Why This Problem Is So Severe (05:47)
- Not a typical “misconfiguration” visible at a glance—both AWS and the reviewers thought the controls were secure.
- The blast radius was enormous: some of the most critical AWS open-source repositories were exposed.
- The flaw would allow attackers to push malicious code, steal secrets, or become repo admins automatically.
“The impact here is really crazy…because of this subtle misconfiguration, you are able to actually take over key AWS GitHub repositories. And we're talking like some of the most crucial GitHub repositories that are used all across AWS environments.” (06:03 – Yuval Avrahami)
Tactics: How an Attacker Would Exploit This (07:44)
Step-by-step attacker scenario:
-
GitHub Account Creation:
- An attacker waits for an opportunity to register a username that contains a whitelisted maintainer’s ID as a substring (an “eclipse” moment).
- These IDs are only available to register about once every five days, requiring careful timing and rapid user registrations.
-
Abusing the Flaw:
- The attacker opens a pull request to the target repository.
- CodeBuild, due to the regex error, treats the attacker's PR as coming from an authorized user and triggers a privileged build.
-
Getting Credentials & Taking Over:
- The attacker obtains the build's GitHub credentials, essentially gaining admin rights.
- With these, they can:
- Push code,
- Exfiltrate secrets,
- Open or merge PRs,
- Release their own code,
- Completely hijack the repo.
“You just open a pull request to the GitHub repository you want to compromise…Now you have code execution in a build which has GitHub credentials…you can just do whatever you want…push malicious code. The main thing is just doing this without being noticed.” (09:23 – Yuval Avrahami)
Who Is Most At Risk? (10:26)
-
High-Risk:
- Organizations using CI/CD pipelines on public repositories (open source).
- Especially those with CI configurations visible to attackers.
-
Lower Risk:
- Private repositories (risk limited to insider threats).
“If you’re an organization that runs CI/CD builds on public repositories, you should really take notes regarding issues like this. Because what makes them crazy is that the attacker has no prior access to your organization at all…he just submits one pull request…suddenly he’s an admin…” (11:14 – Yuval Avrahami)
AWS’s Response and the Long-Term Fix (11:47)
-
AWS's Quick Action:
- AWS responded within 48 hours—removed affected filters and pushed a new security feature.
- The new default: CodeBuild now automatically checks if a pull request author has explicit permissions before running a build (no more regex manual lists).
-
Caveat for Existing Customers:
- The fix is default only for newly created CodeBuild projects.
- Customers with existing projects must manually enable the new setting—“Pull Request Comment Approval”—to benefit from the enhanced security.
“AWS now automatically has a feature that checks what is the actual permissions of the person who opened the pull request over the GitHub repositories…But…the thing is that this is the default for new CodeBuild projects…if you have a CodeBuild projects from before this issue, you need to change your settings…” (12:17 – Yuval Avrahami)
Security Lessons & Industry Takeaways (13:43)
- Managed cloud services are not “set and forget”—users must understand their configuration details.
- The “shared responsibility model” means organizations need to double-check privilege management in all integrations, especially CI/CD pipelines.
- Public-facing CI/CD is an especially dangerous attack surface and needs prioritized protection.
- Always minimize privileges and close off unnecessary exposure.
“You don’t know that if you like implement this yourself, you’re going to do necessarily a much better job…in these areas when you have like a lot of recent attacks…you really need to double check your configuration…public repositories…are open to the world and this is what makes them good targets for attackers.” (13:50 – Yuval Avrahami)
Notable Quotes & Memorable Moments
- On the oddity of the filter configuration:
“The separator between the numbers…was a pipe character…this is actually not a normal list. This is a regex expression…” (03:48 – Yuval Avrahami) - Describing attacker’s dedication:
“An ID like that is available for registration something like once every five days…you need to flood GitHub with a lot of user creation requests…” (08:08 – Yuval Avrahami) - On the blast radius:
“Such a supply chain nightmare. It’s a really, really interesting risk.” (11:32 – Yuval Avrahami) - About AWS’s response:
“Within I think 48 hours, they already mitigated all of the problematic filters and they actually released a new feature…” (11:53 – Yuval Avrahami) - Security advice:
“See ICD is such a problematic vector right now…The main point is you want to close the biggest attack surface right now, which is public repositories.” (14:00 – Yuval Avrahami)
Key Timestamps
- 01:10 – How a real attack inspired the investigation
- 02:04 – What CodeBuild is, and why it needs GitHub credentials
- 03:07 – How the regex misconfiguration opened the door to attacks
- 07:44 – Step-by-step attacker scenario
- 10:26 – Who is most at risk (public vs. private repos)
- 11:47 – AWS’s response and mitigation
- 13:43 – Security lessons for managed cloud services
Action Items for Security Teams
- Review CI/CD integrations: Double-check all user whitelists and privilege models, especially for public repos.
- Update CodeBuild projects: Ensure the new “Pull Request Comment Approval” feature is enabled for ALL projects, not just new ones.
- Audit for public config exposure: Make sure your build configs (and secrets) aren’t leaked through public repos.
- Harden supply chain links: Treat CI/CD as a key part of your security model, on par with code and infrastructure.
Reference
- Research: “Code Infiltrating the AWS Console Supply Chain and hijacking AWS GitHub repositories via CodeBuild” (linked in episode show notes)
This episode delivers a sobering but actionable look at modern CI/CD supply chain risk—reminding even mature teams that configuration subtleties can have global impacts if overlooked.