AWS CodeBuild Misconfiguration Exposed GitHub Repos to Potential Supply Chain Attacks
19.01.2026

A misconfigured AWS CodeBuild webhook allowed bypass of actor ID checks, risking takeover of four AWS GitHub repositories before fixes in Sep 2025.
AWS CodeBuild Webhook Bug Could've Let Hackers Hijack GitHub Repos
Yikes — AWS just patched a critical misconfiguration in CodeBuild that could've let attackers bypass GitHub actor ID checks and potentially take over four AWS GitHub repos. This wasn't some theoretical vuln — it was live and could've triggered full-blown supply chain attacks.
The flaw? A misconfigured webhook in AWS CodeBuild that didn't properly validate GitHub actor IDs. Translation: attackers could've spoofed legit GitHub users and pushed malicious code directly into AWS's own repos. Think about that — AWS's own CI/CD pipeline had a backdoor.
Security researchers at Wiz discovered this mess and reported it to AWS in September 2025. AWS fixed it fast, but here's the scary part: this wasn't just about stealing code. Successful exploitation could've let attackers inject malware into AWS's open-source projects, creating downstream supply chain attacks affecting thousands of orgs.
- Four AWS GitHub repositories were vulnerable
- Attackers could bypass GitHub actor ID verification
- Potential for supply chain attacks through malicious code injection
- AWS fixed the issue in September 2025 after Wiz disclosure
This is exactly why cloud security pros need to audit their CI/CD pipelines. AWS CodeBuild is supposed to be secure-by-default, but this shows even the big players can mess up webhook configurations. The fix? AWS tightened up those actor ID checks — but the window of vulnerability was real.
Bottom line: If you're using AWS CodeBuild with GitHub webhooks, double-check your configurations. This bug shows how a simple misconfiguration can create a direct path from your CI/CD pipeline to your source code repos. Supply chain attacks aren't just theoretical — they start with vulns like this.
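One way to run that double-check, as an added example (not code from AWS, Wiz or this article): CodeBuild's `ACTOR_ACCOUNT_ID` webhook filter takes a regular expression, so this script flags pull-request filter groups that have no actor filter or whose actor pattern is not fully anchored. It assumes the `filterGroups` structure returned by `aws codebuild batch-get-projects`; the project names and account IDs are constructed.

```python
import re

# Accept only fully anchored numeric IDs: ^123$, ^(123|456)$ or ^(?:123|456)$.
STRICT_ACTOR = re.compile(r"\^(\d+|\((\?:)?\d+(\|\d+)*\))\$")


def audit_filter_groups(filter_groups):
    """Return (group_index, issue) tuples for one webhook's filterGroups.

    Each group is a list of {"type", "pattern", "excludeMatchedPattern"}
    dicts; a build starts when every filter in any one group matches.
    """
    if not filter_groups:
        return [(None, "no-filter-groups")]
    issues = []
    for idx, group in enumerate(filter_groups):
        events = ",".join(f["pattern"] for f in group if f["type"] == "EVENT")
        actors = [f for f in group if f["type"] == "ACTOR_ACCOUNT_ID"]
        if not actors and "PULL_REQUEST" in events:
            issues.append((idx, "pr-build-without-actor-filter"))
        for f in actors:
            if f.get("excludeMatchedPattern"):
                # Deny-lists let every unlisted account through.
                issues.append((idx, "actor-filter-is-deny-list"))
            elif not STRICT_ACTOR.fullmatch(f["pattern"]):
                # Unanchored regex: matches any ID that merely contains it.
                issues.append((idx, "actor-pattern-not-anchored"))
    return issues


# Constructed sample; project names and account IDs are made up.
PR = {"type": "EVENT", "pattern": "PULL_REQUEST_CREATED,PULL_REQUEST_UPDATED"}
SAMPLE = {
    "cli-ci": [[PR, {"type": "ACTOR_ACCOUNT_ID", "pattern": "^(1234567|7654321)$"}]],
    "sdk-ci": [[PR, {"type": "ACTOR_ACCOUNT_ID", "pattern": "1234567|7654321"}]],
    "half-anchored": [[PR, {"type": "ACTOR_ACCOUNT_ID", "pattern": "^1234567|7654321$"}]],
    "tools-ci": [[PR], [{"type": "EVENT", "pattern": "PUSH"}]],
}

if __name__ == "__main__":
    for name, groups in SAMPLE.items():
        print(name, audit_filter_groups(groups) or "ok")
```

The `half-anchored` case is flagged because `^` and `$` each bind to only one side of the `|`, so the alternatives need to be wrapped in a group.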

