
CyberWire Daily A subtle flaw, a massive blast radius. [Research Saturday]
Mar 21, 2026

Yuval Avrahami, vulnerability researcher at Wiz who led the CodeBreach investigation, explains how a tiny CI/CD misconfiguration opened the door to hijacking major AWS GitHub repositories. He describes the unanchored regex flaw, how builds could be triggered to steal credentials, and why public repos and pipelines are high-value targets. The discussion covers attack steps and AWS’s remediation.
AI Snips
Real Attack Sparked The CodeBreach Investigation
- Wiz started investigating after seeing a real threat actor take over an AWS GitHub repository via a CodeBuild issue.
- That incident drove the team to search public CodeBuild projects and inspect configurations, uncovering the regex problem.
Unanchored Regex In CodeBuild Broke Intended Access
- AWS CodeBuild webhook filters used an unanchored regex, so approved maintainer IDs allowed any GitHub user ID that contained them.
- Wiz found maintainer lists separated by pipe characters that were interpreted as regex, enabling broader matches than intended.
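An added illustration of the matching behaviour described above (example code, not Wiz's tooling or AWS's implementation): a pipe-joined list of approved IDs is a regex alternation, and whether it is anchored decides which pull-request authors pass. The IDs are constructed, and the use of CodeBuild's ACTOR_ACCOUNT_ID filter type is an assumption about where such a pattern is configured, not taken from the page.

```python
import re

# Constructed values: these IDs are made up, not real maintainer accounts.
# Assumption: the pattern is used as a CodeBuild ACTOR_ACCOUNT_ID webhook filter,
# which is matched against the numeric GitHub user ID of the PR author.
APPROVED_IDS = ["123", "4567"]


def maintainer_pattern(ids, anchored):
    """Build the filter pattern; anchored=True is the hardened form."""
    alternation = "|".join(re.escape(i) for i in ids)
    return f"^({alternation})$" if anchored else alternation


def actor_matches(pattern, actor_id):
    """Filter semantics as described: the pattern may match anywhere in the ID."""
    return re.search(pattern, actor_id) is not None


def audit_filter(pattern, ids):
    """Defender check: for each approved ID, probe with a different account ID
    that merely contains it. Any hit means the filter admits non-maintainers."""
    findings = []
    for i in ids:
        probe = "9" + i + "9"  # constructed ID that contains i but is not i
        if actor_matches(pattern, probe):
            findings.append((i, probe))
    return findings


if __name__ == "__main__":
    loose = maintainer_pattern(APPROVED_IDS, anchored=False)
    strict = maintainer_pattern(APPROVED_IDS, anchored=True)
    print("unanchored:", loose, "->", audit_filter(loose, APPROVED_IDS))
    print("anchored:  ", strict, "->", audit_filter(strict, APPROVED_IDS))
```

Running the audit against an existing filter pattern is the quick way to confirm whether a pipe-joined allowlist is anchored before relying on it.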
A Single PR Can Yield Full Repository Takeover
- A triggered build runs code alongside powerful GitHub credentials, so a malicious PR can yield repository takeover.
- Attack flow: register a crafted GitHub username, open a PR, cause CodeBuild to run, then exfiltrate credentials from the build environment.
