CodeBreach: CI/CD Misconfiguration Enables Potential AWS Console Supply-Chain Compromise
Wiz Research disclosed CodeBreach, a critical supply-chain vulnerability stemming from a subtle misconfiguration in AWS CodeBuild CI pipelines that exposed core AWS GitHub repositories to takeover. By abusing unanchored regex filters in CodeBuild webhook configurations, unauthenticated attackers could bypass pull-request safeguards and execute untrusted code within privileged build environments. This flaw enabled the theft of GitHub credentials associated with highly privileged automation accounts, including those managing the aws/aws-sdk-js-v3 repository, which underpins the AWS Console itself. Successful exploitation would have allowed attackers to inject malicious code into widely distributed SDK releases, creating a platform-wide blast radius across a majority of cloud environments. The vulnerability highlights how minor CI/CD configuration errors can translate into systemic risk at hyperscale. Post-exploitation analysis demonstrated that compromised GitHub tokens held full administrative privileges, enabling direct code commits, pull-request approvals, collaborator management, and secret exfiltration across multiple repositories. The attack path mirrors recent CI/CD-centric supply-chain incidents, reinforcing a broader trend of adversaries targeting build systems due to their complexity, exposure to untrusted inputs, and access to high-value credentials. AWS remediated the issue rapidly following responsible disclosure on August 25, 2025, and met with Wiz the same day to validate the findings and scope of impact. Within 48 hours, AWS anchored the vulnerable ACTOR_ID regex filters and revoked the compromised aws-sdk-js-automation token, effectively closing the immediate exploitation path. By September 2025, it implemented additional platform-level hardening to protect credentials in CodeBuild build memory. Defenders should treat CI/CD pipelines as high-risk assets, enforce strict build gating for untrusted contributions, and minimize credential privileges to reduce the impact of inevitable misconfigurations. Defenders should treat CI/CD pipelines as high-risk assets, enforce strict build gating for untrusted contributions, and minimize credential privileges to reduce the impact of inevitable misconfigurations.
LOTUSLITE Backdoor Targets U.S. Government Entities via Geopolitical Lures
Acronis Threat Research Unit identified a targeted espionage campaign delivering a previously undocumented DLL-based backdoor, tracked as LOTUSLITE, against U.S. government and policy-related entities, although the identities of these entities are not public knowledge at the time of writing. The activity leveraged a politically themed ZIP archive referencing U.S.–Venezuela relations and relied on a simple yet reliable execution chain that used DLL sideloading. A legitimate, renamed executable was used to load a hidden, malicious DLL, enabling covert execution without exploiting vulnerabilities. The LOTUSLITE implant is a custom C++ backdoor that communicates with a hard-coded IP-based command-and-control server and supports basic remote command execution, file operations, and data exfiltration. While the loader and implant demonstrate limited defensive evasion and low development maturity, the targeted delivery context suggests an espionage-oriented objective rather than financial motivation. Infrastructure and tradecraft analysis shows moderate confidence in alignment with Mustang Panda, based on delivery patterns, launcher–DLL separation, infrastructure reuse, and behavioral artifacts rather than direct code reuse. LOTUSLITE establishes persistence through a ProgramData directory and a Run key registry entry, ensuring execution on user logon, and disguises its network traffic using WinHTTP with benign-looking headers and a Googlebot User-Agent. Embedded developer messages within the DLL exports referencing national identity further mirror quirks seen in prior Mustang Panda operations. Although technically unsophisticated, the campaign demonstrates how low-complexity tooling can remain effective when paired with deliberate victim selection and timely geopolitical themes. Defenders should prioritize detection of sideloading chains, anomalous persistence under ProgramData, and outbound HTTPS traffic to uncommon infrastructure masquerading as legitimate services.
UAT-8837 Conducts Targeted Intrusions Against North American Critical Infrastructure
Cisco Talos is tracking UAT-8837, a threat actor assessed with medium confidence to be a China-nexus advanced persistent threat focused on gaining initial access to high-value organizations in North America, specifically those operating in critical infrastructure as defined by CISA. The group has demonstrated a clear emphasis on critical infrastructure sectors, with intrusions characterized by opportunistic exploitation of both n-day and zero-day vulnerabilities as well as the use of compromised credentials. Most notably, Talos observed UAT-8837 exploiting the SiteCore ViewState deserialization zero-day CVE-2025-53690, suggesting access to advanced exploit capabilities. While individual intrusions may appear sporadic, the consistency in post-compromise behavior indicates a deliberate access-broker role rather than broad operational disruption. The activity aligns with strategic intelligence collection rather than financially motivated objectives. Following initial access, UAT-8837 conducts extensive hands-on keyboard operations to enumerate domains, Active Directory environments, and security configurations while establishing multiple persistence and access paths. The actor relies heavily on open-source and commodity tooling, including Earthworm for tunneling, SharpHound and Certipy for AD reconnaissance, DWAgent for remote access, and GoExec and Impacket-based utilities for lateral movement, frequently cycling tools to evade endpoint detection. Registry modifications to weaken RDP security controls, creation or modification of domain accounts, and staging of artifacts in common system directories further characterize the intrusion lifecycle. In at least one case, the actor exfiltrated proprietary DLLs tied to victim products, raising concerns around potential follow-on supply chain abuse. Defenders in critical infrastructure environments should prioritize patching internet-facing systems, monitoring for credential abuse and tunneling activity, and detecting anomalous AD reconnaissance consistent with access-oriented intrusion campaigns.
Top CVEs of the Week
Top CVEs of the Week – As part of our ongoing vulnerability monitoring, the following CVEs highlight recent security issues that could affect a range of systems, applications, and devices. These findings reflect the constantly evolving threat landscape and reinforce the importance of timely patching, secure configurations, and proactive security practices. Below is a summary of notable vulnerabilities, including their impact and any available remediation guidance.
