The weakness in AWS CodeBuild is a configuration one: it arises when a project's webhook is set to trigger builds on pull requests (or similar events) from untrusted contributors. An attacker can then open a pull request containing arbitrary code, which CodeBuild executes in the build environment. From there the attacker can dump the build environment's memory and recover sensitive secrets such as credentials. The same memory-dumping technique was previously observed in the supply chain attack on GitHub Actions involving the tj-actions/changed-files workflow.
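An added defender-side audit, written for this page rather than taken from AWS tooling: it walks the `webhook.filterGroups` of CodeBuild projects in the shape that `batch_get_projects` returns and flags any filter group that builds on pull-request events without an `ACTOR_ACCOUNT_ID` allow-list, which is the trigger-on-untrusted-PR configuration described above. CodeBuild runs a build when every filter in at least one group matches, so the check is per group. The sample projects, their names and the account ids are constructed; `load_from_aws` is an optional helper that needs boto3 and AWS credentials.

```python
"""Audit AWS CodeBuild webhooks for pull-request triggers open to any contributor.

CodeBuild semantics: a webhook starts a build when EVERY filter in AT LEAST ONE
filter group matches.  A group that matches PULL_REQUEST_* events and carries no
ACTOR_ACCOUNT_ID allow-list therefore lets any PR author run code in the build
environment, where its memory (and any injected credentials) can be read.
"""
from __future__ import annotations

# Pre-merge pull-request events (real CodeBuild EVENT names).  PULL_REQUEST_MERGED
# is left out: by then a maintainer has accepted the change.
PR_EVENTS = {"PULL_REQUEST_CREATED", "PULL_REQUEST_UPDATED", "PULL_REQUEST_REOPENED"}


def _pr_events_in(pattern: str) -> set[str]:
    """An EVENT filter's pattern is a comma-separated list of event names."""
    return {p.strip().upper() for p in pattern.split(",")} & PR_EVENTS


def risky_filter_groups(webhook: dict | None) -> list[str]:
    """Return one finding per filter group that lets untrusted PRs start a build."""
    if not webhook:
        return []  # no webhook: builds start only manually or from a pipeline
    groups = webhook.get("filterGroups") or []
    if not groups:
        return ["webhook has no filter groups: every repository event triggers a build"]
    findings = []
    for idx, group in enumerate(groups):
        pr_events: set[str] = set()
        actor_allow_listed = False
        for flt in group:
            if flt.get("type") == "EVENT":
                pr_events |= _pr_events_in(flt.get("pattern", ""))
            elif flt.get("type") == "ACTOR_ACCOUNT_ID" and not flt.get("excludeMatchedPattern", False):
                # A non-excluding ACTOR_ACCOUNT_ID filter is an allow-list of trusted accounts.
                actor_allow_listed = True
        if pr_events and not actor_allow_listed:
            findings.append(
                f"filter group {idx}: builds on {sorted(pr_events)} with no ACTOR_ACCOUNT_ID allow-list"
            )
    return findings


def audit_projects(projects: list[dict]) -> dict[str, list[str]]:
    """Map project name -> findings for the list in batch_get_projects()['projects']."""
    return {p["name"]: risky_filter_groups(p.get("webhook")) for p in projects}


def load_from_aws(region: str | None = None) -> list[dict]:
    """Optional live fetch; boto3 is imported here so the offline sample runs without it."""
    import boto3
    cb = boto3.client("codebuild", region_name=region)
    names = [n for page in cb.get_paginator("list_projects").paginate() for n in page["projects"]]
    projects: list[dict] = []
    for i in range(0, len(names), 100):  # batch_get_projects accepts at most 100 names per call
        projects += cb.batch_get_projects(names=names[i : i + 100])["projects"]
    return projects


# Constructed sample data (not real projects or account ids).
SAMPLE_PROJECTS = [
    {  # weak: any contributor's PR builds
        "name": "example-open-pr-build",
        "webhook": {"filterGroups": [[
            {"type": "EVENT", "pattern": "PUSH, PULL_REQUEST_CREATED, PULL_REQUEST_UPDATED"},
            {"type": "HEAD_REF", "pattern": "^refs/heads/.*"},
        ]]},
    },
    {  # hardened: pushes to main build; PR builds only from listed (placeholder) account ids
        "name": "example-trusted-pr-build",
        "webhook": {"filterGroups": [
            [{"type": "EVENT", "pattern": "PUSH"},
             {"type": "HEAD_REF", "pattern": "^refs/heads/main$"}],
            [{"type": "EVENT", "pattern": "PULL_REQUEST_CREATED, PULL_REQUEST_UPDATED"},
             {"type": "ACTOR_ACCOUNT_ID", "pattern": "^(1234567|7654321)$"}],
        ]},
    },
    {"name": "example-no-filters", "webhook": {"filterGroups": []}},
    {"name": "example-manual-only"},
]

if __name__ == "__main__":
    import sys
    projects = load_from_aws() if "--aws" in sys.argv else SAMPLE_PROJECTS
    for name, findings in audit_projects(projects).items():
        status = "RISKY" if findings else "ok"
        print(f"{status:5} {name}")
        for finding in findings:
            print(f"      - {finding}")
```

Run it without arguments to see the constructed sample evaluated offline, or with `--aws` to audit the projects in the current account and region. The hardened sample keeps the push trigger unrestricted (pushes to `main` already require write access) and gates only the pull-request group behind the allow-list.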
In this incident, the attacker used the misconfiguration to obtain credentials from a CodeBuild environment and leveraged them to inject malicious code into the Amazon Q Developer Extension for Visual Studio. The injected code was designed to delete all files on systems where the extension was installed, although it failed to execute as intended. Users of the Amazon Q extension should ensure they are running version 1.85.0 or later, which removes the malicious code and addresses the issue.