by rusteh1 328 days ago
I'm not a git expert, but how was the attacker able to push the stability branch directly to the Amazon-owned repo? The PR would have been to merge the modified branch to main, right?
2 comments

My guess is that skywhopper is correct. We're only able to see the tail end of the attack, but the repo was likely compromised in some way.
AWS issued a post and they talk about revoking and replacing a credential.

So maybe the hacker was able to directly push?

https://aws.amazon.com/security/security-bulletins/AWS-2025-...

Joseph's 404 article quotes the hacker as saying they "got admin privileges on a silver platter," so I think this is it: first part of the breach was gaining the GitHub permission to create a branch. Possibly just by asking.