GBHackers

Cordyceps Supply Chain Vulnerability Impacting Code Repositories at Thousands of Organizations


A pervasive CI/CD vulnerability pattern dubbed “Cordyceps” reveals a supply chain vulnerability that lets unauthenticated attackers seize control of Git-based workflows and, by extension, the software artifacts they produce.

The issue is not a single bug in GitHub or any one tool; it is a systemic class of insecure workflow compositions. Command injection, broken authentication logic, artifact-poisoning chains, and cross-workflow privilege escalation in GitHub Actions YAMLs together form multi-step exploit paths that attackers can trigger from a free account.

Novee’s scan of roughly 30,000 high-impact repositories flagged 654 instances and validated more than 300 fully exploitable chains, with confirmed fixes from Microsoft, Google, Apache, Cloudflare, and the Python Software Foundation.

The underlying pattern can be reproduced at scale and, according to Novee, potentially affects millions of repositories.

At the heart of Cordyceps is the treatment of workflows as “configuration” rather than code. GitHub Actions files run shell commands, execute scripts, hold tokens, and publish releases, yet they commonly avoid the same security scrutiny applied to application code.

That mismatch allows seemingly innocuous workflow steps (an output, artifact, or environment variable) to carry untrusted data across a trust boundary into a higher-privilege workflow.

Alone, each step appears benign; together they form a chain that can escalate privileges, exfiltrate credentials, forge approvals, or push malicious artifacts to package registries and container registries relied upon by downstream consumers.

Novee’s research exposed concrete, high-impact examples. In Microsoft’s Azure Sentinel content pipeline, a PR comment executed attacker code and stole a non-expiring GitHub App key, which could permit persistent write access to security content deployed into customer Sentinel workspaces.


Google’s AI Agent Development Kit samples contained a path where a single pull request led to code running in CI that authenticated to the associated Google Cloud project with owner-level permissions.

Apache’s Doris repository yielded two independent, zero-click attack paths capable of exfiltrating CI credentials and stealing tokens with broad write permissions across repository contents and actions.

Cloudflare’s Workers SDK allowed PR branch names to trigger arbitrary commands on CI runners.

The Python Software Foundation’s Black project showed how a malicious PR could run on build systems, take an automation token, and approve pull requests as the project bot, potentially causing tainted releases that reach millions of users.

These findings illustrate why legacy tooling misses Cordyceps. Static and dynamic application scanners operate at the single-file or single-process level: they validate YAML syntax, check for known insecure patterns, and flag obvious misconfigurations.

They do not reason about cross-workflow flows or validate whether an untrusted external input can traverse several workflows to reach a high-privilege credential.

Detecting this class of vulnerability requires external attack validation that simulates attacker behavior end-to-end and proves exploitability, which is exactly the technique Novee used when combining large-scale scanning with AI-driven validation.

Cordyceps is amplified by modern developer practices. AI coding agents and templates produce CI/CD configurations rapidly and repeatedly, propagating insecure patterns across projects and organizations.

The result is a reproducible, agentic infection model: small, repeated mistakes become exponential risk when they propagate through the open-source ecosystem.

Mitigation requires treating workflows as first-class code: enforce least privilege for tokens, validate and sanitize user-controlled inputs, isolate untrusted workflows from secrets and high-privilege outputs, and apply end-to-end testing that simulates malicious PRs and comments.
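Two of the mitigations above, input handling and least-privilege tokens, can be checked mechanically per workflow file. The following Python check is an added example, not Novee's scanner or code from any affected project: it flags attacker-controllable GitHub contexts expanded inside `run:` scripts and workflows with no top-level `permissions:` block. The `audit` function, its list of contexts, and both sample workflows are constructed for illustration.

```python
import re

# Contexts an outside contributor controls (an assumed, non-exhaustive list).
UNTRUSTED = re.compile(r"\$\{\{\s*(github\.head_ref|github\.event\.(?:comment\.body"
    r"|(?:pull_request|issue)\.(?:title|body)|pull_request\.head\.ref))\s*\}\}")
RUN_KEY = re.compile(r"^\s*(?:-\s+)?run:\s*(.*)$")

def audit(workflow_text):
    """Return (line_no, message) findings for one workflow file's text."""
    findings, run_col = [], None
    for no, line in enumerate(workflow_text.splitlines(), 1):
        m = RUN_KEY.match(line)
        indent = len(line) - len(line.lstrip())
        if m:
            run_col, script = line.index("run:"), m.group(1)
        elif run_col is not None and (not line.strip() or indent > run_col):
            script = line            # blank or deeper-indented: still in the script
        else:
            run_col = None           # dedent: we left the run script (env: is not flagged)
            continue
        for expr in UNTRUSTED.findall(script):
            findings.append((no, f"{expr} is expanded inside a run script"))
    if not re.search(r"^permissions:", workflow_text, re.M):
        findings.append((0, "no top-level permissions block"))
    return findings

# Constructed sample workflows, not taken from any project named in the article.
VULNERABLE = """\
on: pull_request_target
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - run: |
          echo "Building ${{ github.head_ref }}"
"""
HARDENED = """\
on: pull_request
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - env:
          BRANCH: ${{ github.head_ref }}
        run: echo "Building $BRANCH"
"""

print(audit(VULNERABLE), audit(HARDENED))
```

Passing the value through `env:` and quoting `$BRANCH` keeps the branch name as data, so the hardened workflow produces no findings. This single-file check does not follow data across workflows, which the article identifies as the harder part of the problem.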

Project owners should review Novee’s disclosures and advisories and apply fixes confirmed by affected vendors.

For wider context and statistics on GitHub usage and Actions prevalence, see GitHub metrics reporting and independent analyses of Actions adoption; Novee’s technical write-up documents their scan methodology and specific vulnerability chains.

The Cordyceps story is a clear reminder that supply chain security now begins in CI/CD YAML and that defending it demands the same rigor applied to application code.
