PROBABLYPWNED
Vulnerabilities | June 25, 2026 | 4 min read

Cordyceps Flaw Exposes 300+ GitHub Repos to Supply Chain Hijack

A new class of CI/CD vulnerability affects repositories at Microsoft, Google, Apache, and Cloudflare. A free GitHub account is all attackers need to forge approvals and steal credentials.

Marcus Chen

Security researchers have identified a critical class of CI/CD misconfiguration affecting repositories at some of the largest technology companies in the world. The attack requires nothing more than a free GitHub account.

TL;DR

  • What happened: Novee Security discovered "Cordyceps," a pattern of exploitable CI/CD weaknesses in GitHub Actions workflows
  • Who's affected: 300+ high-impact repositories including Microsoft Azure Sentinel, Google's AI tools, Apache Doris, Cloudflare Workers SDK, and Python's Black formatter
  • Severity: Unauthenticated attackers can forge approvals, push code, and steal credentials from CI pipelines

What Is Cordyceps?

Named after the parasitic fungus that hijacks insect behavior, Cordyceps describes a pattern where untrusted pull requests can escalate through CI/CD pipelines to gain full repository control. The vulnerability exists not in any single misconfiguration, but in how multiple weak configurations compose into exploitable attack chains.

Novee Security's research scanned approximately 30,000 high-impact repositories and found over 300 fully exploitable instances. The affected projects include infrastructure relied upon by millions of developers and production systems worldwide.

The attack surface includes command injection, broken authentication logic, artifact poisoning, and cross-workflow privilege escalation—all triggered through carefully crafted pull requests that appear benign when examined in isolation.

Confirmed Exploitation Paths

Microsoft Azure Sentinel: Comments on pull requests can execute arbitrary attacker code, extracting non-expiring GitHub App keys that provide persistent repository access.

Google AI Agent Development Kit: Crafted pull requests gain complete authority over Google Cloud repositories, enabling malicious code injection into AI tooling.

Apache Doris: Zero-click attacks via PR comments exfiltrate CI credentials and write-permission tokens without any user interaction.

Cloudflare Workers SDK: Branch names themselves execute arbitrary CI commands, bypassing typical PR-based security reviews.

Python Black: Any pull request can execute code and steal automation tokens capable of approving other pull requests—a self-propagating attack vector.

This pattern mirrors the risks we've seen in npm supply chain attacks and AUR package compromises, but at a more fundamental infrastructure level.

AI Tools Are Making It Worse

One of Novee's most concerning findings involves AI coding assistants. As developers increasingly rely on AI tools to generate GitHub Actions configurations, those tools reproduce the same insecure patterns repeatedly. The result: the same class of vulnerability being quietly planted across potentially millions of repositories.

The AI tools aren't malicious—they're simply learning from existing configurations that contain these weaknesses. But the scale of automated code generation means vulnerable patterns spread faster than ever before.

Vendor Response

Microsoft and Google confirmed the impact and are working on remediation. Cloudflare, Python Software Foundation, and Apache have already applied hardening measures and patches to their affected repositories.

Novee followed responsible disclosure practices, giving organizations time to address the issues before public release. But with over 300 affected repositories identified, many remain unpatched.

Recommended Mitigations

  1. Audit GitHub Actions workflows for pull_request_target triggers and workflow_run escalations
  2. Restrict PR execution - Use pull_request events instead of pull_request_target where possible
  3. Implement token scoping - Minimize permissions granted to workflow tokens
  4. Review artifact handling - Ensure artifacts from untrusted sources can't influence privileged workflows
  5. Validate branch names - Sanitize branch name inputs before using in shell commands
  6. Manual approval gates - Require human approval for workflows that access secrets or deploy code

Why This Matters

Supply chain attacks have become the preferred vector for sophisticated threat actors. Why attack one target when you can compromise the tools and infrastructure used by thousands? The Microsoft 365 Copilot vulnerability we covered last week showed how AI tooling creates new attack surfaces—Cordyceps demonstrates the same principle applied to development infrastructure.

The fix isn't complicated for individual repositories. The challenge is the sheer scale: millions of repositories, many maintained by small teams or abandoned entirely, all potentially carrying these exploitable patterns.

Organizations relying on open-source dependencies should consider additional supply chain security measures and monitor for anomalous activity in their development pipelines.

Frequently Asked Questions

Can I check if my repositories are affected? Audit any workflows that use pull_request_target triggers or workflow_run event chains, or that reference external artifacts. Novee's blog includes specific patterns to search for.
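The audit described in the answer above and in the Recommended Mitigations list can start as a text scan of workflow files. The following is an added example, not code from Novee or from any project named in this article: the two workflow texts are constructed samples, the rule names and the audit function are this example's own, and the list of untrusted context values is illustrative rather than exhaustive.

```python
import re
# Constructed sample workflows (not taken from any repository named in the article).
WEAK = """\
on:
  pull_request_target:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: echo "Building ${{ github.head_ref }}"
"""
HARDENED = """\
on:
  pull_request:
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: echo "Building $BRANCH"
        env:
          BRANCH: ${{ github.head_ref }}
"""
# PR-controlled context values that are unsafe to expand inside a shell step.
UNTRUSTED = re.compile(r"\$\{\{\s*github\.(head_ref|event\.(pull_request\.head\.ref|comment\.body))\s*\}\}")
LINE_CHECKS = [
    ("privileged-trigger", re.compile(r"^\s*(pull_request_target|workflow_run)\s*:")),
    ("pr-head-checkout", re.compile(r"ref:\s*\$\{\{\s*github\.event\.pull_request\.head\.")),
    ("artifact-download", re.compile(r"uses:\s*actions/download-artifact@")),  # review prompt
]
def audit(text):
    """Return (line_no, finding) pairs for one workflow file; line 0 means file-level."""
    findings = [] if re.search(r"^\s*permissions\s*:", text, re.M) else [(0, "no-permissions-block")]
    run_col = None
    for no, line in enumerate(text.splitlines(), 1):
        findings += [(no, name) for name, rx in LINE_CHECKS if rx.search(line)]
        m = re.match(r"\s*(?:-\s+)?run:", line)
        if m:
            run_col = m.end() - len("run:")  # column of the run key
        elif run_col is not None and line.strip() and len(line) - len(line.lstrip()) <= run_col:
            run_col = None  # dedent: the run block has ended
        if run_col is not None and UNTRUSTED.search(line):
            findings.append((no, "untrusted-expr-in-run"))
    return findings
```

A finding is a prompt for manual review, not proof of exploitability: the hardened sample passes because the branch name reaches the shell only through an environment variable and the token is scoped to read-only.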

Does this require write access to exploit? No. The entire attack chain can be triggered from a free GitHub account with no special permissions. Opening a pull request—something any user can do on public repositories—is sufficient.
