‘Cordyceps’ CI/CD Flaw Exposes Microsoft, Google, Apache Repos to Pipeline Hijacking

Summary

Novee Security has discovered Cordyceps, a systemic CI/CD vulnerability in GitHub Actions workflows that allows unauthenticated users to poison builds and steal sensitive tokens. This flaw, which affects major projects from Microsoft, Google, and Apache, can lead to full administrative control over cloud networks by exploiting multi-step attack chains that bypass standard security scanners. The vulnerability is exacerbated by AI coding agents that perpetuate insecure configuration patterns.

Full text

Security‘Cordyceps’ CI/CD Flaw Exposes Microsoft, Google, Apache Repos to Pipeline Hijacking Novee Security reveals Cordyceps, a CI/CD vulnerability in GitHub Actions workflows that let anonymous users poison builds and expose tokens across major projects today. byDeeba AhmedJune 23, 20262 minute read Listen to this article 0:00 — ← 10s ▶ Play 10s → Speed 0.75× 1× 1.25× 1.5× 2× Voice Loading voices… Press play to start listening A major software supply chain vulnerability has been discovered across the open-source network that can allow cybercriminals to hijack build pipelines and compromise corporate networks. Cybersecurity research firm Novee discovered this structural flaw, which they named Cordyceps after a body-snatching parasitic fungus, and shared its findings with Hackread.com. According to the company, Cordyceps is a systemic class of Continuous Integration and Continuous Deployment (CI/CD) vulnerabilities, and the flaw exists within GitHub Actions workflows (specifically in .yml configuration files). Multi-Step Exploit Methods Researchers found that an unauthenticated user wouldn’t even need special organisation privileges to launch an attack because a free, anonymous online account is enough to forge approvals, inject malicious code, or steal permanent credentials. Standard automated scanners miss this risk because they only look at single files in isolation. In contrast, Cordyceps relies on multi-step exploit chains where untrusted data tricks the system by crossing a security boundary. In a hypothetical command injection and artifact poisoning attack, an unauthorised user leaves an anonymous comment or submits a malicious code update, called a pull request. A low-privilege workflow treats this input as a trusted command, running hidden code to compromise the final software package or artifact. From there, privilege escalation occurs when that tainted data flows into a high-privilege workflow and exposes high-level authentication keys. This entire process could allow an external threat actor to gain full administrative permissions over a company’s cloud network. Tech Infrastructure Exposed Novee scanned roughly 30,000 high-impact open-source repositories, flagged 654 projects in a single scan, and verified that over 300 were fully exploitable to test the risk. Novee’s security team also confirmed the flaws across major infrastructure systems, impacting companies such as Microsoft, Google, Apache, Cloudflare, and the Python Software Foundation. In one confirmed finding inside Microsoft Azure Sentinel, researchers proved that an anonymous comment on a pull request could allow an attacker to execute code and steal a non-expiring GitHub App key. This would grant write access to security content deployed directly to customer workspaces via the Azure Marketplace. Similarly, researchers targeted Google’s AI Agent Development Kit sample repository (adk-samples), where a single malicious pull request was shown to grant full ownership roles (roles/owner) over the associated Google Cloud project. Further investigation, as per Novee’s blog post, published today, revealed that an attacker could also run unauthorized commands on Cloudflare’s Workers SDK toolchain (using the Wrangler CLI tool), steal saved login credentials from the Apache Doris database, and snatch automation tokens from Black- a popular Python code tool that handles 130 million downloads a month. All tested vulnerabilities have since been reported and fixed. Researchers noted that such flaws are rapidly rising because while AI coding agents are generating configuration files at an exponential pace, these persistently reproduce the same insecure structural patterns, thus multiplying the vulnerability across millions of untested repositories. Since anonymous users can exploit these flawed pipelines to manipulate major corporate platforms without authorization, researchers described the risk as “puppeteering the repositories of some of the world’s biggest companies, silently manipulating their workflows.” Photo by Steve A Johnson on Unsplash Deeba Ahmed Deeba is a veteran cybersecurity reporter at Hackread.com with over a decade of experience covering cybercrime, vulnerabilities, and security events. Her expertise and in-depth analysis make her a key contributor to the platform’s trusted coverage. View Posts CI/CDCordycepsCybersecurityGitHubNoveeSupply ChainVulnerability Leave a Reply Cancel reply View Comments (0) Related Posts Security Cyber Attacks DDoS Attacks Hit Denmark Central Bank and 7 Private Banks Along with the websites of the central bank, Bankdata—a company that develops IT solutions for the financial industry—was also targeted by a DDoS attack. byHabiba Rashid Security You are not alone, WhatsApp is down for many If you are wondering why your WhatsApp is down, don’t worry, you are not alone the messaging service is down… byCarolina Security Pop Culture Passwords Most Likely to Get You Hacked, New Study Is your password “Superman” or “Blink-182”? Millions are using these pop-culture favorites, making them easy targets for hackers.… byDeeba Ahmed Read More Security Cyber Attacks Chinese APT Phantom Taurus Targeted MS Exchange Servers Over 3 Years Cybersecurity researchers at Palo Alto Networks' Unit 42 say Chinese APT Phantom Taurus breached Microsoft Exchange servers for years using a backdoor to spy on diplomats and defense data. byWaqas

Entities