Cordyceps: CI/CD Workflow Vulnerability Pattern Exposes 300+ Open-Source Repositories to Attacker-Controlled Code Execution (June 23, 2026)
Date: 2026-06-30
Tags: supply-chain, prompt-injection
Executive Summary
Novee's research team discovered Cordyceps, a critical supply chain flaw hiding in plain sight that impacts code repositories at thousands of organizations, including Microsoft, Google, Apache, and Cloudflare. Cordyceps is a systemic class of exploitable CI/CD vulnerabilities across the open-source supply chain: command injection, broken authentication logic, artifact poisoning chains, and privilege escalation in GitHub Actions workflows. The penetration-testing company scanned roughly 30,000 high-impact repositories, found more than 300 to be fully exploitable, validated hundreds of fully exploitable attack chains, and received confirmation of fixes at dozens of organizations. The issue can allow full attacker control of repositories at dozens of the largest organizations worldwide, enabling attacker-controlled code execution, credential theft, and supply chain compromise. It is exploitable by any unauthenticated user: no org membership or special privileges are required, and a free account is enough to forge approvals, push code, or steal credentials.
Campaign Summary
| Field | Detail |
|---|---|
| Campaign / Malware | Cordyceps (Named Research Finding, not CVE) |
| Attribution | Systemic architectural pattern; no single threat actor attributed; amplified by AI coding agents auto-generating vulnerable configurations (confidence: none) |
| Target | Open-source projects across npm, PyPI, crates, Go ecosystems; critical infrastructure dependencies (Microsoft, Google, Apache, Cloudflare, Python Software Foundation) |
| Vector | Malicious pull requests exploiting untrusted data crossing unaudited trust boundaries in GitHub Actions workflows (pull_request_target misconfiguration) |
| Status | active |
| First Observed | 2026-06-23 |
Detailed Findings
Novee identified a systemic class of exploitable CI/CD vulnerabilities across the open-source supply chain: command injection, broken authentication logic, artifact poisoning chains, and privilege escalation in GitHub Actions workflows. The team scanned roughly 30,000 high-impact repositories, validated hundreds of fully exploitable attack chains, and received confirmation of fixes at dozens of organizations including Microsoft, Google, Apache, Cloudflare, and the Python Software Foundation. Millions of repositories are potentially affected by the same pattern. The nature of agentic coding means these CI/CD vulnerabilities are reproduced persistently, at scale, 'infecting' repositories at an exponential rate. This supply chain vulnerability lies in the foundational open source plumbing the entire industry runs on, and it is the kind of issue that hides from scanners because, technically, every individual piece is working as designed. The workflow does what it was told; the vulnerability exists only in the composition: untrusted data crossing a trust boundary that no one audited. On Microsoft's Azure Sentinel, for example, Novee found that a comment on a PR could run anonymous attacker code on Microsoft's CI and steal a non-expiring GitHub App key. Similarly, on Google's AI Agent Development Kit ('adk-samples'), a PR on Google's CI could execute attacker code to gain complete authority over a Google Cloud repository.
MITRE ATT&CK Mapping
| Technique | ID | Context |
|---|---|---|
| CI/CD Pipeline Manipulation | T1554 | Untrusted pull request data (comments, branch names, titles) flows into high-privilege GitHub Actions workflows without sanitization |
| Code Injection | T1059.007 | Command injection via interpolation of untrusted PR metadata into shell commands within workflow YAML |
| Privilege Escalation via Environment | T1548 | Pull request context grants access to GITHUB_TOKEN and cloud provider credentials with unintended privileges |
IOCs
Domains
_Not a single CVE or IOC set; rather a class pattern affecting 654 flagged repositories, 300+ confirmed exploitable chains. Specific vulnerable repos: Microsoft Azure Sentinel, Google adk-samples, Apache Doris, Cloudflare Workers SDK, Python Black formatter_
Full URL Paths
https://novee.security/blog/cordyceps/
Affected Platforms
GitHub Actions
Microsoft Azure Sentinel
Google Cloud Platform
Apache Doris
Cloudflare Workers SDK
Python Software Foundation (Black formatter)
npm, PyPI, crates, Go ecosystems
Detection Recommendations
- Audit all GitHub Actions workflows for pull_request_target usage.
- Never interpolate PR metadata (github.event.pull_request.title, github.event.pull_request.body, github.event.comment.body) directly into shell commands.
- Use the allowed_non_write_users guard or require explicit maintainer approval.
- Pin all GitHub Actions to commit SHAs (not mutable tags).
- Implement SLSA level 3+ provenance checks.
- Use repository-level branch protection rules requiring code review before merge.
- Scan workflow YAML for interpolation of untrusted variables.
- Enable GitHub's native 'Read repository contents permission' restrictions.
- Monitor for anomalous token usage patterns in CI logs.
- Run agentic code generators with explicit security templates and guardrails that forbid pull_request_target workflows.
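The workflow audit recommended above can start as a small script. The following is an added example, not code from Novee or any affected project: the function names `privileged_trigger` and `scan`, the list of untrusted fields, and both sample workflows are constructed for illustration, and the line-based matching is a heuristic rather than a full YAML parser.

```python
import re

# Triggers that run with the base repository's token and secrets (over-approximate match).
TRIGGERS = re.compile(r"\b(pull_request_target|issue_comment)\b")
RUN_KEY = re.compile(r"^(\s*(?:-\s+)?)run:(?:\s|$)")
# ${{ }} expressions that expand attacker-controlled PR or comment text (assumed list).
UNTRUSTED = re.compile(
    r"\$\{\{[^}]*?(github\.head_ref|github\.event\.(?:pull_request|issue|comment|review)"
    r"\.(?:title|body|head\.(?:ref|label)))[^}]*\}\}")

# Constructed sample workflows, not taken from any real repository.
HEADER = "on: pull_request_target\njobs:\n  greet:\n    runs-on: ubuntu-latest\n    steps:\n"
VULNERABLE = HEADER + '''\
      - run: |
          echo "Title: ${{ github.event.pull_request.title }}"
'''
# Hardened form: the value reaches the shell as an environment variable, not as script text.
HARDENED = HEADER + '''\
      - env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: |
          echo "Title: $PR_TITLE"
'''

def privileged_trigger(text):
    """True if the workflow mentions a trigger that grants secrets to untrusted events."""
    return bool(TRIGGERS.search(text))

def scan(text):
    """Return (line_no, expression) for untrusted ${{ }} expansions inside run: scripts."""
    findings, run_col = [], None
    for no, line in enumerate(text.splitlines(), 1):
        indent = len(line) - len(line.lstrip(" "))
        if run_col is not None and line.strip() and indent <= run_col:
            run_col = None  # dedent to the key's column: the run: script has ended
        m = RUN_KEY.match(line)
        if run_col is None and m:
            run_col = len(m.group(1))  # column where the run: key starts
        if run_col is not None:
            findings += [(no, e.group(1)) for e in UNTRUSTED.finditer(line)]
    return findings

if __name__ == "__main__":
    for name, wf in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(name, "privileged:", privileged_trigger(wf), "findings:", scan(wf))
```

A finding in a workflow where `privileged_trigger` is also true is the combination to review first; the hardened sample keeps the same trigger but produces no finding because the expression is expanded only in `env:`.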
References
- [Novee Security] Cordyceps: The Silent Parasite Consuming Your Supply Chain (2026-06-23) — https://novee.security/blog/cordyceps/
- [The Hacker News] Cordyceps CI/CD Flaws Expose 300+ GitHub Repositories to Supply-Chain Attacks (2026-06-24) — https://thehackernews.com/2026/06/cordyceps-cicd-flaws-expose-300-github.html
- [Dark Reading] Cordyceps: Malicious Pull Requests Threaten CI/CD Workflows (2026-06-23) — https://www.darkreading.com/application-security/cordyceps-malicious-pull-requests-developer-workflows
- [Hive Security] Cordyceps and GitHub Actions: When CI/CD Trust Boundaries Become the Supply Chain Attack (2026-06-24) — https://hivesecurity.gitlab.io/blog/cordyceps-github-actions-supply-chain-attack/