← Back to blog

Cordyceps CI/CD Flaws Put 300+ GitHub Repos at Supply-Chain Risk

Researchers have identified a critical CI/CD workflow vulnerability pattern affecting major organizations like Microsoft and Google. The Cordyceps flaw enables attackers to hijack repositories and compromise open-source supply chains at scale.

TL;DR

  • Cordyceps is a new class of CI/CD workflow weakness discovered by Novee Security affecting 300+ GitHub repositories
  • The vulnerability allows full attacker control of repositories at major organizations including Microsoft, Google, and Apache
  • Exploitation enables supply-chain attacks by hijacking CI/CD workflows to inject malicious code into open-source projects
  • The flaw represents a critical risk to software development pipelines and downstream consumers of affected libraries

Cybersecurity researchers at Novee Security have disclosed a critical vulnerability class in CI/CD workflows that poses significant supply-chain risks. Codenamed Cordyceps, this exploitable pattern affects over 300 GitHub repositories across dozens of major organizations worldwide, including Microsoft, Google, and Apache.

The vulnerability allows attackers to gain full control of affected repositories by hijacking CI/CD workflows. This capability enables threat actors to inject malicious code into open-source projects, potentially compromising downstream consumers and amplifying the blast radius of attacks across the software ecosystem.

The discovery highlights the growing importance of securing CI/CD pipelines as attackers increasingly target automation workflows as entry points for supply-chain compromise.

Cordyceps Vulnerability Overview

  • Cordyceps represents a critical exploitable pattern in CI/CD workflow configurations
  • The flaw affects 300+ GitHub repositories across major technology organizations
  • Vulnerable organizations include Microsoft, Google, Apache, and other industry leaders
  • The vulnerability enables complete repository hijacking and workflow manipulation

Supply-Chain Attack Implications

  • Attackers can inject malicious code into open-source projects via compromised CI/CD workflows
  • Compromised repositories can distribute tainted software to downstream consumers and dependencies
  • The attack vector amplifies impact across the software supply chain ecosystem
  • Organizations using affected open-source libraries face indirect compromise risks
  • Supply-chain attacks via CI/CD represent an emerging threat vector requiring immediate remediation

Recommendations for Development Teams

  • Audit CI/CD workflow configurations for Cordyceps-related patterns and misconfigurations
  • Implement principle of least privilege for workflow permissions and repository access
  • Enable branch protection rules and require code review for workflow file changes
  • Monitor for unauthorized workflow modifications and suspicious automation activity
  • Apply security controls to prevent untrusted input from influencing CI/CD execution paths

Sources

Sources

Security email updates

One digest email when we publish new security articles (TL;DR plus links to read more). Unsubscribe anytime from the message footer. See our Privacy Policy.

Cordyceps CI/CD Flaws Put 300+ GitHub Repos at Supply-Chain Risk — Agent Breach Blog | Agent Breach