A newly discovered class of software supply chain vulnerabilities is turning the spotlight back on the security gaps hiding inside modern continuous integration and continuous deployment (CI/CD) pipelines. Dubbed “Cordyceps” by the researchers at AI-driven penetration testing platform Novee, this vulnerability pattern allows completely unauthenticated, outside attackers to hijack workflows and seize full control of enterprise code repositories.
The threat is far from theoretical. During their initial research, Novee discovered that Cordyceps impacts some of the largest organizations in the tech world, putting critical code repositories and downstream users at immediate risk.
What is the Cordyceps Vulnerability?
Named after the infamous parasitic fungus that takes control of its host’s body, Cordyceps targets the automated “plumbing” of open-source and proprietary code development. It is not a single flaw or a traditional software bug with a designated CVE; rather, it is a critical architectural logic flaw born from improper input handling and insecure workflow composition.
The Mechanism of the Attack
The vulnerability chain relies on crossing trust boundaries without proper validation. The exploit typically follows these steps:
The Trigger: An unauthenticated outsider (using a standard, free GitHub account) opens a malicious Pull Request (PR) or leaves a specifically crafted comment on an open repository.
The Execution: The target repository’s automated CI/CD pipeline triggers an action in response to the PR or comment.
The Privilege Escalation: Because of flawed workflow configurations, the pipeline treats the untrusted input with the elevated privileges of a project maintainer.
The Compromise: The pipeline executes the attacker’s payload inside the runner environment. Within minutes, the attacker can forge approvals, bypass branch protections, push malicious code directly into production, or exfiltrate long-lived repository secrets.
“No organization membership or special privileges are required; a free account is enough to forge approvals, push code, or steal credentials.” > — Elad Meged, Founding Engineer & Security Researcher at Novee
The AI Multiplier Effect
A major driver behind the proliferation of Cordyceps is the massive uptick in the use of AI coding agents and assistants.
While AI tools allow developers to rapidly generate CI/CD configuration files (such as GitHub Actions YAML files), they frequently copy and paste legacy, insecure boilerplate configurations. When AI agents reproduce these vulnerable workflows at scale, the same architectural mistakes compound exponentially across millions of enterprise repositories. Traditional static code analyzers and linters fail to catch Cordyceps because each individual line of code functions exactly as it was instructed; the flaw lies purely in the unsafe composition of the automation flow.
Real-World Impact and Scale
To evaluate the scope of the threat, Novee conducted a scan of 30,000 high-impact repositories. The results were alarming:
654 repositories were initially flagged as vulnerable.
Over 300 repositories were confirmed to be fully exploitable to zero-click attacker code execution, credential theft, or supply chain compromise.
High-Profile Targets Affected
The vulnerability pattern successfully compromised or threatened workflows maintained by major tech giants and open-source foundations:
Microsoft: Researchers demonstrated an attack against Microsoft’s Azure Sentinel SIEM repository. By simply leaving a comment on a pull request, they triggered anonymous attacker code inside Microsoft’s CI environment, successfully exfiltrating a non-expiring GitHub App secret key.
Google: Google’s AI Agent Development Kit was flagged and confirmed to be impacted by the vulnerable workflow pattern.
Cloudflare, Apache, and PSF: Vulnerabilities were successfully verified against Cloudflare’s Workers SDK, Apache’s Doris analytics database (which was susceptible to two separate zero-click PR attacks), and the Python Software Foundation’s code formatter, Black.
Note: According to Novee, impacted organizations like Cloudflare and Apache quickly applied hardening patches, and there is currently no evidence that malicious actors have exploited this pattern broadly at scale.
Mitigation: How to Secure CI/CD Workflows
Security leaders must stop treating CI/CD configurations as simple setup files and start viewing them as high-risk code assets. To defend pipelines against Cordyceps attacks, organizations should enforce the following practices:
Isolate Untrusted Triggers: Avoid running automated scripts with elevated repository tokens on events triggered by external forks (e.g.,
pull_request_targetin GitHub Actions) unless strict approval gates are mandated.Enforce Strict Environment Permissions: Adhere to the principle of least privilege. Configure workflow permissions explicitly to read-only (
contents: read) by default, granting write permissions only when strictly necessary.Inventory Workflow Triggers: Conduct a thorough audit of all repository automation that acts dynamically upon user inputs, comments, or external PRs.
Implement Gatekeepers: Require mandatory maintainer approval before running CI/CD pipelines on any contributions submitted by first-time or external contributors.
References
Burt, J. (2026, July 6). Novee Uncovers Cordyceps: The Latest Threat to CI/CD Pipelines. DevOps.com. https://devops.com/novee-uncovers-cordyceps-the-latest-threat-to-ci-cd-pipelines/
Shubel, M. & Rachidi, Z. (2026, July 1). Cordyceps flaw pattern is more proof CI/CD is part of the attack surface. The New Stack. https://thenewstack.io/cordyceps-cicd/
Dark Reading. (2026, June 23). ‘Cordyceps’: Malicious Pull Requests Threaten CI/CD Workflows. Dark Reading Application Security Insights. https://www.darkreading.com/application-security/cordyceps-malicious-pull-requests-developer-workflows