
‘Cordyceps’ CI/CD Flaw: Any GitHub Account Can Hijack Pipelines at Microsoft, Google, and Apache

Source: The Hacker News / Novee Security / Dark Reading / Hackread

Security research firm Novee Security published details on 23 June 2026 of a systemic vulnerability class affecting GitHub Actions workflows across thousands of organisations. Named Cordyceps after the parasitic fungus that hijacks its host, the flaw allows any person with a free GitHub account to trigger a chain of events that ends with full control of a target repository, including the ability to steal long-lived credentials, forge pull request approvals, and inject malicious code into official releases.

A scan of approximately 30,000 high-impact repositories identified more than 300 that are fully exploitable today. Confirmed targets include Microsoft’s Azure Sentinel repository, where a comment on a pull request was sufficient to steal a non-expiring GitHub App key, and Python’s Black formatter, where any pull request could steal the project’s bot token and create a path to poisoning official Docker images distributed to 130 million installs per month.

How Cordyceps works

The vulnerability does not exploit a bug in GitHub itself. It exploits a combination of weak CI/CD workflow configurations that are widespread and difficult to detect through normal code review.

The attack flow follows a consistent three-step pattern:

Step 1: Low-privilege trigger. An external contributor, or an attacker with only a free GitHub account, opens or comments on a pull request. This triggers a GitHub Actions workflow configured with restricted permissions, as expected for untrusted contributions.

Step 2: Workflow handoff. The output of the low-privilege workflow is passed to a second, high-privilege workflow. This second workflow is triggered by the result of the first rather than directly by the pull request, which means it runs with elevated repository or organisation permissions.

Step 3: Credential access. The high-privilege workflow authenticates to cloud environments, artifact registries, or package repositories using secrets stored in the repository’s GitHub Actions configuration. Because the attacker controls the input to this workflow via the pull request content, they control what the high-privilege context does with those credentials.

Every step in the chain appears normal in isolation. The problem is the combination: a data path from an untrusted external contributor to a privileged execution context, with no sanitisation boundary between them.

What attackers can do once in

The consequences of successful Cordyceps exploitation depend on which secrets the high-privilege workflow holds. Confirmed impacts from the research include:

  • Theft of cloud provider credentials (AWS, Azure, GCP) stored as GitHub Actions secrets
  • Theft of package registry tokens enabling push access to npm, PyPI, or Docker Hub
  • Theft of non-expiring GitHub App keys with write access across an organisation
  • Forging pull request approvals to merge attacker-controlled code without human review
  • Injecting malicious code into official release artifacts

The credential theft paths are particularly significant for supply chain risk. A token with push access to a public package registry allows an attacker to publish a compromised version of a package to every downstream user without any further access to the upstream repository.

AI tools are amplifying the problem

One of the more unsettling findings in the Cordyceps research is the role that AI coding assistants are playing in spreading the vulnerable pattern. When developers use AI tools to generate CI/CD configuration files quickly, those tools reproduce the same insecure multi-step workflow pattern that Cordyceps exploits, because that pattern is common in the training data and looks structurally reasonable.

The result is that the same class of vulnerability is being quietly planted across potentially millions of repositories by developers who have no reason to suspect their AI-generated pipeline configuration is introducing a supply chain risk. Cordyceps may be the first documented example of an AI-accelerated vulnerability class at scale in CI/CD infrastructure.

GitHub’s response

GitHub is updating its actions/checkout action to block the class of pwn request attacks that Cordyceps exploits, with the change effective from 18 June 2026. The update adds a validation step that prevents the pattern of low-privilege trigger leading to high-privilege execution via workflow outputs.

However, the actions/checkout change addresses the most obvious exploitation path, not all variations. Novee Security notes that repositories using custom workflow logic that replicates the vulnerable pattern in other ways remain exposed even after the actions/checkout update.

How to assess your own pipelines

The Cordyceps flaw is a configuration issue, not a software bug, which means there is no patch to apply to a specific version. Remediation requires reviewing your GitHub Actions workflow files.

Workflows that warrant immediate review are those that:

  • Use pull_request_target or workflow_run triggers to handle contributions from external or forked repositories
  • Pass any data from a lower-privilege workflow into a higher-privilege context without explicit validation
  • Provide cloud credentials, registry tokens, or organisational secrets to workflows that can be triggered by external contributors

For organisations with many repositories, or with large GitHub organisations containing dozens or hundreds of workflow files, this review cannot be completed manually with confidence. Automated scanning across all .yml files in a GitHub organisation is the only practical way to identify the full exposure surface.
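
As a starting point for that kind of scan, the sketch below flags the three review criteria listed above in a single workflow file. It is an added example, not code from Novee Security or GitHub; the rule names, the list of contributor-controlled context values and the trimmed sample workflow are assumptions made for illustration, and it relies on indentation heuristics rather than a YAML parser.

```python
import re

RISKY_TRIGGERS = ("pull_request_target", "workflow_run")  # triggers the page names
SECRET = re.compile(r"\$\{\{\s*secrets\.(\w+)")
# Context values an outside contributor can set (heuristic list, an assumption)
UNTRUSTED = re.compile(r"github\.(head_ref|event\.(pull_request\.(head\.|title|body)"
                       r"|workflow_run\.head_|comment\.body))")
ARTIFACT = re.compile(r"uses:\s*actions/download-artifact")

def on_section(text):
    """Return the top-level `on:` block, found by indentation (no YAML parser)."""
    out = []
    for line in text.splitlines():
        if re.match(r"""["']?on["']?\s*:""", line):
            out = [line]
        elif out and line.strip() and not line[0].isspace():
            break  # next top-level key ends the block
        elif out:
            out.append(line)
    return "\n".join(out)

def scan(text):
    """Return (rule, line_number, detail) findings for one workflow file."""
    trig = [t for t in RISKY_TRIGGERS if re.search(rf"\b{t}\b", on_section(text))]
    findings = []
    for n, line in enumerate(text.splitlines() if trig else [], 1):
        for name in SECRET.findall(line):
            findings.append(("secret-in-privileged-workflow", n, name))
        if UNTRUSTED.search(line):
            findings.append(("untrusted-context-value", n, line.strip()))
        if "workflow_run" in trig and ARTIFACT.search(line):
            findings.append(("artifact-from-untrusted-run", n, line.strip()))
    return findings

# Constructed sample, trimmed to the relevant keys; not from any real repository
PRIVILEGED = """\
on:
  workflow_run:
    workflows: [build]
jobs:
  publish:
    steps:
      - uses: actions/download-artifact@v4
      - run: ./publish.sh "${{ github.event.workflow_run.head_branch }}"
        env:
          TOKEN: ${{ secrets.REGISTRY_TOKEN }}
"""

if __name__ == "__main__": print(*scan(PRIVILEGED), sep="\n")
```

Treat hits as candidates for review rather than confirmed exposure: a text heuristic cannot tell whether a value is validated before the privileged job uses it.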

The fact that Microsoft, Google, Apache, and Cloudflare repositories were found to contain the pattern should serve as a calibration point: if organisations of that size and security maturity are affected, the pattern is likely present in the majority of organisations that have built CI/CD workflows incrementally over time without a dedicated security review of the pipeline configuration layer.

The European supply chain risk angle

For European organisations, Cordyceps arrives in a regulatory environment where software supply chain security is increasingly a compliance matter. The EU Cyber Resilience Act requires manufacturers of products with digital elements to address supply chain vulnerabilities and maintain secure development pipelines. A Cordyceps-style compromise of a CI/CD pipeline used for product releases could constitute a supply chain security incident with mandatory notification obligations under NIS2 if critical infrastructure is in scope.

Beyond regulatory exposure, the practical risk is concrete: a single exploited repository at a software supplier can distribute malicious code to every customer of that supplier. The Black formatter example, with 130 million installs per month, illustrates the downstream blast radius.

If you need a review of your GitHub Actions workflows and CI/CD pipeline security posture, contact Excello Digital. We help European development teams find and fix the configuration patterns that create supply chain exposure before they are exploited.

These news items are automatically aggregated from industry sources and are not individually reviewed. Any inaccuracies are unintentional — let us know and we'll correct or remove it.
