A newly discovered supply chain flaw is putting thousands of organizations at serious risk.
Named Cordyceps after the parasitic fungus known for taking over its hosts, this critical vulnerability quietly burrows into software development pipelines and gives attackers full control of code repositories at some of the biggest companies in the world.
The flaw targets CI/CD workflows, the automated pipelines developers use to build, test, and release software.
These workflows run shell commands, hold signing keys, authenticate to cloud providers, and publish releases. Yet they are widely treated as simple configuration files rather than security-critical code. That gap in perception is exactly what Cordyceps exploits.
Researchers at Novee identified this systemic class of exploitable vulnerabilities across the open-source supply chain, noting patterns of command injection, broken authentication logic, artifact poisoning chains, and privilege escalation in GitHub Actions workflows.
Novee said in a report shared with Cyber Security News (CSN) that the team scanned roughly 30,000 high-impact repositories and confirmed hundreds of fully exploitable attack chains.
What makes this discovery alarming is not just the technical depth of the flaw, but its accessibility. Any person with a free GitHub account can exploit it without needing special privileges or organizational membership.
A single pull request, or even a comment on one, can be enough to trigger the chain and hand an outsider full control of a project’s build pipeline.
The downstream reach is enormous. When one compromised repository supplies software that thousands of organizations depend on, a single attack can ripple outward into banks, cloud environments, AI labs, and end-user devices.
Fixes have been confirmed at major organizations including Microsoft, Google, Apache, Cloudflare, and the Python Software Foundation.
Cordyceps Supply Chain Flaw
The most dangerous aspect of Cordyceps is how it hides in plain sight. The exploit chains are multi-step, meaning no single piece looks dangerous on its own.
An untrusted pull request triggers a low-privilege workflow, whose output flows into a high-privilege workflow, which then authenticates to a cloud environment with the highest possible permissions.
Every step appears normal, but the combination creates a clear path to full control. This is what makes the vulnerability so hard to catch with traditional security scanners.
Standard tools check single files for known patterns, but the risk in Cordyceps only exists in how multiple workflows interact with each other. A scanner sees valid YAML configuration. An attacker sees a four-step chain leading to permanent credential access.
Novee confirmed that over 300 repositories were fully exploitable. In Microsoft’s Azure Sentinel, a comment on a pull request was enough for an attacker to steal a non-expiring GitHub App key.
For Google’s AI Agent Development Kit, a single pull request could hand an attacker the highest Google Cloud role. In Apache’s Doris, two zero-click attack paths were confirmed, both leading to credential theft and direct code modification rights.
AI Is Compounding the Problem at Scale
One of the most troubling findings in the Cordyceps research is the role AI coding agents are playing in spreading the flaw.
As developers rely more heavily on AI tools to generate CI/CD configuration files quickly, those tools reproduce the same insecure patterns over and over. The result is the same class of vulnerability being quietly planted across potentially millions of repositories.
Novee’s team pulled data across the npm, PyPI, crates, and Go ecosystems and flagged 654 repositories in a single scan.
The proven impact covered the full build and release pipeline, touching everything from code pushes to protected branches to credential theft across AWS, GCP, and Netlify.
Organizations that run software on GitHub or depend on open-source projects that do are urged to assess their exposure. The fix, once identified, is straightforward.
Security teams should treat workflow code with the same rigor as application code, conduct cross-workflow audits, and ensure that trust boundaries between low-privilege and high-privilege workflows cannot be crossed by untrusted inputs like pull request titles, branch names, or comment bodies.
