Cordyceps vulnerabilities have emerged as a CI/CD security issue affecting open-source repositories tied to Microsoft, Google, Apache, Cloudflare, and the Python Software Foundation.
Security firm Novee said researchers identified over 300 exploitable workflow chains during a scan of 30,000 repositories. The flaws allowed attackers to steal credentials, inject code, and compromise software supply chains by abusing gaps between GitHub Actions workflow files. Novee said all disclosed issues have been fixed.
How Cordyceps attack chains worked
Novee described Cordyceps as a vulnerability class named after the parasitic fungus that controls its host. In this case, the weakness could allow anyone with a free GitHub account to influence trusted automation inside open-source projects.
GitHub Actions workflows are used to test, build, and publish software. However, researchers said these files are often treated as configuration rather than security-critical code.
The attack path began when an external user submitted a pull request or left a comment on a public repository. A lower-privilege workflow then accepted that outside input as trusted data. That output could pass into another workflow running with elevated permissions and access to credentials.
Researchers said the second workflow could contain cloud tokens, package registry credentials, or signing keys. At that stage, an attacker could steal non-expiring tokens or gain lasting control over repository operations. Each step could appear safe alone, while the full handoff exposed the risk.
Major repositories affected by disclosures
Novee reported confirmed vulnerabilities across major organizations. Microsoft’s Azure Sentinel contained a pull request comment path that could trigger attacker code on Microsoft CI infrastructure. Researchers said it could also expose a non-expiring GitHub App key, allowing persistent write access to security detection content sent to customer Sentinel workspaces.
Google’s AI Agent Development Kit repository, with more than 9,200 GitHub stars, contained a flaw where one pull request could give an attacker the highest permission level, listed as roles/owner, on the linked Google Cloud project.
Apache’s Doris Analytics Database had two zero-click attack paths. One could let a comment on any pull request steal hardcoded CI credentials. Another could let a forked pull request steal a token with full write permissions across code, packages, and pages.
Patches completed as AI risk remains
Cloudflare’s Workers SDK, centered on the Wrangler CLI toolchain, was vulnerable to command execution through a crafted branch name. The Python Software Foundation’s Black formatter, downloaded over 130 million times, had a flaw that could expose its bot token and allow further pull request approvals.
Novee confirmed to Dark Reading that these workflow patterns were not exploited before patches were applied. Meged recommended that CISOs treat CI/CD workflow files as security-critical code, especially as AI coding agents continue reproducing insecure patterns.
