Cordyceps Supply Chain Flaw Exploits GitHub Actions to Hijack Code Repositories at Scale
A new class of supply-chain vulnerabilities named Cordyceps targets GitHub Actions CI/CD workflows, allowing unauthenticated attackers to take full control of code repositories via a single pull request.

Researchers at Novee have uncovered a systemic supply-chain vulnerability class dubbed Cordyceps that exploits weaknesses in GitHub Actions CI/CD workflows. The flaw enables unauthenticated attackers to chain together command injection, broken authentication, and artifact poisoning steps through a single pull request or comment, ultimately gaining full control over code repositories. Novee scanned roughly 30,000 high-impact repositories and confirmed over 300 fully exploitable attack chains, including chains at major organizations such as Microsoft Azure Sentinel, Google's AI Agent Development Kit, and Apache Doris.
The vulnerability class targets the automated pipelines developers use to build, test, and release software. These workflows often run shell commands, hold signing keys, authenticate to cloud providers, and publish releases, yet they are frequently treated as simple configuration files rather than security-critical code. Cordyceps exploits this gap by using multi-step chains where no single step appears dangerous on its own. An untrusted pull request triggers a low-privilege workflow, whose output flows into a high-privilege workflow, which then authenticates to a cloud environment with the highest permissions.
What makes Cordyceps particularly alarming is its accessibility. Any person with a free GitHub account can exploit it without needing special privileges or organizational membership. A single pull request, or even a comment on one, can be enough to trigger the chain and hand an outsider full control of a project's build pipeline. The downstream reach is enormous: when one compromised repository supplies software that thousands of organizations depend on, a single attack can ripple outward into banks, cloud environments, AI labs, and end-user devices.
Novee confirmed specific exploitable chains at major organizations. In Microsoft's Azure Sentinel, a comment on a pull request was enough for an attacker to steal a non-expiring GitHub App key. For Google's AI Agent Development Kit, a single pull request could hand an attacker the highest Google Cloud role. In Apache Doris, two zero-click attack paths were confirmed, both leading to credential theft and direct code modification rights. Fixes have been deployed at Microsoft, Google, Apache, Cloudflare, and the Python Software Foundation.
One of the most troubling findings in the Cordyceps research is the role AI coding agents are playing in spreading the flaw. As developers rely more heavily on AI tools to generate CI/CD configuration files quickly, those tools reproduce the same insecure patterns over and over. The result is the same class of vulnerability being quietly planted across potentially millions of repositories. Novee's team pulled data across the npm, PyPI, crates, and Go ecosystems and flagged 654 repositories in a single scan.
The proven impact covered the full build and release pipeline, touching everything from code pushes to protected branches to credential theft across AWS, GCP, and Netlify. Organizations that run software on GitHub or depend on open-source projects that do are urged to assess their exposure. The fix, once identified, is straightforward: security teams should treat workflow code with the same rigor as application code, conduct cross-workflow audits, and ensure that trust boundaries between low-privilege and high-privilege workflows cannot be crossed by untrusted inputs like pull request titles, branch names, or comment bodies.
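As an added illustration of the audit recommended above (not Novee's tooling and not code from the article), the following Python sketch flags untrusted GitHub context expressions expanded inside `run:` scripts and lists the privileged triggers a workflow declares. The field list, the trigger list, and both sample workflows are assumptions constructed for this example. It covers only the command-injection link of a chain, not artifact or cross-workflow flows.

```python
import re

# Context fields an outside contributor controls. The page names PR titles,
# branch names and comment bodies; this exact field list is an assumption.
UNTRUSTED = re.compile(
    r"\$\{\{\s*(github\.head_ref|github\.event\.(?:comment\.body"
    r"|pull_request\.(?:title|body|head\.ref)|issue\.(?:title|body)))\s*\}\}")
# Triggers that run with base-repository privileges (mapping form only).
PRIVILEGED = re.compile(r"^\s*(pull_request_target|workflow_run|issue_comment)\s*:", re.M)
RUN_KEY = re.compile(r"^(\s*(?:-\s+)?)run\s*:")

def audit(workflow_text):
    """Return (privileged_triggers, [(line_no, field), ...]) for run: scripts."""
    triggers = sorted(set(PRIVILEGED.findall(workflow_text)))
    findings, run_col = [], None
    for no, line in enumerate(workflow_text.splitlines(), 1):
        if not line.strip():
            continue
        m = RUN_KEY.match(line)
        if m:
            run_col = len(m.group(1))      # column where the run key starts
        elif run_col is not None and len(line) - len(line.lstrip()) <= run_col:
            run_col = None                 # dedent: the script block has ended
        if run_col is not None:
            # The expression is substituted into the script text before the shell runs.
            findings += [(no, f) for f in UNTRUSTED.findall(line)]
    return triggers, findings

# Constructed sample workflows (hypothetical, not taken from any project).
HEAD = """\
on:
  pull_request_target:
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - name: Log title
"""
VULNERABLE = HEAD + """\
        run: |
          echo "Title: ${{ github.event.pull_request.title }}"
          echo "Branch: ${{ github.head_ref }}"
"""
HARDENED = HEAD + """\
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: echo "$PR_TITLE"
"""
if __name__ == "__main__":
    print(audit(VULNERABLE), audit(HARDENED))
```

The hardened sample passes the title through `env:` so the shell receives it as data in a variable rather than as script text. A privileged trigger with no findings still warrants a manual look at what the workflow checks out and downloads.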
Cordyceps represents a significant evolution in supply-chain attacks, moving beyond package-level compromises to target the very pipelines that build and release software. As CI/CD workflows become more complex and AI-generated, the attack surface will only grow. The discovery underscores the urgent need for the industry to treat pipeline configuration as security-critical code and to implement automated cross-workflow analysis to detect these hidden chains before attackers do.