Novel GitHub Actions Attack Pattern Evades CI Security Scanners
A new attack pattern, dubbed Cordyceps, exploits GitHub Actions workflows, bypassing standard security scanners and enabling attackers to compromise high-impact repositories.

Researchers at Novee Security have disclosed a sophisticated attack pattern named Cordyceps that targets Continuous Integration and Continuous Deployment (CI/CD) pipelines, specifically leveraging GitHub Actions. This novel technique allows attackers to compromise sensitive repositories, including those managed by major tech companies like Microsoft, Google, and the Apache Software Foundation, without requiring any elevated privileges or organizational membership. The alarming aspect of this vulnerability is that it bypasses conventional security scanning tools, leaving pipelines appearing green and healthy even when actively exposed.
The core of the Cordyceps attack lies in the exploitation of specific GitHub Actions workflow triggers: pull_request_target and workflow_run. Unlike the more secure pull_request trigger, these two run within the context of the base repository, granting them access to secrets and a read-write GITHUB_TOKEN. Attackers can manipulate content within a pull request to induce these privileged workflows into executing malicious code. This is achieved through three primary mechanisms: command injection, where attacker-controlled data is directly interpolated into shell commands; code injection via actions/github-script, which evaluates attacker input as JavaScript; and cross-workflow privilege escalation, where a low-privilege workflow writes untrusted data to an artifact or output that a subsequent, high-privilege workflow then processes.
This attack vector circumvents standard security scanners because the vulnerability is not located within a single malicious file. Instead, it resides in the composition and interaction between multiple, individually valid YAML workflow files. Static and Dynamic Application Security Testing (SAST and DAST) tools typically pattern-match against individual files, failing to detect the chained exploit. As Shane Warden, Principal Architect at ActiveState, explains, "A scanner sees a workflow. An attacker sees a four-step chain to a permanent credential." This compositional vulnerability means that no single line of code is inherently wrong, leading scanners to report a false sense of security.
Novee Security demonstrated the severity of this pattern with real-world examples. In Microsoft's Azure Sentinel repository, a comment on a pull request was sufficient to execute attacker code, steal a non-expiring GitHub App key, and gain persistent write access to security content distributed to thousands of organizations. Similarly, in Google's AI Agent Development Kit sample repository, a single pull request could escalate privileges to roles/owner on the associated Google Cloud project. The Apache Software Foundation also confirmed a comparable credential theft path, which has since been patched.
The underlying issue stems from workflows being configured to implicitly trust input originating from external sources, such as pull requests from forks. This "trust boundary that no one audited" can accrete over time through seemingly innocuous commits. The rise of AI-generated workflows exacerbates this problem, as these tools can rapidly produce configurations with insecure patterns, potentially propagating mistakes across millions of repositories without clear provenance or human oversight.
This vulnerability class, Cordyceps, is particularly concerning because it does not map to a traditional CVE. This means it falls outside the standard enumeration models used by many security tools and vulnerability databases. NIST has acknowledged the increasing difficulty in enriching every CVE due to a surge in submissions, highlighting the growing challenge of tracking and mitigating novel risk patterns like Cordyceps.
While the named vendors have since implemented patches and hardened their systems, the Cordyceps pattern remains largely unaddressed by default across the broader industry. ActiveState recommends several immediate mitigation steps, including preferring pull_request over pull_request_target for untrusted contributions, avoiding checking out pull request head code within privileged workflows, passing event data through quoted environment variables, defaulting permissions to read-only, pinning third-party actions to specific commit SHAs, and gating privileged workflows with manual approval for new contributors.
Ultimately, addressing this class of vulnerability requires a shift in how CI/CD pipelines are governed. The durable control lies in establishing robust governance frameworks that can adapt to evolving threats, especially those amplified by AI-driven development. As AI continues to accelerate software supply chain complexity, organizations must proactively re-evaluate their security postures to ensure that automated processes do not inadvertently create new, hard-to-detect attack surfaces.