Cordyceps CI/CD Flaws Put 300+ GitHub Repos at Risk of Supply-Chain Attacks

Security researchers have identified a new class of CI/CD vulnerability that lets attackers hijack workflows and compromise open-source supply chains. The flaw has been codenamed Cordyceps by security firm Novee Security.

The core issue is deceptively simple: weak CI/CD configurations give pull requests more permissions than they should have. An untrusted PR (code from an outside contributor) can trigger privileged workflows. From there, an attacker gets command injection, privilege escalation, and full repo compromise.

“The flaw is exploitable by any unauthenticated user,” said Elad Meged, founding engineer at Novee Security. “A free account is enough to forge approvals, push code, or steal credentials.”

Novee scanned roughly 30,000 high-impact repositories and found more than 300 fully exploitable. Some of the biggest names in tech are affected.

On Microsoft Azure Sentinel, a single PR comment could run attacker-controlled code on Microsoft’s CI and steal a non-expiring GitHub App key. On Google’s AI Agent Development Kit, a crafted PR gave an attacker full authority over a Google Cloud repository. Apache Doris had two zero-click attacks — just a comment on any PR or a forked one — that exfiltrated hardcoded CI credentials. Cloudflare Workers SDK had a branch-name injection that ran arbitrary commands on their CI runners. Even the Python Software Foundation’s Black formatter was vulnerable.

Since disclosure, Microsoft and Google confirmed impact. Cloudflare, Python, and Apache have applied patches and hardening.
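For maintainers checking their own workflows, the following added example (not code from Novee or any of the affected projects) flags untrusted PR or comment values expanded directly inside a `run:` step, and shows a weak workflow beside a hardened one. The article does not name specific triggers or expressions; the standard GitHub Actions names used here are assumed to match its description, the scan is a text heuristic, and both sample workflows are constructed.

```python
import re
# Triggers that run with the base repository's token and secrets, even for forks.
PRIVILEGED = ("pull_request_target", "issue_comment", "workflow_run")
# Expression values chosen by whoever opens the PR or writes the comment.
UNTRUSTED = re.compile(r"\$\{\{\s*(github\.(?:head_ref|event\.(?:comment|issue|"
                       r"pull_request)\.(?:title|body|head\.ref)))\s*\}\}")
RUN_KEY = re.compile(r"^(\s*(?:-\s+)?)run:(.*)$")

def audit_workflow(text):
    """Return (line_no, message) findings for one workflow file's text."""
    lines = text.splitlines()
    triggers = [t for t in PRIVILEGED
                if any(re.search(rf"\b{t}\b", l.split("#")[0]) for l in lines)]
    findings, run_col = [], None
    for no, line in enumerate(lines, 1):
        indent = len(line) - len(line.lstrip())
        m = RUN_KEY.match(line)
        if m:                                  # entering a run: step
            run_col, body = len(m.group(1)), m.group(2)
        elif run_col is not None and line.strip() and indent <= run_col:
            run_col, body = None, ""           # left the run: block
        else:
            body = line if run_col is not None else ""
        for expr in UNTRUSTED.findall(body):
            where = f" under {', '.join(triggers)}" if triggers else ""
            findings.append((no, f"{expr} expanded inside run:{where}"))
    return findings

# Constructed samples: the branch name is pasted into the shell script (weak)
# versus passed as an environment variable the shell treats as data (hardened).
WEAK = """\
on: pull_request_target
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - run: |
          echo "Building ${{ github.head_ref }}"
"""
HARDENED = """\
on: pull_request
permissions:
  contents: read
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - env:
          BRANCH: ${{ github.head_ref }}
        run: |
          echo "Building $BRANCH"
"""
```

`audit_workflow(WEAK)` reports line 7; `audit_workflow(HARDENED)` returns no findings because the expression only appears under `env:`.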

The bigger concern is what’s ahead. As AI coding tools become standard, these CI/CD weaknesses get reproduced at scale automatically. Novee warns that “agentic coding” will keep re-creating the same patterns, silently handing attackers the keys to the software supply chain.