Cordyceps flaws let anyone with a free GitHub account hijack CI/CD pipelines at Microsoft, Google, and Apache

Source: Cryptopolitan

Security firm Novee has revealed Cordyceps as a class of exploitable CI/CD vulnerabilities across open-source repositories that allowed attackers to steal credentials, push malicious code, and compromise operations at some of the world’s largest software organizations.

These vulnerabilities were found across repositories belonging to Microsoft, Google, Apache, Cloudflare, and the Python Software Foundation, all of which say they have since fixed them.

What is the Cordyceps vulnerability? 

The security firm Novee has uncovered a dangerous new class of vulnerabilities in CI/CD pipelines that it refers to as “Cordyceps.” The name “Cordyceps” comes from a parasitic fungus that takes over its host, as this flaw lets anyone with a free GitHub account take control of popular open-source projects. 

The vulnerabilities were discovered across repositories belonging to Microsoft, Google, Apache, Cloudflare, and the Python Software Foundation. A single scan of 30,000 repositories revealed 300 fully exploitable attack chains. 

Attackers are able to steal credentials, inject malicious code, and compromise software supply chains through these vulnerabilities. The issues have been fixed, but researchers warn that AI coding assistants will keep reproducing them across millions of repositories. 

GitHub Actions workflows handle important tasks like running tests, building software, and publishing releases, but they are often treated as simple configuration files rather than security-critical code. 

The attack chain usually begins when an outsider, which can be anyone with a free GitHub account, submits a pull request or leaves a comment on a public repository. A low-privilege workflow that accepts the outsider’s input as if it were trusted data is then activated.

From there, the output flows into a second workflow that runs with elevated permissions. This second workflow might hold cloud provider authentication tokens, package registry credentials, or signing keys. And at this point, the attacker can either steal non-expiring tokens or permanently compromise the repository. 

According to security researchers, every individual step in these chains can pass a security audit on its own. The vulnerability only appears when someone traces the path of untrusted data across the full sequence of workflow handoffs. 
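The cross-workflow trace the researchers describe can be automated. The scanner below is an added example, not Novee's tooling: it takes GitHub Actions workflows already loaded into dicts (e.g. with yaml.safe_load), and flags every `workflow_run` job that holds write permissions or reads secrets while consuming artifacts from a workflow that any outsider can trigger. The sample workflow pair is constructed for illustration.

```python
# Scanner for the workflow handoff described above (added example, not Novee's tool).
# Assumes workflows are already loaded into dicts (e.g. yaml.safe_load); YAML 1.1
# parsers such as PyYAML read a bare `on:` key as boolean True, handled below.
UNTRUSTED_EVENTS = {"pull_request", "pull_request_target", "issue_comment"}

def triggers(wf):
    """Event names a workflow listens to; `on` may be a string, list or mapping."""
    on = wf.get("on", wf.get(True, {}))
    return {on} if isinstance(on, str) else set(on)

def steps(wf):
    for job in wf.get("jobs", {}).values():
        yield from job.get("steps", [])

def uses_artifacts(wf):
    """True if a step consumes output produced by the triggering run."""
    return any(str(s.get("uses", "")).startswith("actions/download-artifact")
               or "workflow_run" in str(s.get("run", "")) + str(s.get("with", ""))
               for s in steps(wf))

def is_privileged(wf):
    """Explicit top-level write permissions, or any step that reads a secret."""
    perms = wf.get("permissions")
    if perms == "write-all" or (isinstance(perms, dict) and "write" in perms.values()):
        return True
    return any("secrets." in str(s.get("run", "")) + str(s.get("with", "")) + str(s.get("env", ""))
               for s in steps(wf))

def find_chains(workflows):
    """'upstream -> downstream' pairs where untrusted input reaches a privileged job."""
    by_name = {wf.get("name", path): wf for path, wf in workflows.items()}
    chains = []
    for path, wf in workflows.items():
        on = wf.get("on", wf.get(True, {}))
        if not isinstance(on, dict) or "workflow_run" not in on:
            continue
        for upstream in on["workflow_run"].get("workflows", []):
            up = by_name.get(upstream)
            if up and triggers(up) & UNTRUSTED_EVENTS and uses_artifacts(wf) and is_privileged(wf):
                chains.append(f"{upstream} -> {wf.get('name', path)}")
    return chains

# Constructed sample: a PR-triggered build hands an artifact to a job that trusts it.
SAMPLE = {
    "ci.yml": {"name": "CI", "on": ["pull_request"], "jobs": {"build": {"steps": [
        {"run": "echo ${{ github.event.number }} > pr_number"},
        {"uses": "actions/upload-artifact@v4", "with": {"name": "pr", "path": "pr_number"}}]}}},
    "comment.yml": {"name": "Comment", "on": {"workflow_run": {"workflows": ["CI"]}},
        "permissions": {"pull-requests": "write"}, "jobs": {"post": {"steps": [
            {"uses": "actions/download-artifact@v4", "with": {"name": "pr"}},
            {"run": "gh pr comment $(cat pr_number)", "env": {"GH_TOKEN": "${{ secrets.GITHUB_TOKEN }}"}}]}}}}
```

Running `find_chains(SAMPLE)` reports `CI -> Comment`; the same downstream workflow with read-only permissions and no secret references is not reported, which is the shape the fix should take.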

Which major companies were affected by the vulnerability?

Novee found and reported confirmed vulnerabilities at some of the world’s largest technology organizations. 

Microsoft’s Azure Sentinel, for instance, contained a pull request comment that could trigger attacker code execution on Microsoft’s CI infrastructure and steal a non-expiring GitHub App key. This key would have granted persistent write access to security detection content that Microsoft distributes to customer Sentinel workspaces.

Google’s AI Agent Development Kit repository, with over 9,200 GitHub stars, had a flaw in which a single pull request could let an attacker gain the highest permission level (roles/owner) on the associated Google Cloud project. 

In Apache’s Doris Analytics Database, researchers found two zero-click attack paths. One allowed a comment on any pull request to steal hardcoded CI credentials, while the other let a forked pull request steal a token with full write permissions across code, packages, and pages. 

Cloudflare’s Workers SDK, built around the Wrangler CLI toolchain, was vulnerable to arbitrary command execution triggered by a specially crafted branch name. 

The Python Software Foundation’s Black code formatter, which has over 130 million downloads, had a flaw where any pull request could steal the project’s automation bot token, which could then approve further pull requests.

Novee confirmed to Dark Reading that none of these workflow patterns were exploited before patches were applied. 

Meged recommends that CISOs treat CI/CD workflow files as security-critical code.
