On 24 June 2026, Elad Meged, security researcher and co-founder of Novee Security, published the full analysis of Cordyceps: a systemic class of vulnerabilities in GitHub Actions workflows that allows any user with a free GitHub account, without special permissions or membership in any organisation, to hijack CI/CD pipelines, steal permanent credentials and compromise the software supply chain of organisations that depend on those repositories. The name is a direct reference to the parasitic fungus Cordyceps, known for infecting its host, taking control of its behaviour and reproducing at its expense: exactly what this vulnerability class does to development workflows. Novee scanned approximately 30,000 high-impact repositories and confirmed more than 300 fully exploitable, including projects at Microsoft, Google, Apache, Cloudflare and the Python Software Foundation. It is not a CVE assigned to a single tool: it is a pattern of insecure composition in CI/CD configuration code that traditional scanners cannot detect because, technically, every individual file is working as designed.

What is Cordyceps and what has Novee Security's research revealed?

Facts documented by Novee Security, The Hacker News, Dark Reading, Security Boulevard, GBHackers and Hackread:

  • A vulnerability class, not a single CVE. Cordyceps describes a systemic pattern of vulnerabilities in GitHub Actions workflows combining command injection, broken authentication logic, artifact poisoning chains and cross-workflow privilege escalation. The problem does not reside in a single file: it exists in the composition of multiple workflows that create insecure trust boundaries that no scanner audits end-to-end.
  • Exploitable by any free GitHub account. The pattern can be triggered by an unauthenticated user with a free account. No org membership. No prior privileges. A simple pull request comment or a specially crafted branch name can trigger the full exploitation chain.
  • Confirmed scale. Of the 30,000 repositories scanned, 654 were flagged as potentially exploitable in a single automated pass, and more than 300 were confirmed fully exploitable with attacker-controlled code execution, credential theft or direct software supply chain compromise.
  • Microsoft, Google, Apache, Cloudflare and the Python Software Foundation confirmed impact. All vulnerabilities were responsibly disclosed to affected parties before publication. Microsoft and Google confirmed impact. Cloudflare and Apache applied hardening and fixes. Novee confirms no evidence of broad exploitation in production before the patches.
  • AI coding agents amplify the problem. Novee warns that AI agents generating CI/CD configurations at speed reproduce the same insecure patterns repeatedly across millions of repositories, exponentially multiplying risk. This is the same pattern the NCSC described two days earlier in its warning about vibe coding.
  • GitHub acted in parallel. On 18 June, GitHub updated its official actions/checkout action to block by default the most common pwn request patterns in pull_request_target workflows, reducing part of the attack surface Cordyceps exploits. The backport to all supported versions is scheduled for 16 July.

Why Cordyceps is different from a conventional vulnerability

Understanding why Cordyceps is hard to detect and remediate requires understanding that CI/CD configuration files (.yml files in GitHub Actions) are not passive: they are executable code that runs shell commands, manages signing keys, authenticates against cloud providers and publishes releases. Yet most teams treat them as simple configuration files, not security-critical code. Three characteristics make Cordyceps especially dangerous:

  1. The risk exists only in the composition, not in individual files. A security scanner reads a valid YAML file and considers it correct. An attacker reads that same file and identifies a four-step chain to permanent cloud credentials. The vulnerability is not in any individual step: it is in how the output of a low-privilege workflow flows into a high-privilege workflow whose token authenticates against a cloud provider with owner-level permissions.
  2. Workflows have access to very high-value assets. In many organisations, CI/CD pipelines have access to code signing keys, package registry publishing tokens (npm, PyPI, Docker Hub), cloud provider API keys, deployment secrets and production SSH keys. A compromised pipeline does not just give access to the repository: it gives access to everything the pipeline touches during execution.
  3. The impact is supply chain, not just repository. In the Python Software Foundation case, exploiting Cordyceps allowed stealing the Black formatter's bot token (130 million monthly installs) to forge PR approvals and create a downstream path to poisoning official Docker images. Any organisation that installs that package downstream becomes a potential victim without having done anything wrong.

The documented attacks: Microsoft, Google, Apache, Cloudflare and Python

  • Microsoft Azure Sentinel: a pull request comment executed attacker code on Microsoft's CI infrastructure and stole a non-expiring GitHub App key, granting persistent write access to security detection content deployed directly into customer Sentinel workspaces.
  • Google AI Agent Development Kit (adk-samples): a single pull request executed attacker code on Google's CI and granted authenticated control over the associated Google Cloud project at the highest available role (roles/owner).
  • Apache Doris: two zero-click attack vectors confirmed. A simple comment on any PR, or a PR from a fork, triggered the chain and resulted in theft of hardcoded CI credentials or a token with full write permissions over the repository.
  • Cloudflare Workers SDK: a specially crafted branch name triggered arbitrary command execution on Cloudflare's CI runners.
  • Python Black (130 million installs/month): any pull request could steal the project's bot token, enabling PR approval forgery and creating a downstream path to poisoning official Docker images.

How the Cordyceps exploitation chain works

  1. The attacker creates a pull request or comment from a free account. No org membership or special permissions required. The PR can be from a fork or simply a comment on an existing PR.
  2. A low-privilege workflow processes the untrusted input. The workflow is configured to run automatic actions when a PR or comment arrives. The configuration does not correctly validate that the input is not malicious before passing it to the next pipeline steps.
  3. The low-privilege workflow output crosses a trust boundary into a high-privilege workflow. The result (an artifact, environment variable or identifier) of the first workflow becomes input for the second, which has much higher permissions. No intermediate control verifies that input has not been tampered with.
  4. The high-privilege workflow executes the attacker payload with its credentials. With owner-level permissions over the repository or cloud project, the attacker can publish malicious packages, modify source code, steal all workflow secrets, or deploy backdoors into connected systems.
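The handoff in steps 2 to 4 only shows up when workflows are read together, so the check has to span files. The following is an added example, not code from Novee's research or tooling: it assumes each workflow has already been parsed into a dict, and the workflow names, secret names and `deploy.sh` are constructed.

```python
# Assumption: each workflow is the dict a YAML parser yields for one file under
# .github/workflows (note that PyYAML loads the bare key `on` as True).

def triggers(wf):
    """Normalise the three shapes `on:` can take into {event: config}."""
    on = wf.get("on", {})
    if isinstance(on, str):
        return {on: {}}
    if isinstance(on, list):
        return {t: {} for t in on}
    return {k: v or {} for k, v in on.items()}

def uses(wf, action):
    steps = [s for job in wf.get("jobs", {}).values() for s in job.get("steps", [])]
    return any(str(s.get("uses", "")).startswith(action + "@") for s in steps)

def privileged(wf):
    """True if the workflow holds a write-scoped token or references a secret."""
    perms = wf.get("permissions", {})
    writes = perms == "write-all" or (isinstance(perms, dict) and "write" in perms.values())
    return writes or "secrets." in repr(wf)

def tainted_handoffs(workflows):
    """(producer, consumer) pairs: a fork-triggerable workflow uploads an artifact
    and a privileged workflow_run workflow downloads it."""
    by_name = {wf["name"]: wf for wf in workflows}
    pairs = []
    for consumer in workflows:
        for name in triggers(consumer).get("workflow_run", {}).get("workflows", []):
            producer = by_name.get(name)
            if (producer and "pull_request" in triggers(producer)
                    and uses(producer, "actions/upload-artifact")
                    and uses(consumer, "actions/download-artifact")
                    and privileged(consumer)):
                pairs.append((name, consumer["name"]))
    return pairs

# Constructed repository: every file is valid on its own; only one pairing is risky.
SAMPLE = [
    {"name": "CI", "on": ["pull_request"],
     "jobs": {"build": {"steps": [{"uses": "actions/upload-artifact@v4"}]}}},
    {"name": "Preview", "on": {"workflow_run": {"workflows": ["CI"]}},
     "permissions": {"contents": "write"},
     "jobs": {"deploy": {"steps": [{"uses": "actions/download-artifact@v4"},
         {"run": "./deploy.sh", "env": {"TOKEN": "${{ secrets.DEPLOY_TOKEN }}"}}]}}},
    {"name": "Nightly", "on": {"schedule": [{"cron": "0 3 * * *"}]},
     "jobs": {"build": {"steps": [{"uses": "actions/upload-artifact@v4"}]}}},
    {"name": "Release", "on": {"workflow_run": {"workflows": ["Nightly"]}},
     "jobs": {"ship": {"steps": [{"uses": "actions/download-artifact@v4"},
         {"run": "npm publish", "env": {"NODE_AUTH_TOKEN": "${{ secrets.NPM_TOKEN }}"}}]}}},
]
```

Each pair returned marks a transfer point where the artifact has to be validated before the privileged workflow acts on it.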

Key lessons and mitigation checklist for development teams

  • Treat CI/CD configuration files as security-critical code, not passive infrastructure. GitHub Actions .yml files deserve the same level of code review and security auditing as application code. Include them explicitly in the Pull Request review process and SAST tooling.
  • Audit all workflows for untrusted inputs interpolated directly into shell commands. Building shell commands with variables derived directly from PR titles, bodies or branch names is the most common command injection pattern in Cordyceps. Look for patterns like run: echo ${{ github.event.pull_request.title }} or similar constructions.
  • Validate that trust boundaries between workflows are explicit and audited. If a low-privilege workflow passes output to a high-privilege workflow, that transfer point must be treated as a security boundary: output must be sanitised or validated before being consumed by the privileged workflow.
  • Update actions/checkout to the latest version. GitHub acted on 18 June by updating its official action to block by default the most common pwn request patterns in pull_request_target workflows.
  • Rotate all tokens and credentials stored as GitHub Actions secrets if there is no certainty that workflows have been correctly isolated since creation.
  • Include CI/CD auditing in pentesting scope. Static scanners do not detect Cordyceps because the risk exists in workflow composition, not individual files. It requires reasoning about cross-workflow trust chains, something only manual review or external attack validation tools can verify.
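For the second checklist item, an audit can start by flagging attacker-controlled expressions that land inside a `run:` script. The following is an added example, not code from the original research: the list of contexts is a selection of commonly untrusted ones, and both workflows are constructed samples.

```python
import re

# Contexts an outside contributor controls: PR title/body, branch name, comment text.
UNTRUSTED = re.compile(
    r"\$\{\{\s*(github\.(?:head_ref|event\.(?:pull_request\.(?:title|body|head\.ref)"
    r"|issue\.(?:title|body)|comment\.body|review\.body)))\s*\}\}")

def find_injections(workflow_text):
    """Return (line_no, context) for untrusted expressions inside run: scripts."""
    findings, run_indent = [], None
    for no, line in enumerate(workflow_text.splitlines(), 1):
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        if run_indent is not None and indent <= run_indent:
            run_indent = None  # dedent: the run: script has ended
        key = re.match(r"\s*(?:-\s+)?(?=run:)", line)
        if key:
            run_indent = key.end()  # column of the run: key itself
        if run_indent is not None:
            findings += [(no, ctx) for ctx in UNTRUSTED.findall(line)]
    return findings

# Constructed sample: the values are pasted into the script before the shell
# parses it, so the surrounding quotes give no protection.
VULNERABLE = """\
on: pull_request_target
jobs:
  greet:
    runs-on: ubuntu-latest
    steps:
      - run: |
          echo "New PR: ${{ github.event.pull_request.title }}"
          git log "${{ github.head_ref }}"
"""

# Constructed sample: the same value reaches the shell only as an environment variable.
HARDENED = """\
on: pull_request_target
jobs:
  greet:
    runs-on: ubuntu-latest
    steps:
      - env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: echo "New PR: $PR_TITLE"
"""

if __name__ == "__main__":
    for name, text in (("VULNERABLE", VULNERABLE), ("HARDENED", HARDENED)):
        print(name, find_injections(text))
```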

Cybersecurity as a strategic priority

Cordyceps is the culmination of three warnings the Apolo blog has documented this June. On 8 June we analysed how an AI agent in Claude Code's official GitHub Action could steal CI/CD secrets via prompt injection. On 23 June we covered the NCSC warning about how AI agents generating CI/CD configurations reproduce insecure patterns at scale. Cordyceps is the concrete, scaled manifestation of that chain: the same automation that accelerates development and that AI agents generate without supervision creates unaudited trust boundaries that any user with a free GitHub account can exploit. For Spanish organisations with CI/CD pipelines on GitHub, today's question is not whether they have any of the technologies affected by Cordyceps: it is whether their security teams audit GitHub Actions .yml files with the same rigour with which they audit application code.

Apolo Cybersecurity: CI/CD pipeline security audit and GitHub Actions review for Cordyceps

At Apolo Cybersecurity we help organisations assess their CI/CD pipeline exposure to the vulnerability class documented by Cordyceps: identification of untrusted inputs interpolated in shell commands in GitHub Actions workflows, audit of trust boundaries between workflows at different privilege levels, actions/checkout update status review, rotation of credentials and secrets stored in GitHub Actions, and integration of CI/CD security review into the development and pentesting process.

If your organisation has CI/CD pipelines on GitHub and GitHub Actions .yml files are not reviewed with the same security controls as application code, the Cordyceps research is the signal to incorporate that review.
