Cordyceps Flaw Exposes 300+ GitHub Repos at Microsoft, Google, and Apache to Supply Chain Attacks

Security researchers at Novee Security have disclosed a systemic class of CI/CD workflow vulnerabilities — dubbed Cordyceps — that expose more than 300 GitHub repositories to supply chain attacks. Affected organizations include Microsoft, Google, Apache, Cloudflare, the Python Software Foundation, LLVM, and OpenHands. No organizational access is required: a free GitHub account is sufficient to exploit vulnerable repositories.

The vulnerability was named after the parasitic fungus known for hijacking its hosts. Like the fungus, Cordyceps quietly embeds itself in software development pipelines and grants attackers control over code that ultimately ships to end users.

How the Attack Works

The root cause is misconfigured GitHub Actions workflows that grant pull requests more permissions than they should. When maintainers allow pull_request_target or similar triggers without restricting secrets access, any external contributor can open a PR that runs workflow jobs with full repository permissions — including the ability to push code, read CI credentials, and publish to package registries.

Novee identified four distinct attack patterns across the affected repositories: command injection (where attacker-controlled input such as branch names or PR titles is interpolated directly into shell commands), code injection (untrusted data evaluated at runtime in JavaScript workflows), broken authorization logic that fails silently, and cross-workflow privilege escalation where a low-privilege workflow's output flows into a high-privilege one.

Scale of Exposure

The firm's scan of approximately 30,000 high-impact repositories flagged 654 for further review and confirmed more than 300 as fully exploitable — meaning an attacker could execute arbitrary code in the CI environment, steal credentials, and tamper with packages published to npm, PyPI, Rust crates, or Go modules.

Specific confirmed targets include Microsoft's Azure Sentinel SIEM, Google's AI Agent Development Kit sample repositories, Apache Doris (an analytics database), Cloudflare's Workers SDK and Wrangler CLI, and Python's Black code formatter. Researchers warn the underlying patterns are being reproduced at scale by AI-assisted coding tools, potentially affecting millions of repositories beyond those already identified.

Implications for Open-Source Security

Supply chain attacks have become one of the most consequential threat vectors in software security since the SolarWinds and XZ Utils incidents. Cordyceps demonstrates that the attack surface is not limited to malicious maintainers or compromised packages — misconfigured automation pipelines at the world's most sophisticated engineering organizations create the same end result.

Novee describes the fix as "straightforward once you know where to look," but that's cold comfort for the thousands of projects that don't yet know they're exposed. Organizations using GitHub Actions should audit their workflow trigger permissions immediately, restrict secrets access to trusted contexts, and review any workflow that runs on untrusted pull request events, as reported by The Hacker News.