
Cordyceps Flaws Compromise 300+ GitHub Repositories

"The flaw is exploitable by any unauthenticated user," Elad Meged, founding engineer and security researcher at Novee Security, said.

That blunt assessment sits at the center of a new disclosure from Novee Security that identifies a class of CI/CD workflow weaknesses codenamed "Cordyceps." According to the company's research, the pattern lets unauthenticated actors hijack continuous integration and delivery pipelines, enabling attacker-controlled code execution, credential theft, and broad open-source supply-chain compromise. A scan of about 30,000 high-impact repositories found more than 300 that Novee describes as fully exploitable.

Novee Security's Cordyceps discovery

Novee calls Cordyceps a "critical exploitable pattern" rooted in CI/CD configurations that inadvertently grant pull requests (PRs) higher privileges than intended. The company warns the issues are not single, obvious coding errors but the result of components working "as designed" while their composition creates a dangerous trust boundary. Novee's characterization stresses that the vulnerability is accessible to anyone with a free account and no special privileges.

How pull requests can cross trust boundaries

At the heart of Cordyceps is the way untrusted PRs can trigger privileged workflows. Novee explains, "This supply chain vulnerability lies in the foundational open-source plumbing the entire industry runs on, and the kind of issue that hides from scanners because, technically, every individual piece is working as designed." In practice, an untrusted PR can cause command injection, privilege escalation, or exfiltration of secrets when a CI/CD pipeline treats externally supplied data as trusted input.

Concrete, named examples and attack vectors

  • Microsoft Azure Sentinel: Novee reported a PR comment that could run anonymous attacker code on Microsoft's CI and steal a non-expiring GitHub App key.
  • Google AI Agent Development Kit ("adk-samples"): A pull request could execute attacker code on Google's CI to gain complete authority over a Google Cloud repository.
  • Apache Doris: Novee found two zero-click attacks where a single comment on any PR—or a forked PR—could run attacker code and exfiltrate hard-coded CI credentials or a token with full write permissions.
  • Cloudflare Workers SDK: A PR containing a crafted branch name could execute arbitrary commands on Cloudflare's CI runners.
  • Python Software Foundation's Black: A single pull request from anyone could execute attacker code on Black's build systems and steal the automation token, which could then be used to approve pull requests.

Novee warns these examples illustrate how untrusted inputs—comments, branch names, or forked PRs—can cross trust boundaries in ways that permit "attacker-controlled code execution, credential theft, and supply chain compromise, which can have severe downstream impacts."

Responsible disclosure and vendor responses

Following responsible disclosure, Novee reported that both Microsoft and Google confirmed the impact in the cases described. Cloudflare, the Python Software Foundation, and Apache applied hardening measures and patches, respectively, to address the reported weaknesses.

What this means for technologists, open-source maintainers, and enterprise security teams

  • Technologists and security teams: Expect to re-examine CI/CD configurations that grant PRs elevated permissions and to audit workflows for places where comments, branch names, or external inputs cross trust boundaries and may run privileged actions.
  • Open-source maintainers: Look for hard-coded CI credentials or automation tokens in build systems and consider how a single PR or comment might gain access to those artifacts; several of the named projects required post-disclosure hardening or patches.
  • Enterprise security and procurement leaders: The discovery underscores a supply-chain exposure that can propagate downstream—Novee's scan found more than 300 fully exploitable repositories among roughly 30,000 reviewed—so organizations depending on open-source components will need to track fixes and vendor responses closely.
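
One way to start the workflow audit described above, as an added example that is not Novee's tooling or code from any named project: a line-based heuristic that flags privileged GitHub Actions workflows expanding contributor-controlled values inside `run:` scripts or checking out the PR head. The article names comments, branch names and forked PRs but not the underlying mechanisms, so the trigger names and expression contexts listed here are assumptions drawn from GitHub Actions itself, and the two sample workflows are constructed.

```python
import re

# GitHub Actions events that run with the base repository's token and secrets
# even when an outside contributor's PR or comment caused the run.
PRIVILEGED_TRIGGERS = ("pull_request_target", "issue_comment", "workflow_run")
# Expression contexts whose value the PR author or commenter chooses.
UNTRUSTED_EXPR = re.compile(
    r"\$\{\{\s*(?:github\.head_ref"
    r"|github\.event\.(?:comment|issue|pull_request|review)\.(?:body|title)"
    r"|github\.event\.pull_request\.head\.(?:ref|label))\s*\}\}")
# actions/checkout pointed at the PR head fetches contributor-controlled code.
HEAD_CHECKOUT = re.compile(r"\bref:.*github\.event\.pull_request\.head\.(?:sha|ref)")

def audit_workflow(text):
    """Return (line_number, finding) pairs for one workflow file's text."""
    if not any(re.search(rf"\b{t}\b", text) for t in PRIVILEGED_TRIGGERS):
        return []  # heuristic scope: only workflows with a privileged trigger
    findings, run_indent = [], None
    for no, line in enumerate(text.splitlines(), 1):
        indent = len(line) - len(line.lstrip())
        if run_indent is not None and line.strip() and indent <= run_indent:
            run_indent = None  # dedent: the run: script has ended
        if re.match(r"\s*(?:-\s*)?run:", line):
            run_indent = indent
        if run_indent is not None and UNTRUSTED_EXPR.search(line):
            findings.append((no, "untrusted value expanded inside run: script"))
        if HEAD_CHECKOUT.search(line):
            findings.append((no, "PR head checked out under privileged trigger"))
    return findings

# Constructed sample workflows (not taken from any project named on the page).
HEADER = ("on:\n  pull_request_target:\njobs:\n  build:\n"
          "    runs-on: ubuntu-latest\n    steps:\n")
VULNERABLE = HEADER + """\
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: |
          echo "Building ${{ github.head_ref }}"
"""
HARDENED = HEADER + """\
      - env:
          BRANCH: ${{ github.head_ref }}
        run: |
          echo "Building $BRANCH"
"""
if __name__ == "__main__":
    for name, wf in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(name, audit_workflow(wf))
```

The hardened form passes the branch name through an environment variable, so the shell receives it as data rather than as part of the script text. Because the scan is regex-based and does not parse YAML, treat its findings as leads for manual review.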

Novee frames Cordyceps in stark terms: "The nature of agentic coding means these CI/CD vulnerabilities are reproduced persistently, at scale, 'infecting' repositories at an exponential rate," Meged said, adding that anonymous users can "puppeteer" repositories to silently manipulate workflows. The disclosure names concrete, patched or mitigated instances across major projects but leaves an urgent question: if anonymous actors can leverage Cordyceps-style weaknesses to gain control, how many additional repositories beyond the 300 found are likewise vulnerable and what downstream software will those compromises touch?
