Cordyceps CI/CD Flaws Expose 300+ GitHub Repositories to Supply-Chain Attacks
Novee Security's research on Cordyceps CI/CD vulnerabilities was covered by The Hacker News — exposing how over 300 GitHub repositories, including those of Microsoft, Google, and Cloudflare, are vulnerable to supply chain attacks.
Cybersecurity researchers have flagged a new class of CI/CD workflow weakness that allows attackers to hijack workflows and compromise open-source supply chains.
The “critical exploitable pattern” has been codenamed Cordyceps by Novee Security. The issue can allow full attacker control of repositories at dozens of the largest organizations worldwide, including Microsoft, Google, Apache, and Cloudflare.
“The flaw is exploitable by any unauthenticated user,” Elad Meged, founding engineer and security researcher at Novee Security, said. “No org membership or special privileges; a free account is enough to forge approvals, push code, or steal credentials.”
The penetration-testing company’s scan of about 30,000 high-impact repositories has revealed more than 300 to be fully exploitable, enabling attacker-controlled code execution, credential theft, and supply chain compromise, which can have severe downstream impacts.
The core of the problem comes down to weak CI/CD configurations that grant pull requests (PRs) more permissions than they should have. PRs are proposals to merge code changes from one branch into the main project. When an untrusted PR can trigger a privileged workflow, it opens the door to command injection, privilege escalation, and supply chain compromise.
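To make the "untrusted PR triggers a privileged workflow" weakness concrete, here is a small workflow checker written for this page. It is an added example, not Novee Security's scanner and not code from the article, and it does not encode the specifics of the Cordyceps pattern, which the page does not detail. It assumes two well-known GitHub Actions patterns as the illustration: a job triggered by `pull_request_target` (or `issue_comment`/`workflow_run`) that checks out the PR's head commit, so fork-supplied code runs with the base repository's secrets and a write-capable token, and a `run:` script that interpolates attacker-controlled fields such as the PR title or branch name directly into the shell. The two sample workflows are constructed; the "vulnerable" one beside its hardened form shows the misconfiguration and the fix (read-only permissions, a `pull_request` trigger, untrusted values passed through `env:`).

```python
import re

# Events whose jobs run in the base repository's context (secrets available,
# write-capable GITHUB_TOKEN) even when the pull request comes from a fork.
PRIVILEGED_TRIGGERS = {"pull_request_target", "issue_comment", "workflow_run"}

# Expression contexts a pull-request author controls. Constructed list of the
# common ones, not an exhaustive one.
UNTRUSTED_CONTEXTS = re.compile(
    r"github\.(event\.pull_request\.(title|body|head\.ref|head\.repo\.\w+)"
    r"|head_ref|event\.comment\.body|event\.issue\.(title|body)|event\.review\.body)"
)
PR_HEAD_REF = re.compile(r"github\.(event\.pull_request\.head\.(sha|ref)|head_ref)")
EXPRESSION = re.compile(r"\$\{\{(.*?)\}\}")
RUN_KEY = re.compile(r"^(-\s+)?run:\s*(.*)$")


def _indent(line):
    return len(line) - len(line.lstrip())


def parse_triggers(lines):
    """Event names under the top-level 'on:' key (scalar, flow-list or block form)."""
    triggers, in_block, child_indent = set(), False, None
    for line in lines:
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if _indent(line) == 0:  # a new top-level key
            m = re.match(r'^(?:"on"|on):\s*(.*)$', stripped)
            in_block = bool(m)
            if m and m.group(1).startswith("["):
                triggers.update(t.strip(" \"'") for t in m.group(1).strip("[]").split(",") if t.strip())
            elif m and m.group(1):
                triggers.add(m.group(1).strip("\"'"))
        elif in_block:  # direct children of on: are the event names
            child_indent = child_indent or _indent(line)
            if _indent(line) == child_indent:
                triggers.add(stripped.split(":")[0].lstrip("- ").strip("\"'"))
    return triggers


def analyze_workflow(text):
    """Return (line_number, rule, detail) tuples for the two weak patterns."""
    lines = text.splitlines()
    privileged = parse_triggers(lines) & PRIVILEGED_TRIGGERS
    findings, in_run, run_indent = [], False, 0

    def check_script(no, fragment):  # expressions expanded inside a shell script
        for expr in EXPRESSION.findall(fragment):
            hit = UNTRUSTED_CONTEXTS.search(expr)
            if hit:
                findings.append((no, "expression-injection",
                                 f"{hit.group(0)} is expanded into a shell script; pass it via env: instead"))

    for no, line in enumerate(lines, 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = _indent(line)
        if in_run and indent <= run_indent:  # block scalar of the run: step has ended
            in_run = False
        m = RUN_KEY.match(stripped)
        if m:
            list_item, body = m.group(1), m.group(2)
            if body.rstrip() in ("|", "|-", "|+", ">", ">-", ">+"):
                in_run, run_indent = True, indent + (len(list_item) if list_item else 0)
                continue
            check_script(no, body)
        elif in_run:
            check_script(no, stripped)
        elif privileged and re.search(r"\bref:\s*\$\{\{", stripped) and PR_HEAD_REF.search(stripped):
            findings.append((no, "untrusted-checkout",
                             f"checks out the PR head under {sorted(privileged)} with secrets and a write token"))
    return findings


# Constructed sample: privileged trigger, PR-head checkout, untrusted values in shell.
VULNERABLE_WORKFLOW = """\
name: pr-check
on:
  pull_request_target:
    types: [opened, synchronize]
permissions:
  contents: write
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: |
          echo "Checking ${{ github.event.pull_request.title }}"
          npm install && npm test
      - name: label
        run: gh pr edit ${{ github.event.pull_request.number }} --add-label "${{ github.head_ref }}"
"""

# Constructed sample: unprivileged trigger, read-only token, untrusted value via env.
HARDENED_WORKFLOW = """\
name: pr-check
on:
  pull_request:
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: |
          echo "Checking $PR_TITLE"
          npm install && npm test
"""

if __name__ == "__main__":
    for name, wf in (("vulnerable", VULNERABLE_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(name, analyze_workflow(wf) or "no findings")
```

The checker is deliberately line-based rather than a full YAML parser, so it needs no dependencies and can be dropped into a pre-commit hook over `.github/workflows/*.yml`; the trade-off is that unusual YAML layouts (flow mappings, anchors) will slip past it. The `env:` indirection in the hardened form is the standard fix for the second rule: an expression expanded into an environment variable assignment is never re-parsed by the shell, whereas one expanded into the script text is.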
Read the full article at The Hacker News →
Originally published in The Hacker News on Jun 24, 2026 by Ravie Lakshmanan