    Cordyceps CI/CD Flaws Expose 300+ GitHub Repositories to Supply-Chain Attacks

By InfoForTech, June 24, 2026, 3 mins read

Ravie Lakshmanan, Jun 24, 2026, Open Source / Supply Chain Security

    Cybersecurity researchers have flagged a new class of CI/CD workflow weakness that allows attackers to hijack workflows and compromise open-source supply chains.

    The “critical exploitable pattern” has been codenamed Cordyceps by Novee Security. The issue can allow full attacker control of repositories at dozens of the largest organizations worldwide, including Microsoft, Google, Apache, and Cloudflare.

    “The flaw is exploitable by any unauthenticated user,” Elad Meged, founding engineer and security researcher at Novee Security, said. “No org membership or special privileges; a free account is enough to forge approvals, push code, or steal credentials.”

    The penetration-testing company’s scan of about 30,000 high-impact repositories has revealed more than 300 to be fully exploitable, enabling attacker-controlled code execution, credential theft, and supply chain compromise, which can have severe downstream impacts.

The core of the problem comes down to weak CI/CD configurations that grant pull requests (PRs) more permissions than they should have. A PR is a proposal to merge code changes from one branch, often on a fork, into the main project. When an untrusted PR can trigger a privileged workflow, one that runs with repository secrets or a write-capable token, attacker-controlled input such as a branch name or a PR comment can reach a shell step, or the PR's own code can be checked out and executed on the build runner. That opens the door to command injection, privilege escalation, and supply chain compromise.

    “This supply chain vulnerability lies in the foundational open-source plumbing the entire industry runs on, and the kind of issue that hides from scanners because, technically, every individual piece is working as designed,” Novee explained. “The workflow does what it was told. The vulnerability exists only in the composition – untrusted data crossing a trust boundary that no one audited.”

    On Microsoft’s Azure Sentinel, for example, Novee found a comment on a PR that could run anonymous attacker code on Microsoft’s CI and steal a non-expiring GitHub App key. In a similar case, a PR on Google’s AI Agent Development Kit (“adk-samples”) could execute attacker code on Google’s CI to gain complete authority over a Google Cloud repository.

    Other findings are listed below –

    • Apache Doris, where two zero-click attacks cause a single comment on any PR or a forked PR to run attacker code and exfiltrate hard-coded CI credentials or a token with full write permissions
    • Cloudflare Workers SDK, where a PR with a crafted branch name can execute arbitrary commands on Cloudflare’s CI runners
    • Python Software Foundation’s Black, where a single pull request from anyone could execute attacker code on Black’s build systems and steal the automation token, which can then be used to approve pull requests.
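The three patterns above (a comment on a PR that runs attacker code, a forked PR whose head is checked out and built under secrets, and a crafted branch name reaching a shell command) are all instances of the composition described earlier: untrusted PR data crossing into a job that holds credentials. As an added example, not Novee's scanner and not any affected project's code, the Python below audits a parsed GitHub Actions workflow for exactly those three compositions. The workflow dicts are constructed here in the shape `yaml.safe_load()` returns for a `.github/workflows/*.yml` file, so it runs offline without PyYAML; the trigger names, expression contexts and the `env:` mitigation are standard GitHub Actions behaviour, but the two workflows themselves are hypothetical, not the files of the repositories named in the article.

```python
"""Flag the untrusted-PR-to-privileged-job composition in a GitHub Actions workflow.

Checks: (1) a privileged trigger whose job checks out the PR's own head commit,
(2) a comment-driven job that runs `gh pr checkout` on an attacker-chosen PR,
(3) a PR-controlled value (branch name, comment body) spliced into a run: script.
Constructed example: WORKFLOW_WEAK / WORKFLOW_HARDENED are hand-written dicts in
the shape yaml.safe_load() returns; they are hypothetical, not any project's files.
"""
import re

# Events that run with repository secrets and a write-capable GITHUB_TOKEN even
# when the triggering actor is an anonymous fork contributor.
PRIVILEGED_TRIGGERS = {"pull_request_target", "issue_comment", "workflow_run"}

# Expression contexts an unauthenticated PR author controls (non-exhaustive list).
UNTRUSTED_RE = re.compile(
    r"github\.event\.pull_request\.head\.ref|github\.head_ref"
    r"|github\.event\.pull_request\.(title|body)"
    r"|github\.event\.comment\.body|github\.event\.issue\.(title|body)"
)
EXPR_RE = re.compile(r"\$\{\{\s*(.+?)\s*\}\}")
HEAD_REF_RE = re.compile(r"github\.event\.pull_request\.head\.(sha|ref)|github\.head_ref")
GH_PR_CHECKOUT_RE = re.compile(r"\bgh\s+pr\s+checkout\b")


def triggers(workflow):
    """Event names a workflow listens on. YAML 1.1 loaders turn the bare key
    `on` into the boolean True, so both spellings of the key are accepted."""
    on = workflow.get("on", workflow.get(True))
    if isinstance(on, str):
        return {on}
    if isinstance(on, (list, dict)):
        return set(on)
    return set()


def untrusted_expressions(script):
    """${{ }} expressions in a run: script whose value an attacker can populate."""
    return [m.group(1) for m in EXPR_RE.finditer(script) if UNTRUSTED_RE.search(m.group(1))]


def audit_workflow(workflow):
    """Return human-readable findings; an empty list means none of the patterns fired."""
    findings = []
    privileged = sorted(triggers(workflow) & PRIVILEGED_TRIGGERS)
    for job_name, job in (workflow.get("jobs") or {}).items():
        for idx, step in enumerate(job.get("steps") or []):
            where = f"{job_name}[{idx}]"
            uses = str(step.get("uses") or "")
            ref = str((step.get("with") or {}).get("ref") or "")
            run = str(step.get("run") or "")
            # (1) privileged trigger + checkout of the PR head: attacker code runs with secrets
            if privileged and uses.startswith("actions/checkout") and HEAD_REF_RE.search(ref):
                findings.append(f"{where}: {privileged} trigger checks out untrusted PR head via ref={ref}")
            # (2) comment-driven checkout of whichever PR the commenter points at
            if privileged and GH_PR_CHECKOUT_RE.search(run):
                findings.append(f"{where}: {privileged} trigger runs `gh pr checkout` on attacker-chosen PR")
            # (3) attacker-controlled text expanded into the shell script before it executes
            for expr in untrusted_expressions(run):
                findings.append(f"{where}: untrusted expression ${{{{ {expr} }}}} interpolated into run:")
    return findings


# Hypothetical weak workflow (constructed): secrets-bearing triggers, PR head checked
# out and built, branch name dropped straight into a shell command.
WORKFLOW_WEAK = {
    "name": "ci",
    True: {"pull_request_target": {"types": ["opened", "synchronize"]},  # `on:` as parsed
           "issue_comment": {"types": ["created"]}},
    "jobs": {
        "build": {"runs-on": "ubuntu-latest", "steps": [
            {"uses": "actions/checkout@v4",
             "with": {"ref": "${{ github.event.pull_request.head.sha }}"}},
            {"run": 'echo "Building ${{ github.event.pull_request.head.ref }}"\nnpm ci && npm test'},
        ]},
        "comment-bot": {"runs-on": "ubuntu-latest",
                        "if": "contains(github.event.comment.body, '/test')", "steps": [
            {"uses": "actions/checkout@v4"},
            {"run": "gh pr checkout ${{ github.event.issue.number }} && make test",
             "env": {"GH_TOKEN": "${{ secrets.BOT_TOKEN }}"}},
        ]},
    },
}

# Hardened counterpart (constructed): unprivileged pull_request trigger, read-only token,
# checkout of the merge ref GitHub computes, branch name passed via env rather than
# being expanded into the script text.
WORKFLOW_HARDENED = {
    "name": "ci",
    True: {"pull_request": {}},
    "permissions": {"contents": "read"},
    "jobs": {"build": {"runs-on": "ubuntu-latest", "steps": [
        {"uses": "actions/checkout@v4"},
        {"env": {"BRANCH": "${{ github.head_ref }}"},
         "run": 'echo "Building $BRANCH"\nnpm ci && npm test'},
    ]}},
}

if __name__ == "__main__":
    for label, wf in (("weak", WORKFLOW_WEAK), ("hardened", WORKFLOW_HARDENED)):
        print(label, "->", audit_workflow(wf) or "no findings")
```

The weak workflow produces three findings, one per pattern; the hardened one produces none, because `pull_request` gives a fork no secrets and a read-only token, the checkout takes GitHub's merge ref rather than a PR-supplied ref, and the branch name reaches the shell as an environment variable instead of being pasted into the script. A real audit would load each workflow with `yaml.safe_load()` and also walk reusable workflows and composite actions, which this example does not do.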

Following responsible disclosure, both Microsoft and Google confirmed the impact, while Cloudflare, the Python Software Foundation, and Apache have applied hardening and patches.

    “The nature of agentic coding means these CI/CD vulnerabilities are reproduced persistently, at scale, ‘infecting’ repositories at an exponential rate,” Meged said. “Because anonymous users can use them to gain control over the software supply chain, we like to think of it as ‘puppeteering’ the repositories of some of the world’s biggest companies, silently manipulating their workflows.”
