Cordyceps Supply Chain Flaw Impacting Code Repositories at Thousands of Organizations
By Tushar Subhra Dutta
June 23, 2026
A newly discovered supply chain flaw is putting thousands of organizations at serious risk.
Named Cordyceps after the parasitic fungus known for taking over its hosts, this critical vulnerability quietly burrows into software development pipelines and gives attackers full control of code repositories at some of the biggest companies in the world.
The flaw targets CI/CD workflows, the automated pipelines developers use to build, test, and release software.
These workflows run shell commands, hold signing keys, authenticate to cloud providers, and publish releases. Yet they are widely treated as simple configuration files rather than security-critical code. That gap in perception is exactly what Cordyceps exploits.
Researchers at Novee identified this systemic class of exploitable vulnerabilities across the open-source supply chain, noting patterns of command injection, broken authentication logic, artifact poisoning chains, and privilege escalation in GitHub Actions workflows.
Novee said in a report shared with Cyber Security News (CSN) that the team scanned roughly 30,000 high-impact repositories and confirmed hundreds of fully exploitable attack chains.
What makes this discovery alarming is not just the technical depth of the flaw, but its accessibility. Any person with a free GitHub account can exploit it without needing special privileges or organizational membership.
A single pull request, or even a comment on one, can be enough to trigger the chain and hand an outsider full control of a project’s build pipeline.
The downstream reach is enormous. When one compromised repository supplies software that thousands of organizations depend on, a single attack can ripple outward into banks, cloud environments, AI labs, and end-user devices.
Fixes have been confirmed at major organizations including Microsoft, Google, Apache, Cloudflare, and the Python Software Foundation.
Cordyceps Supply Chain Flaw
The most dangerous aspect of Cordyceps is how it hides in plain sight. The exploit chains are multi-step, meaning no single piece looks dangerous on its own.
An untrusted pull request triggers a low-privilege workflow, whose output flows into a high-privilege workflow, which then authenticates to a cloud environment with the highest possible permissions.
Every step appears normal, but the combination creates a clear path to full control. This is what makes the vulnerability so hard to catch with traditional security scanners.
Standard tools check single files for known patterns, but the risk in Cordyceps only exists in how multiple workflows interact with each other. A scanner sees valid YAML configuration. An attacker sees a four-step chain leading to permanent credential access.
Novee confirmed that over 300 repositories were fully exploitable. In Microsoft’s Azure Sentinel, a comment on a pull request was enough for an attacker to steal a non-expiring GitHub App key.
For Google’s AI Agent Development Kit, a single pull request could hand an attacker the highest Google Cloud role. In Apache’s Doris, two zero-click attack paths were confirmed, both leading to credential theft and direct code modification rights.
AI Is Compounding the Problem at Scale
One of the most troubling findings in the Cordyceps research is the role AI coding agents are playing in spreading the flaw.
As developers rely more heavily on AI tools to generate CI/CD configuration files quickly, those tools reproduce the same insecure patterns over and over. The result is the same class of vulnerability being quietly planted across potentially millions of repositories.
Novee’s team pulled data across the npm, PyPI, crates, and Go ecosystems and flagged 654 repositories in a single scan.
The proven impact covered the full build and release pipeline, touching everything from code pushes to protected branches to credential theft across AWS, GCP, and Netlify.
Organizations that run software on GitHub or depend on open-source projects that do are urged to assess their exposure. The fix, once identified, is straightforward.
Security teams should treat workflow code with the same rigor as application code, conduct cross-workflow audits, and ensure that trust boundaries between low-privilege and high-privilege workflows cannot be crossed by untrusted inputs like pull request titles, branch names, or comment bodies.
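The two points made above, that single-file scanners miss chains built from how workflows interact and that untrusted event fields must not cross into shell steps or privileged workflows, can be turned into a small cross-workflow audit. The script below is an added example, not code from the article or from Novee's tooling. It reads a set of workflow files as plain text (no YAML library, so it runs offline), flags `${{ ... }}` expressions that interpolate attacker-controlled event fields directly into `run:` steps, and links a privileged `workflow_run` consumer that downloads an artifact back to the `pull_request`-triggered producer that built it. The list of untrusted context fields, the file names, and the three sample workflows (including the hardened step that passes the PR title through an environment variable) are constructed assumptions for illustration.

```python
import re
from collections import namedtuple
# Context fields a fork contributor or commenter controls; assumption drawn from GitHub's event
# payload docs, not from the article. Extend for your own workflows.
UNTRUSTED = [r"github\.event\.(issue|pull_request)\.(title|body)", r"github\.event\.(comment|review)\.body",
             r"github\.event\.pull_request\.head\.(ref|label)", r"github\.head_ref"]
UNTRUSTED_RE = re.compile(r"\$\{\{[^}]*?(" + "|".join(UNTRUSTED) + r")[^}]*\}\}")
Finding = namedtuple("Finding", "workflow line rule detail")

def _triggers(text):
    """Trigger names under `on:` (flow list, bare scalar, or one-level block form)."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"^on:\s*(.*)$", line)
        if not m:
            continue
        if m.group(1).strip():  # `on: push` or `on: [push, pull_request]`
            return {t.strip().strip("\"'[]") for t in m.group(1).split(",")}
        found = set()
        for nxt in lines[i + 1:]:  # block form: two-space keys until the next top-level key
            if re.match(r"^\S", nxt):
                break
            if re.match(r"^  \w+:", nxt):
                found.add(nxt.split(":")[0].strip())
        return found
    return set()

def _run_scripts(text):
    """Yield (line_no, script) per `run:` step; a block scalar continues while indented past `run`."""
    lines, i = text.splitlines(), 0
    while i < len(lines):
        m = re.match(r"^(\s*-?\s*)run:\s*(.*)$", lines[i])
        if not m:
            i += 1
            continue
        start, col, value = i + 1, len(m.group(1)), m.group(2).strip()
        if value[:1] in ("|", ">"):
            body, i = [], i + 1
            while i < len(lines) and (not lines[i].strip() or len(lines[i]) - len(lines[i].lstrip()) > col):
                body.append(lines[i])
                i += 1
            yield start, "\n".join(body)
        else:
            yield start, value
            i += 1

def audit(workflows):
    """{filename: yaml_text} -> findings: untrusted input inside shell steps, and privileged
    workflow_run consumers that download artifacts built by pull_request-triggered workflows."""
    findings = []
    names = {n.group(1).strip("\"'"): f for f, t in workflows.items()
             if (n := re.search(r"^name:\s*(.+?)\s*$", t, re.M))}
    for fname, text in workflows.items():
        for line, script in _run_scripts(text):
            for m in UNTRUSTED_RE.finditer(script):
                findings.append(Finding(fname, line, "untrusted-input-in-run", m.group(1)))
        if "workflow_run" in _triggers(text) and "actions/download-artifact" in text:
            srcs = re.search(r"workflows:\s*\[([^\]]*)\]", text)
            for src in (srcs.group(1).split(",") if srcs else []):
                pf = names.get(src.strip().strip("\"'"))
                if pf and "pull_request" in _triggers(workflows[pf]) and "actions/upload-artifact" in workflows[pf]:
                    findings.append(Finding(fname, 0, "cross-workflow-artifact-chain",
                                            f"consumes an artifact built by {pf} from a pull_request"))
    return findings

# Constructed samples (not from the article): a pull_request CI that interpolates the PR title into a
# shell step and uploads an artifact, a privileged deployer that consumes it, and a hardened CI step.
SAMPLE = {
    "ci.yml": """name: CI
on: [pull_request]
jobs:
  build:
    steps:
      - run: |
          echo "Building ${{ github.event.pull_request.title }}"
      - uses: actions/upload-artifact@v4
        with: {name: dist, path: dist/}
""",
    "deploy.yml": """name: Deploy
on:
  workflow_run:
    workflows: ["CI"]
permissions: {id-token: write, contents: write}
jobs:
  publish:
    steps:
      - uses: actions/download-artifact@v4
        with: {name: dist}
      - run: ./publish.sh dist/
""",
    "safe.yml": """name: Safe CI
on: [pull_request]
jobs:
  build:
    steps:
      - env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: echo "Building $PR_TITLE"
""",
}
```

Run `audit(SAMPLE)` and it reports the title interpolation in `ci.yml` and the `ci.yml` to `deploy.yml` artifact chain, while `safe.yml` produces nothing: the expression sits in `env:`, so the shell receives the title as data rather than as part of the command line. The chain finding is the kind of signal a per-file scanner cannot produce, and it is the cue to validate or re-verify the artifact in the consumer before anything authenticates to a cloud provider with it.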