CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership Jun 23, 2026

'Cordyceps': Mushrooming Malicious Pull Requests Threaten Developer Workflows

Dark Reading Archived Jun 23, 2026 ✓ Full text saved

The CI/CD workflow weakness affects Microsoft's Azure Sentinel, Google's AI Agent Development Kit, Apache's Doris analytics database, Cloudflare's Workers SDK, and Python Software Foundation's Black.

Full text archived locally
✦ AI Summary · Claude Sonnet


    APPLICATION SECURITY DATA PRIVACY THREAT INTELLIGENCE IDENTITY & ACCESS MANAGEMENT SECURITY NEWS 'Cordyceps': Mushrooming Malicious Pull Requests Threaten Developer Workflows The CI/CD workflow weakness affects Microsoft's Azure Sentinel, Google's AI Agent Development Kit, Apache's Doris analytics database, Cloudflare's Workers SDK, and Python Software Foundation's Black. Alexander Culafi,Senior News Writer,Dark Reading June 23, 2026 4 Min Read SOURCE: CHENGYUZHENG VIA GETTY IMAGES A new class of CI/CD workflow weakness enables attackers to use malicious pull requests to compromise software supply chains. Elad Meged, founding engineer and security researcher at penetration-testing firm Novee, published a blog post today covering a weakness dubbed "Cordyceps" that exists across code repositories at organizations large and small. The issue behind Cordyceps involves pull requests — the type of request developers make when they want a software code change to be merged into the main repository. Pull requests are, by design, open to developers that want to make open source software better, and merges are generally approved by a small group of maintainers or administrators, so the master code is updated safely. Novee alleges that the automated CI/CD workflows present in many repositories (i.e., the processes that exist between pull requests and merges) are weak from an access security perspective, and can be exploited by attackers in ways that create negative supply chain outcomes for users.  Related:DifyTap Bugs Let Attackers 'Wiretap' AI Chat Histories By targeting the automated workflows around repositories with targeted pull requests, attackers can potentially target signing keys and access tokens held by these workflows (which inherently require high privilege levels) to achieve command injection, privilege escalation, and supply chain compromise. How Cordyceps Threatens CI/CD Workflows Meged said that from a single scan, Novee flagged 654 repositories as potentially exploitable through this weakness, with 300 "confirmed fully exploitable" to things like attacker-controlled code execution, credential theft, or supply chain compromise. Additional consequences included publishing malicious code and packages to stores, forging CI checks, bypassing merge gates, bot impersonation, social engineering, and more. On Microsoft's Azure Sentinel, for example, Novee found a comment on a pull request could run anonymous attacker code on Microsoft's CI to steal a non-expiring GitHub App key. On Google's AI Agent Development Kit, a pull request could run attacker code on Google's CI to gain "authenticated control over the associated Google Cloud project" to gain full authority over a Google Cloud repository.  The vendor found it could also execute two zero-click attacks through pull requests on Apache's Doris analytics database, as well as attacks on Cloudflare's Workers SDK and Python Software Foundation's Black. Novee said Microsoft and Google confirmed impact, while Cloudflare and Apache applied hardening and fixes, respectively. Novee confirmed to Dark Reading that among the vendors that implemented fixes, workflow patterns were not exploited, and Meged tells Dark Reading, "There is no evidence that any attacker or group has applied the pattern broadly, at scale." That's not to say things couldn't change though, so companies need to lock down their developer workflows.  Related:FIFA Bug Exposes World Cup Streams to Remote Takeover Lock Your Workflows Down The primary reason so many repositories are vulnerable to this issue comes down to weak CI/CD configurations that give pull requests more access than non-maintainer accounts should have.  "This supply chain vulnerability lies in the foundational open source plumbing the entire industry runs on, and the kind of issue that hides from scanners because, technically, every individual piece is working as designed," the blog post read. "The workflow does what it was told. The vulnerability exists only in the composition — untrusted data crossing a trust boundary that no one audited." Another issue is that the ways Cordyceps manifests vary depending on the makeup repository, and learning you might be vulnerable requires knowing multiple steps.  As one might expect, "AI coding agents are scaling the problem," Meged wrote. "They generate CI/CD configuration fast and reproduce the same insecure patterns over and over, so the same mistakes can compound across millions of repositories." Related:Copilot 'SearchLeak' Attack Allows 1-Click Data Theft Ultimately, Cordyceps is not quite something that necessitates a CVE, but CI/CD workflows represent an interesting way into a repository — or potentially a whole supply chain — and are worthy of hardening. Meged says that chief  information security officers (CISOs) should think about CI/CD workflows as code assets subject to the same requirements as applications, because, simply put, "workflow code is code." He recommends CISOs address Cordyceps by inventorying the workflows that run untrusted input with elevated permissions, and lock said workflows down. "Just as with code, every input should be treated carefully, and roles should be scoped in detail," he says. "Oftentimes, organizations are not viewing YAML with the same critical lens as they do code, which is an oversight. Leverage trusted agentic tooling to identify which workflows could be exposed at scale." About the Author Alexander Culafi Senior News Writer, Dark Reading Alex is an award-winning writer, journalist, and podcast host based in Boston. After cutting his teeth writing for independent gaming publications as a teenager, he graduated from Emerson College in 2016 with a Bachelor of Science in journalism. He has previously been published on VentureFizz, Search Security, Nintendo World Report, and elsewhere.  At Dark Reading, he covers a variety of cybersecurity topics, including the cybercrime ecosystem, open source security, and the intersection between AI and threat actors. In his spare time, Alex hosts the weekly Nintendo podcast, "Talk Nintendo Podcast," and works on personal writing projects, including two previously self-published science fiction novels. He has received numerous awards, including TechTarget's Writer of the Year in 2022 as well as more than 10 Azbee awards for his reporting between 2022 and today.  Want more Dark Reading stories in your Google search results? ADD US NOW More Insights Industry Reports How Organizations Are Managing Incident Response How Enterprises Are Developing Secure Applications Inside RSAC 2026: security leaders reveal the risks redefining your defense strategy Essential News & Insights from Black Hat USA 2025 How Enterprises Are Harnessing Emerging Technologies in Cybersecurity Access More Research Webinars Say Yes to AI: Securing Innovation Without Compromise Zero Trust Identity: Beyond Traditional Authentication Advanced Persistent Threats: A Practical Guide to Detection and Response The Frontier AI Era: Why Cybersecurity Must Move at Machine Speed Build vs. Buy: The Hidden Cost of Building Your Own AI Security Stack More Webinars You May Also Like APPLICATION SECURITY Supply Chain Attack Secretly Installs OpenClaw for Cline Users by Rob Wright FEB 19, 2026 APPLICATION SECURITY Chinese Hackers Hijack Notepad++ Updates for 6 Months by Jai Vijayan, Contributing Writer FEB 02, 2026 APPLICATION SECURITY Trump Administration Rescinds Biden-Era Software Guidance by Alexander Culafi JAN 29, 2026 APPLICATION SECURITY Microsoft Fixes Exploited Zero Day in Light Patch Tuesday by Jai Vijayan, Contributing Writer DEC 09, 2025 Editor's Choice APPLICATION SECURITY FIFA Bug Exposes World Cup Streams to Remote Takeover byNate Nelson JUN 18, 2026 4 MIN READ CYBERSECURITY OPERATIONS EU Gets a Head Start in Developing 6G Network Security byNate Nelson JUN 18, 2026 4 MIN READ CYBER RISK UK Social Media Ban for Minors Has Privacy Experts Worried byRobert Lemos JUN 17, 2026 4 MIN READ Want more Dark Reading stories in your Google search results? Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox. SUBSCRIBE AUG 1-6 | MANDALAY BAY, LAS VEGAS USE CODE: DARKREADING & SAVE $200 ON A BRIEFINGS PASS OR $100 ON A BUSINESS PASS The premier cybersecurity event returns. GET YOUR PASS
    💬 Team Notes
    Article Info
    Source
    Dark Reading
    Category
    ◇ Industry News & Leadership
    Published
    Jun 23, 2026
    Archived
    Jun 23, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗