Cordyceps GitHub Actions Flaw Enabled CI/CD Pipeline Hijacking
Researchers at Novee disclosed Cordyceps, a class of systemic software supply chain flaws in GitHub Actions workflows that can let attackers hijack build and release pipelines through insecure trust-boundary crossings in CI/CD YAML configurations. The attack chains combine issues such as command injection, broken authentication logic, artifact poisoning, and privilege escalation across multiple workflows rather than a single misconfiguration. Novee said exploitation may require only a pull request or even a pull request comment from a free GitHub account, allowing low-privilege or unauthenticated attackers to execute malicious code, steal credentials, and potentially gain control of code repositories and connected cloud environments.
After scanning roughly 30,000 high-impact repositories, Novee flagged 654 projects and verified more than 300 as fully exploitable. Confirmed impact included repositories tied to Microsoft, Google, Apache, Cloudflare, and the Python Software Foundation, with examples including Azure Sentinel, Google adk-samples, Apache Doris, Black, and Cloudflare Workers tooling. The researchers said affected organizations have fixed the disclosed issues, but warned that AI coding agents are helping spread the same insecure CI/CD patterns across ecosystems including npm, PyPI, crates, and Go.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Novee publicly discloses the Cordyceps vulnerability class
Novee disclosed Cordyceps as a systemic GitHub Actions CI/CD supply-chain vulnerability class caused by insecure interactions across workflows, enabling attacks such as command injection, artifact poisoning, broken authentication abuse, and privilege escalation.
Major organizations fix Cordyceps-related workflow vulnerabilities
Confirmed fixes were made for affected repositories tied to organizations including Microsoft, Google, Apache, Cloudflare, and the Python Software Foundation after Novee disclosed the issues to tested projects.
Novee scans 30,000 repositories and verifies 300+ exploitable chains
Novee researchers scanned about 30,000 high-impact GitHub repositories, flagged hundreds of projects, and verified more than 300 as fully exploitable through the Cordyceps CI/CD vulnerability class.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
5 references tracked. Mallory keeps watching after this page renders.
Cordyceps CI/CD Flaws Expose 300+ GitHub Repositories to Supply-Chain Attacks
thehackernews.com
Open sourceExploitable CI/CD Vulnerabilities Expose Millions of Repositories to Hijacking - SecurityWeek
securityweek.com
Open source‘Cordyceps’ CI/CD Flaw Exposes Microsoft, Google, Apache Repos to Pipeline Hijacking
hackread.com
Open sourceCordyceps Supply Chain Flaw Impacting Code Repositories at thousands of Organizations
cybersecuritynews.com
Open source'Cordyceps': Mushrooming Malicious Pull Requests Threaten Developer Workflows
darkreading.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
AI-Assisted GitHub Actions Campaign Exploited `pull_request_target` to Steal Secrets
Researchers reported that the `prt-scan` campaign abused misconfigured GitHub Actions workflows using the `pull_request_target` trigger to run attacker-controlled code from forked pull requests in privileged CI contexts. The actor used at least six GitHub accounts to submit more than 500 malicious pull requests across six waves, disguising many as routine CI updates and tailoring payloads to Python, Node.js, Go, Rust, and GitHub Actions repositories. Wiz said the operation evolved from simple bash payloads into AI-assisted, repository-aware implants designed to steal `GITHUB_TOKEN` values, enumerate secrets, probe cloud metadata services, and exfiltrate credentials through workflow logs and pull request comments. The campaign succeeded often enough to cause real supply-chain impact despite an estimated success rate below 10%. Wiz confirmed compromise of the npm packages **`@codfish/eslint-config`** and **`@codfish/actions`** across 106 versions, and verified theft of AWS keys, Cloudflare API tokens, and Netlify authentication tokens. High-profile projects including Sentry, OpenSearch, IPFS, NixOS, Jina AI, and recharts reportedly blocked the attempts through contributor approval gates and workflow restrictions. The activity follows earlier warnings from Sysdig that insecure use of `pull_request_target` in prominent repositories such as MITRE, Splunk, and Spotipy could expose secrets and high-privilege `GITHUB_TOKEN` permissions, underscoring that unsafe GitHub Actions defaults remain an active software supply-chain risk.
Jun 8, 2026
Megalodon GitHub Supply Chain Attack Injected Malicious Actions into 5,561 Repos
Researchers disclosed a large-scale automated supply chain attack dubbed **Megalodon** that pushed **5,718 malicious commits** into **5,561 GitHub repositories** in less than six hours, using forged CI/CD bot identities and benign-looking commit messages to slip in malicious GitHub Actions workflow files. The workflows requested elevated permissions and carried base64-encoded bash payloads that executed after maintainers merged the changes, harvesting CI/CD environment data, cloud credentials, SSH keys, Docker and Kubernetes secrets, Vault and Terraform credentials, GitHub OIDC tokens, and other source-code and developer secrets. Investigators said the stolen data was exfiltrated over HTTP POST requests to **`216.126.225[.]129:8443`**, with two workflow variants observed, including payloads labeled **SysDiag** and **Optimize-Build**. The most visible downstream impact was a compromise of the **Tiledesk** repository, where a malicious workflow change led to the publication of poisoned **`@tiledesk/tiledesk-server`** npm versions **`2.18.6`** through **`2.18.12`**. Reporting tied the activity to a broader pattern of software supply chain abuse associated with **TeamPCP**, whose earlier incidents affected major open-source and commercial projects and prompted npm to invalidate some write-capable granular access tokens that could bypass 2FA protections. Security firms urged organizations to review repositories for unauthorized workflow changes, block the identified command-and-control infrastructure, rotate exposed secrets and keys, and inspect cloud and CI logs for signs of credential theft or cloud impersonation.
Jun 5, 2026
Claude Code GitHub Action Flaws Exposed CI/CD Secrets and Enabled Repo Takeover
Researchers disclosed multiple security flaws in Anthropic’s **Claude Code GitHub Action** that could let attackers compromise public repositories and expose CI/CD secrets through a single malicious GitHub issue or other untrusted content. One issue, reported by RyotaK of GMO Flatt Security, stemmed from an authorization bypass that trusted any GitHub actor whose name ended in `[bot]`, allowing attacker-controlled GitHub Apps to trigger workflows and inject malicious prompts. Anthropic said the bug could lead to disclosure of environment secrets, including credentials used to obtain OIDC tokens and Claude GitHub App installation tokens with write access, creating a path to repository takeover and broader supply-chain compromise. Microsoft Threat Intelligence separately showed that Claude Code’s `Read` tool was not sandboxed like its Bash tool, enabling access to sensitive runner data such as `/proc/self/environ` and leakage of secrets including `ANTHROPIC_API_KEY`. In lab testing, Microsoft demonstrated prompt-injection attacks that bypassed model safeguards and GitHub secret scanning to exfiltrate credentials through logs, comments, or external channels. Anthropic fixed the authorization issue within days of disclosure and later added hardening in `claude-code-action` `v1.0.94`, while the `/proc` exposure was mitigated in Claude Code `v2.1.128` by blocking access to sensitive procfs files; defenders were urged to treat AI-enabled CI/CD workflows processing untrusted issues, pull requests, and comments as high risk.
Jun 5, 2026