• Home
  • cyber
  • Cloudflare, Python Software Foundation, Apache and Google: Cordyceps Supply chain Vulnerability Impacting Code Repositories at thousands of Organizations
cyber Vulnerability

Cloudflare, Python Software Foundation, Apache and Google: Cordyceps Supply chain Vulnerability Impacting Code Repositories at thousands of Organizations

Jun 23, 2026 3 min read
Cloudflare, Python Software Foundation, Apache and Google: Cordyceps Supply chain Vulnerability Impacting Code Repositories at thousands of Organizations

Critical CI/CD Vulnerability "Cordyceps" Exposes Supply Chain Risks in GitHub Workflows

A newly identified vulnerability pattern, dubbed Cordyceps, reveals systemic flaws in GitHub Actions workflows that allow unauthenticated attackers to hijack software supply chains. Unlike a single bug, this issue stems from insecure workflow compositions combining command injection, broken authentication, and cross-workflow privilege escalation creating multi-step exploit chains accessible from free GitHub accounts.

Security firm Novee scanned 30,000 high-impact repositories, identifying 654 instances of the vulnerability and validating over 300 fully exploitable chains. Major organizations, including Microsoft, Google, Apache, Cloudflare, and the Python Software Foundation, confirmed fixes after disclosures. The flaw’s scale suggests millions of repositories could be affected.

At its core, Cordyceps exploits the misclassification of GitHub Actions YAML files as "configuration" rather than code. Despite executing shell commands, managing tokens, and publishing releases, these workflows often bypass the security scrutiny applied to application code. This oversight enables seemingly harmless steps like outputs or environment variables to carry untrusted data into high-privilege workflows, leading to credential theft, artifact poisoning, or malicious releases.

Novee’s research uncovered high-impact examples:

  • Microsoft’s Azure Sentinel: A pull request comment executed attacker code, stealing a non-expiring GitHub App key with persistent write access to customer deployments.
  • Google’s AI Agent Development Kit: A single PR triggered CI code with owner-level Google Cloud permissions.
  • Apache Doris: Two zero-click attack paths exfiltrated CI credentials and tokens with broad repository write access.
  • Cloudflare’s Workers SDK: PR branch names could execute arbitrary commands on CI runners.
  • Python’s Black project: A malicious PR ran on build systems, hijacked automation tokens, and approved pull requests as the project bot, risking tainted releases for millions of users.

Traditional security tools fail to detect Cordyceps because they analyze workflows in isolation, missing cross-workflow attack paths. Novee’s approach combined large-scale scanning with AI-driven validation to simulate end-to-end exploits.

The vulnerability is exacerbated by modern development practices, where AI-generated CI/CD templates propagate insecure patterns rapidly across projects. Mitigation requires treating workflows as code enforcing least privilege, sanitizing inputs, isolating untrusted workflows, and testing for malicious PRs.

The findings underscore that supply chain security now hinges on CI/CD rigor, demanding the same scrutiny as application code.

Source: https://gbhackers.com/cordyceps-supply-chain-vulnerability/

Cloudflare TPRM report: https://www.rankiteo.com/company/cloudflare

Python Software Foundation TPRM report: https://www.rankiteo.com/company/thepsf

Apache TPRM report: https://www.rankiteo.com/company/the-apache-software-foundation

Google TPRM report: https://www.rankiteo.com/company/google

"id": "theclogoothe1782224973",
"linkid": "the-apache-software-foundation, cloudflare, google, thepsf",
"type": "Vulnerability",
"date": "6/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'industry': 'Technology/Cloud Services',
                        'name': 'Microsoft (Azure Sentinel)',
                        'size': 'Large',
                        'type': 'Corporation'},
                       {'industry': 'Technology/AI',
                        'name': 'Google (AI Agent Development Kit)',
                        'size': 'Large',
                        'type': 'Corporation'},
                       {'industry': 'Software/Open Source',
                        'name': 'Apache (Doris)',
                        'size': 'Large',
                        'type': 'Open Source Foundation'},
                       {'industry': 'Technology/Cloud Services',
                        'name': 'Cloudflare (Workers SDK)',
                        'size': 'Large',
                        'type': 'Corporation'},
                       {'customers_affected': 'Millions of users',
                        'industry': 'Software/Open Source',
                        'name': 'Python Software Foundation (Black project)',
                        'size': 'Large',
                        'type': 'Open Source Foundation'}],
 'attack_vector': ['Command Injection',
                   'Broken Authentication',
                   'Cross-Workflow Privilege Escalation'],
 'data_breach': {'sensitivity_of_data': 'High (GitHub App keys, Google Cloud '
                                        'permissions, repository write access)',
                 'type_of_data_compromised': ['Credentials',
                                              'Tokens',
                                              'Automation Tokens']},
 'description': 'A newly identified vulnerability pattern, dubbed *Cordyceps*, '
                'reveals systemic flaws in GitHub Actions workflows that allow '
                'unauthenticated attackers to hijack software supply chains. '
                'The flaw stems from insecure workflow compositions combining '
                'command injection, broken authentication, and cross-workflow '
                'privilege escalation, creating multi-step exploit chains '
                'accessible from free GitHub accounts. Security firm Novee '
                'scanned 30,000 high-impact repositories, identifying 654 '
                'instances of the vulnerability and validating over 300 fully '
                'exploitable chains. Major organizations, including Microsoft, '
                'Google, Apache, Cloudflare, and the Python Software '
                'Foundation, confirmed fixes after disclosures.',
 'impact': {'brand_reputation_impact': 'Potential reputational damage due to '
                                       'supply chain compromise',
            'data_compromised': ['Credentials', 'Tokens', 'Automation Tokens'],
            'operational_impact': 'Risk of artifact poisoning, malicious '
                                  'releases, and credential theft',
            'systems_affected': ['GitHub Actions Workflows',
                                 'CI/CD Pipelines']},
 'investigation_status': 'Confirmed and partially remediated',
 'lessons_learned': 'Supply chain security hinges on CI/CD rigor, demanding '
                    'the same scrutiny as application code. Traditional '
                    'security tools fail to detect cross-workflow attack '
                    'paths, necessitating AI-driven validation and large-scale '
                    'scanning.',
 'post_incident_analysis': {'corrective_actions': 'Fixes implemented by '
                                                  'affected organizations, '
                                                  'adoption of secure CI/CD '
                                                  'practices',
                            'root_causes': 'Misclassification of GitHub '
                                           'Actions YAML files as '
                                           'configuration rather than code, '
                                           'lack of security scrutiny for '
                                           'workflows, propagation of insecure '
                                           'patterns via AI-generated CI/CD '
                                           'templates'},
 'recommendations': ['Treat GitHub Actions workflows as code',
                     'Enforce least privilege principles',
                     'Sanitize inputs in workflows',
                     'Isolate untrusted workflows',
                     'Test for malicious pull requests',
                     'Use AI-driven validation for end-to-end exploit '
                     'simulation'],
 'references': [{'source': 'Novee Security Research'}],
 'response': {'containment_measures': ['Fixes confirmed by affected '
                                       'organizations'],
              'remediation_measures': ['Treating workflows as code',
                                       'Enforcing least privilege',
                                       'Sanitizing inputs',
                                       'Isolating untrusted workflows',
                                       'Testing for malicious PRs'],
              'third_party_assistance': 'Novee (Security Firm)'},
 'title': "Critical CI/CD Vulnerability 'Cordyceps' Exposes Supply Chain Risks "
          'in GitHub Workflows',
 'type': 'Supply Chain Attack',
 'vulnerability_exploited': 'Insecure GitHub Actions workflows misclassified '
                            'as configuration rather than code, enabling '
                            'untrusted data to carry into high-privilege '
                            'workflows'}
Published by
Jeremy C
Jeremy C
You might also like
Great! Next, complete checkout for full access to Rankiteo Blog.
Welcome back! You've successfully signed in.
You've successfully subscribed to Rankiteo Blog.
Success! Your account is fully activated, you now have access to all content.
Success! Your billing info has been updated.
Your billing was not updated.