In a nutshell: Attackers exploit CI/CD vulnerabilities in established open-source products to inject code via pull requests.
A campaign called “Cordyceps” infiltrates popular open-source projects through fake pull requests. Targets include Microsoft’s Azure Sentinel, Google’s AI Agent Development Kit, Apache’s Doris analytics database, Cloudflare’s Workers SDK, and the Python Software Foundation’s Black.
The “Cordyceps” campaign exploits a structural weakness in CI/CD workflows: malicious pull requests are introduced into code repositories and, if merged without proper review, can allow malware or backdoors to reach production systems.
The attackers are going after high-traffic, widely distributed projects. The identified targets are Microsoft’s Azure Sentinel (security monitoring), Google’s AI Agent Development Kit, Apache’s Doris (analytics database), Cloudflare’s Workers SDK (serverless functions), and Black (the Python formatter maintained by the Python Software Foundation).
The risk lies in the fact that compromised versions of these projects can spread through dependency chains into thousands of downstream projects. For CISOs, this means: vulnerabilities in the open-source supply chain require tightened code review processes, automated security checks in CI/CD pipelines, and continuous monitoring of dependency sources.
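As an added illustration of the "tightened code review" control the article calls for (this is example code, not from the article or any of the named projects): a merge-gate policy check that looks at which files a pull request touches and how many maintainer approvals it has, and refuses to let a PR that rewrites the build or release pipeline merge on a single rubber-stamp review. The path patterns, approval thresholds and the `PullRequest` record are assumptions for illustration.

```python
"""Merge-gate policy for pull requests (added example, not the article's code).
Given a PR's changed paths and review metadata, decide whether it may merge
or must be held for more human review. Thresholds and patterns are assumed."""
from dataclasses import dataclass, field
from fnmatch import fnmatch

# Files that control what CI/CD executes: a PR editing these can change what
# the pipeline runs or ships, so they get the strictest review requirement.
PIPELINE_PATHS = (".github/workflows/*", ".github/actions/*", "Makefile",
                  "setup.py", "pyproject.toml", "package.json", "Dockerfile",
                  "scripts/release*")
# Dependency manifests and lockfiles: a changed pin can pull in a bad package.
DEPENDENCY_PATHS = ("requirements*.txt", "poetry.lock", "package-lock.json",
                    "go.sum", "Cargo.lock")
# Minimum maintainer approvals per risk category (assumed policy values).
REQUIRED_APPROVALS = {"code": 1, "dependency": 2, "pipeline": 2}


@dataclass
class PullRequest:
    author_is_maintainer: bool          # is the author a trusted maintainer?
    approvals_from_maintainers: int     # approvals by maintainers, not by anyone
    changed_files: list = field(default_factory=list)


def classify_paths(paths):
    """Return the highest-risk category among the touched paths."""
    risk = "code"
    for p in paths:
        if any(fnmatch(p, pat) for pat in PIPELINE_PATHS):
            return "pipeline"           # nothing outranks pipeline changes
        if any(fnmatch(p, pat) for pat in DEPENDENCY_PATHS):
            risk = "dependency"
    return risk


def merge_decision(pr):
    """Return (allowed, reason). External contributors need one extra
    maintainer approval on top of the per-category minimum."""
    risk = classify_paths(pr.changed_files)
    needed = REQUIRED_APPROVALS[risk] + (0 if pr.author_is_maintainer else 1)
    have = pr.approvals_from_maintainers
    if have >= needed:
        return True, f"{risk} change: {have} maintainer approvals (needed {needed})"
    return False, f"{risk} change needs {needed} maintainer approvals, has {have}"


if __name__ == "__main__":
    # Constructed sample: an outside contributor editing a CI workflow.
    pr = PullRequest(False, 1, [".github/workflows/ci.yml", "src/app.py"])
    print(merge_decision(pr))   # held for review
```

Wire a check like this into branch protection as a required status so the rule is enforced by the platform rather than by reviewer memory.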
Source: www.darkreading.com · Published June 23, 2026
Lumi AI News — AI-assisted curation pursuant to Article 50 EU AI Act. Paraphrasing and classification by Lumi News Pipeline v1.7.1.