Cordyceps Vulnerabilities Endanger Over 300 GitHub Repositories of Major Corporations

At a glance: Unauthenticated attackers can manipulate privileged processes and take over code repositories through insecure permission configurations in GitHub Actions.

Security research firm Novee Security has discovered a new class of CI/CD vulnerabilities endangering over 300 GitHub repositories of major corporations—attackers only need a free user account to exploit them.

The vulnerabilities, termed “Cordyceps,” involve configuration errors in GitHub Actions YAML files when processing pull requests. Through faulty permission assignments, external, unverified actors can manipulate automation workflows. The individual technical components function flawlessly—the risk arises only from insecure combinations and interconnections across internal trust boundaries, which is why traditional security scanners frequently overlook these patterns.

Novee Security examined approximately 30,000 influential code repositories and identified 654 suspicious configurations; over 300 of them were fully exploitable. Affected organizations include Microsoft (Azure Sentinel), Google (AI Agent Development Kit), Apache Doris, Cloudflare Workers SDK, and the Python Software Foundation (Black). The documented attack vectors range from unauthenticated code execution through token theft to manipulation of software supply chains—for instance, via manipulated pull request comments or altered branch names.

Elad Meged, founding engineer at Novee Security, emphasizes: "A free account is sufficient to forge releases, upload code, or steal credentials. No organizational membership or special privileges are required."

The spread of the vulnerabilities is accelerated by AI-powered code generation tools that automatically and uncontrollably duplicate insecure configuration patterns across millions of repositories. Following notification by the researchers, Microsoft and Google have officially confirmed the risks; Cloudflare, Apache, and the Python Software Foundation have already implemented security patches and hardening measures.


Source: www.it-daily.net · Published 25 June 2026
Lumi AI News — AI-assisted curation pursuant to Article 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.1.