What happened
Security researchers at Novee have disclosed a new class of CI/CD workflow weakness dubbed “Cordyceps” that could allow attackers to abuse malicious pull requests and compromise software supply chains.
The research, published by Novee founding engineer and security researcher Elad Meged, highlights how automated workflows in code repositories can unintentionally grant excessive privileges to untrusted pull requests. Attackers may be able to exploit these workflows to access sensitive credentials, execute unauthorized code, escalate privileges, and potentially distribute malicious software.
According to Novee, a scan of public repositories identified 654 potentially vulnerable projects, with approximately 300 confirmed as fully exploitable. The potential impacts ranged from credential theft and command injection to publishing malicious packages and bypassing security controls.
The issue does not stem from flaws in pull requests themselves. Instead, it arises from insecure workflow configurations that allow untrusted inputs to interact with privileged CI/CD processes.
Who is affected
The weakness affects organizations that rely on automated CI/CD pipelines and open-source development workflows.
Novee demonstrated the risk across several prominent projects. Examples included Microsoft’s Azure Sentinel, Google’s AI Agent Development Kit, Apache Doris, Cloudflare Workers SDK, and Black, a popular Python code formatter maintained by the Python Software Foundation.
Microsoft and Google reportedly confirmed the impact of the findings, while Cloudflare and Apache implemented hardening measures and fixes. Novee stated there is currently no evidence that attackers have broadly exploited these workflow patterns in the wild.
Organizations using GitHub Actions or similar CI/CD automation platforms should review their workflows for excessive permissions and unsafe handling of pull request data.
Why CISOs should care
Cordyceps highlights a growing supply chain risk hidden within development pipelines rather than application code itself.
As organizations increasingly automate software delivery, CI/CD workflows often gain access to sensitive credentials, signing keys, cloud resources, and deployment environments. A compromised workflow can provide attackers with a pathway into critical systems without directly targeting production infrastructure.
The research also raises concerns about AI-generated CI/CD configurations. According to Meged, AI coding assistants may unintentionally replicate insecure workflow patterns across large numbers of repositories, increasing exposure at scale.
For CISOs, the message is clear: workflow code should be treated with the same scrutiny and governance as application code.
3 practical actions
- Inventory all CI/CD workflows that process pull request data and identify where elevated permissions are granted.
- Apply least-privilege principles to workflow tokens, credentials, cloud access, and signing keys used during automation.
- Review and test workflow configurations regularly, including YAML files, to detect unsafe trust relationships and privilege escalation paths before attackers do.
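
One way to start the inventory described in the actions above, as an added example that is not from Novee's research or from any project named here: a standard-library Python audit that flags GitHub Actions workflows where privileged triggers meet pull request data. The checks, finding names and sample workflow are assumptions chosen for illustration, based on common GitHub Actions review heuristics rather than Novee's detection logic.

```python
import re
from pathlib import Path

# Assumed heuristics. Triggers whose jobs get the base repo's token and secrets.
PRIVILEGED = ("pull_request_target", "workflow_run", "issue_comment")
# Contributor-controlled fields; risky when expanded into a `run:` script.
UNTRUSTED = re.compile(r"\$\{\{\s*github\.(head_ref|event\.\w+\.(title|body|head\.ref))")

def run_lines(text):
    """Yield lines belonging to `run:` steps, including block scalars."""
    indent = None
    for line in text.splitlines():
        depth, m = len(line) - len(line.lstrip()), re.match(r"\s*(- )?run:", line)
        if m:
            indent = depth + len(m.group(1) or "")
        elif indent is not None and line.strip() and depth <= indent:
            indent = None
        if indent is not None:
            yield line

def audit_workflow(text):
    """Heuristic, regex-based findings for one workflow (not a YAML parser)."""
    text = re.sub(r"(?m)^\s*#.*$", "", text)  # ignore full-line comments
    found = [f"privileged-trigger:{t}" for t in PRIVILEGED if re.search(rf"\b{t}\b", text)]
    if found and re.search(r"ref:.*github\.event\.pull_request\.head\.(sha|ref)", text):
        found.append("checks-out-pr-head")
    if any(UNTRUSTED.search(line) for line in run_lines(text)):
        found.append("untrusted-input-in-run")
    if not re.search(r"(?m)^\s*permissions:", text):
        found.append("no-explicit-permissions")
    return found

def audit_repo(root):
    """Map each file under root/.github/workflows to its findings."""
    files = sorted((Path(root) / ".github" / "workflows").glob("*.y*ml"))
    return {p.name: audit_workflow(p.read_text(encoding="utf-8")) for p in files}

# Constructed sample, not taken from any project named in the article.
RISKY = """on: [pull_request_target]
jobs:
  greet:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with: {ref: "${{ github.event.pull_request.head.sha }}"}
      - run: echo "${{ github.event.pull_request.title }}"
"""

if __name__ == "__main__":
    print(audit_workflow(RISKY))
```

Call `audit_repo(".")` from a repository root to get findings per workflow file. A workflow that uses the `pull_request` trigger, declares a read-only `permissions:` block and passes the title to the script through `env:` returns no findings.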

