Cordyceps Vulnerability Exposes Major Open-Source Projects to Supply Chain Hijacks
A critical new class of CI/CD workflow weakness, dubbed **Cordyceps**, has been identified that allows unauthenticated attackers to hijack workflows and compromise open-source supply chains. The flaw, discovered by **Novee Security**, stems from workflows that grant excessive permissions to pull requests, and it impacts dozens of leading organizations, including **Microsoft**, **Google**, **Apache**, and **Cloudflare**.

Cybersecurity researchers have uncovered a significant vulnerability in Continuous Integration/Continuous Delivery (CI/CD) workflows that could allow attackers to gain full control over repositories and compromise the open-source supply chain. This "critical exploitable pattern" has been named **Cordyceps** by **Novee Security**, the firm that identified the issue.
### Unauthenticated Access to Critical Systems
**Cordyceps** enables unauthenticated users to exploit weak CI/CD configurations. According to **Elad Meged**, founding engineer and security researcher at **Novee Security**, "No org membership or special privileges; a free account is enough to forge approvals, push code, or steal credentials." This means anyone with a basic account could potentially manipulate workflows.
**Novee Security**'s scan of approximately 30,000 high-impact repositories revealed over 300 to be fully exploitable. Such exploitation could lead to attacker-controlled code execution, credential theft, and widespread supply chain compromise, with potentially severe downstream consequences for countless projects and users.
### The Root Cause: Over-Permissive Pull Requests
The core of the problem lies in CI/CD configurations that grant pull requests (PRs) more permissions than necessary. PRs are proposals to merge code changes, but when an untrusted PR can trigger privileged workflows, it creates a pathway for command injection, privilege escalation, and ultimately, supply chain compromise.
**Novee Security** explains that this vulnerability is particularly insidious because it evades typical scanners. "The kind of issue that hides from scanners because, technically, every individual piece is working as designed," they noted. "The vulnerability exists only in the composition — untrusted data crossing a trust boundary that no one audited."
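
One way to audit for the composition described above, as an added example (not Novee Security's scanner or any affected project's code). It assumes the workflows are GitHub Actions YAML, which the article does not state; `audit_workflow` and both sample workflows are constructed for illustration. It reports a finding only when a privileged trigger and PR-controlled text inside a `run:` script occur together.

```python
import re

# GitHub Actions events that run with the base repository's secrets and token
# even when an outside contributor causes them to fire.
PRIVILEGED_TRIGGERS = ("pull_request_target", "issue_comment", "workflow_run")
# Expression values chosen by whoever opens the PR or writes the comment.
UNTRUSTED_EXPR = re.compile(
    r"\$\{\{\s*(github\.head_ref|github\.event\.(?:pull_request|issue|comment)"
    r"\.(?:title|body|head\.ref|head\.label))\s*\}\}")
RUN_KEY = re.compile(r"^\s*(?:-\s+)?run:\s*(.*)$")

def audit_workflow(text):
    """Return (line_no, expression) for untrusted values used in run: scripts."""
    if not any(re.search(rf"\b{t}\b", text) for t in PRIVILEGED_TRIGGERS):
        return []  # heuristic: no privileged trigger, no trust boundary crossed
    findings, block_col = [], None
    for no, line in enumerate(text.splitlines(), 1):
        indent = len(line) - len(line.lstrip())
        m = RUN_KEY.match(line)
        if m:  # "run: cmd" on one line, or "run: |" opening a block scalar
            script = m.group(1)
            block_col = line.index("run:") if script[:1] in ("|", ">") else None
        elif block_col is not None and (not line.strip() or indent > block_col):
            script = line  # still inside the multi-line script
        else:
            script, block_col = "", None
        findings += [(no, e.group(1)) for e in UNTRUSTED_EXPR.finditer(script)]
    return findings

# Constructed sample workflows (not taken from any affected project).
VULNERABLE = """\
on: pull_request_target
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - run: echo "Building ${{ github.head_ref }}"
"""
HARDENED = """\
on: pull_request_target
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - env:
          BRANCH: ${{ github.head_ref }}  # passed as data, not script text
        run: echo "Building $BRANCH"
"""
```

The hardened form keeps the same trigger but moves the branch name into an environment variable and limits the token to read access, so the value never becomes part of the script text.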
### Real-World Impact on Tech Giants
The research highlighted several alarming examples of **Cordyceps** in action:
* On **Microsoft**'s **Azure Sentinel**, a comment on a PR could execute anonymous attacker code on **Microsoft**'s CI and steal a non-expiring **GitHub App** key.
* **Google**'s **AI Agent Development Kit** ("adk-samples") was susceptible to a PR that could execute attacker code on **Google**'s CI, granting complete authority over a **Google Cloud** repository.
* **Apache Doris** was vulnerable to two zero-click attacks, where a single comment on any PR or a forked PR could run attacker code and exfiltrate hard-coded CI credentials or a token with full write permissions.
* The **Cloudflare Workers SDK** could be exploited by a PR with a crafted branch name to execute arbitrary commands on **Cloudflare**'s CI runners.
* **Python Software Foundation**'s **Black** project was at risk from a single pull request from anyone, which could execute attacker code on **Black**'s build systems and steal the automation token, enabling PR approvals.
### Disclosure and Remediation
Following responsible disclosure, both **Microsoft** and **Google** confirmed the impact of the findings. **Cloudflare**, **Python**, and **Apache** have since applied hardening measures and patches to address the vulnerabilities.
**Meged** emphasized the escalating threat: "The nature of agentic coding means these CI/CD vulnerabilities are reproduced persistently, at scale, 'infecting' repositories at an exponential rate." He likened the exploitation to "puppeteering" the repositories of major companies, silently manipulating their workflows.