Cordyceps Vulnerability: When 'Green' CI/CD Pipelines Mask Critical Exposure
Researchers at **Novee Security** have uncovered a critical class of CI/CD weaknesses, dubbed 'Cordyceps,' affecting thousands of high-impact repositories. This vulnerability bypasses traditional security scans, exploiting the composition of workflows rather than individual faulty files. The findings highlight a growing blind spot in software supply chain security, particularly as AI-driven development accelerates.

"A green pipeline is not a governed one, and agentic coding is widening the gap faster than review can close it," states Shane Warden, Principal Architect at **ActiveState**, in a recent analysis.
In June 2026, **Novee Security** disclosed a class of CI/CD weaknesses they named **Cordyceps**. Their extensive scan of approximately 30,000 high-impact repositories across **npm**, **PyPI**, **crates.io**, and **Go** ecosystems flagged 654, with over 300 confirmed as fully exploitable.
The affected build tooling included projects from tech giants like **Microsoft**, **Google**, **Apache**, **Cloudflare**, and the **Python Software Foundation**. Critically, an attacker only needs a free **GitHub** account to exploit these vulnerabilities β no organizational membership or elevated privileges are required.
Every one of these pipelines reported 'green' β scans ran, checks passed, and dashboards showed healthy results throughout the exposure. The existing scanning tools were simply not designed to detect this type of danger.
## The Vulnerability Is in the Composition, Not the File
The core issue lies in how **GitHub Actions** workflows are composed. While `pull_request` workflows typically run in an untrusted context with limited access, `pull_request_target` and `workflow_run` operate within the base repository, granting access to secrets and a read/write `GITHUB_TOKEN`.
Attackers can leverage these higher-privileged workflows to act on attacker-controlled content from the triggering pull request, a method **GitHub Security Lab** refers to as a "pwn request."
Three primary primitives facilitate this: command injection, code injection via `actions/github-script`, and cross-workflow privilege escalation. Command injection interpolates attacker-controlled data (like branch names or comments) directly into shell commands, leading to unescaped execution. Code injection evaluates attacker input as JavaScript at runtime. Cross-workflow privilege escalation involves a low-privilege workflow writing untrusted data that a second, high-privilege workflow then reads and executes with the maintainer's token. Each workflow, individually, appears innocuous.
"A scanner sees a workflow. An attacker sees a four-step chain to a permanent credential," explains Warden. The danger is not in a single faulty line of code, but in how otherwise valid components interact β a blind spot for traditional SAST or DAST tools that pattern-match individual files.
## One Pull Request, Persistent Write Access to Shipped Security Content
**Novee** demonstrated the severity of **Cordyceps** by exploiting **Microsoft's Azure Sentinel** repository. A simple pull request comment allowed anonymous attacker code to run on **Microsoft's** CI, leading to the theft of a non-expiring **GitHub App** key. This was confirmed by **Microsoft's Security Response Center**.
**Azure Sentinel**, **Microsoft's** SIEM, delivers detection rules and automated playbooks directly to customer workspaces. A stolen key could grant persistent write access to this critical security content, enabling attackers to subtly weaken defenses shipped as trusted updates to thousands of organizations.
Similarly, **Google's AI Agent Development Kit** sample repository, a common reference for developers, was found vulnerable. A single pull request could execute code in **Google's** CI, escalating to `roles/owner` on the associated **Google Cloud** project, granting permanent owner-level access. **Google** confirmed and addressed this.
**Apache Doris** also had a comparable path to credential theft, confirmed and fixed by the **Apache Security Team**. These cases highlight a consistent compositional problem across major organizations, undetectable by traditional code scanners.
## Nobody Decided to Trust That Pull Request
The alarming aspect is that no human intentionally configured workflows to trust external input as if it came from a maintainer. This risk accumulated incrementally, often through seemingly reasonable commits. The problem is exacerbated by AI-generated workflows, where critical security decisions might never undergo human audit.

Warden emphasizes that while AI tools offer significant leverage in engineering, they also act as a multiplier for insecurity. AI can rapidly generate CI/CD configurations that reproduce insecure patterns, compounding a single mistake across potentially millions of repositories with no provenance signal. The sheer volume of workflow decisions now outpaces human review capacity.
Existing security systems are ill-equipped for this. **Cordyceps** is not a **CVE**, meaning it doesn't fit into the standard vulnerability enumeration model. Furthermore, **NIST** acknowledged in April 2026 that it can no longer enrich every **CVE** due to a 263% increase in submissions since 2020, signaling a broader challenge in managing multiplying risks.
Fortunately, **Novee** found no evidence of in-the-wild exploitation, and the named vendors have since hardened or patched their systems. However, **Cordyceps** represents a proven, exploitable pattern that remains largely unpatched by default across the industry.
## Close the Boundary, Then Govern What Crosses It
Immediate mitigation steps are crucial:
* Prefer `pull_request` over `pull_request_target` for untrusted contributions.
* Never check out pull request head code within a privileged workflow.
* Pass event data through a quoted environment variable instead of inlining it.
* Default permissions to read-only.
* Pin third-party actions to a commit SHA rather than a mutable tag.
* Gate privileged workflows behind manual approval for first-time contributors.
While these measures address current issues, they don't solve the class of problems. The next vulnerability pattern will also likely consist of individually correct steps that bypass scanners. AI-driven development is rapidly widening this software supply chain governance gap.
The durable solution lies in governing what your build can trust at the source. Components and workflows entering your pipeline must originate from a governed source with verifiable provenance, built from source rather than trusted on faith. A hijacked upstream publishing a poisoned package must fail a check at ingestion.
Human ownership of trust boundaries must operate at the speed of AI-generated decisions, as manual review at the end of the pipeline can no longer keep pace. **Cordyceps** didn't defeat security tools; it bypassed them because each piece functioned as designed. This is the ultimate measurement trap: the 'green' light persisted, while the underlying security guarantee dissolved.
These pipelines weren't exposed because scanners failed; they were exposed because passing the scan didn't equate to being governed. For too long, this critical oversight went unnoticed.