AI Security Wire

Cordyceps: AI Coding Tools Are Spreading a CI/CD Flaw

Novee Security disclosed Cordyceps yesterday, and the scope is significant. Named after the parasitic fungus that hijacks its host, Cordyceps is a class of vulnerabilities in GitHub Actions workflows that lets anyone with a free GitHub account execute code on CI infrastructure, steal long-lived credentials, and poison the software shipped to downstream users. Microsoft, Google, Apache, Cloudflare, and the Python Software Foundation all had exploitable instances.

The broader story, though, is about AI coding agents. Novee’s research argues this isn’t just a collection of individual misconfigurations. It’s a structural pattern that AI-assisted development is actively reproducing at scale.

What the Research Found

Novee scanned roughly 30,000 high-impact repositories across the npm, PyPI, crates, and Go ecosystems. Of those, 654 had Cordyceps-class vulnerabilities in initial screening. More than 300 were confirmed fully exploitable.

The common thread is a trust boundary failure in GitHub Actions YAML. Certain event triggers, including pull_request_target, workflow_run, and issue_comment, run with elevated privileges even when initiated by an external contributor. If those workflows pass untrusted data (the PR title, the comment body, a branch name) into a shell command or a privileged downstream job without sanitisation, the result is command injection with access to the repository’s full secret store.

Every attack Novee demonstrated required only a free GitHub account. No organisational membership, no prior access, no phishing required.

The Specific Cases

Microsoft’s Azure Sentinel repository had a workflow where an anonymous pull request comment triggered code execution with access to a non-expiring GitHub App key. That key granted persistent write access to security detection content shipped directly to customer workspaces. The Sentinel team fixed it after Novee’s disclosure.

Google’s adk-samples repository for the AI Agent Development Kit had a flaw where a single malicious pull request could escalate to full owner role on the associated Google Cloud project. An attacker with that role could modify the AI samples that developers clone and run, injecting malicious agent code upstream.

The Python Software Foundation’s Black formatter is downloaded around 130 million times a month. The exploitable workflow there would have let an attacker steal the project’s automation token, forge pull request approvals, and open a downstream path to poisoning official Docker images.

Apache Doris and Cloudflare’s Workers SDK had similar credential theft paths.

The AI Coding Agent Multiplier

Novee’s disclosure puts a specific figure on the amplification effect. AI coding agents are generating GitHub Actions configuration files faster than human review can keep up with, and they reproduce the same structural patterns regardless of whether those patterns are secure. A single insecure template, once embedded in a model’s training data or a code suggestion corpus, gets propagated across repositories that have never had a human author touch that particular file.

This isn’t unique to Cordyceps. It’s the same dynamic that drove slopsquatting and the various npm supply chain cases involving AI-hallucinated package names. The difference here is that the vulnerability class is in infrastructure-level configuration, not application code, so the blast radius per compromised repository is considerably larger.

What Defenders Need to Do

The core fix is treating GitHub Actions YAML files as security-critical code, not configuration. A few concrete steps for teams reviewing their exposure now:

Audit for dangerous trigger combinations. Any workflow using pull_request_target or workflow_run that also executes shell commands containing ${{ github.event... }} data is worth examining carefully. The GitHub Actions security hardening guide flags these patterns specifically.

Restrict default permissions. Set permissions: read-all at the workflow level and grant elevated permissions only to the specific jobs that need them.

Pin third-party actions. An action referenced as uses: some-org/some-action@v2 is a mutable pointer. A compromised release could swap in malicious code. Pin to a full commit SHA.

Review AI-generated workflows. If your team uses Copilot, Cursor, or similar tools to generate Actions configuration, audit those files with the same scrutiny you’d apply to code. The tools do not yet reliably produce secure workflow patterns in complex privilege-separation scenarios.
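As an added example (not Novee's tooling and not code from the original post), here is a small Python audit script that covers both the trust-boundary failure described earlier and the review steps above: a privileged trigger (pull_request_target, workflow_run, issue_comment) combined with `${{ github.event... }}` or `github.head_ref` data inside a `run:` step, a missing or `write-all` `permissions:` block, and `uses:` references that are not pinned to a 40-hex commit SHA. It is deliberately line-based rather than a full YAML parser, so treat it as a triage aid that feeds human review. The two workflow texts embedded in it are constructed for the example; the commit SHA in the hardened one is a placeholder, not a real release of any action.

```python
import re

# Event triggers that run in the base repository's privileged context even when an
# outside contributor caused them (the combination the article singles out).
PRIVILEGED_TRIGGERS = {"pull_request_target", "workflow_run", "issue_comment"}

# Expressions whose value an outside contributor controls: anything under
# github.event.* (PR title/body, comment body, ...) and github.head_ref (branch name).
UNTRUSTED_EXPR = re.compile(r"\$\{\{\s*github\.(?:event\.|head_ref)")

ON_INLINE = re.compile(r"^\s*on:\s*\[?([\w,\s-]*?)\]?\s*$")          # on: x / on: [x, y] / on:
TRIGGER_KEY = re.compile(r"^\s*-?\s*(pull_request_target|workflow_run|issue_comment)\s*:?\s*$")
PERMISSIONS = re.compile(r"^\s*permissions:\s*(\S*)")
USES = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
FULL_SHA = re.compile(r"@[0-9a-f]{40}$")
RUN_KEY = re.compile(r"^(\s*)-?\s*run:\s*(.*)$")


def audit_workflow(text):
    """Return sorted (line_number, message) findings for one workflow file's text."""
    findings = []
    triggers = set()
    injection_lines = []
    permissions_seen = False
    run_indent = None  # indentation of the `run:` key whose block scalar we are inside

    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        indent = len(line) - len(line.lstrip())

        # Inside a `run: |` block scalar every more-indented line is shell text.
        if run_indent is not None:
            if stripped and indent <= run_indent:
                run_indent = None  # block ended; fall through to key matching
            else:
                if UNTRUSTED_EXPR.search(line):
                    injection_lines.append(lineno)
                continue

        m = ON_INLINE.match(line)
        if m:
            triggers.update(t.strip() for t in m.group(1).split(",") if t.strip())
            continue
        m = TRIGGER_KEY.match(line)
        if m:
            triggers.add(m.group(1))
            continue
        m = PERMISSIONS.match(line)
        if m:
            permissions_seen = True
            if m.group(1) == "write-all":
                findings.append((lineno, "permissions: write-all grants every scope; use read-all plus per-job grants"))
            continue
        m = USES.match(line)
        if m:
            ref = m.group(1)
            # Local actions (./path) and docker:// images are outside SHA pinning.
            if not ref.startswith(("./", "docker://")) and not FULL_SHA.search(ref):
                findings.append((lineno, f"{ref} is a mutable ref; pin to a full commit SHA"))
            continue
        m = RUN_KEY.match(line)
        if m:
            if m.group(2).startswith(("|", ">")):
                run_indent = len(m.group(1))  # block scalar starts; body follows
            elif UNTRUSTED_EXPR.search(line):
                injection_lines.append(lineno)  # inline `run: ...` with the expression

    privileged = sorted(triggers & PRIVILEGED_TRIGGERS)
    for lineno in injection_lines:
        msg = "untrusted github.event data interpolated into a shell step"
        if privileged:
            msg = f"HIGH: {msg} (privileged triggers: {', '.join(privileged)})"
        else:
            msg = f"MEDIUM: {msg}"
        findings.append((lineno, msg))
    if not permissions_seen:
        findings.append((0, "no permissions: block; GITHUB_TOKEN gets the repository default"))
    return sorted(findings)


# Constructed workflow: privileged triggers, mutable action ref, comment body in a shell step.
VULNERABLE = """\
name: comment-bot
on:
  issue_comment:
    types: [created]
  pull_request_target:
jobs:
  respond:
    runs-on: ubuntu-latest
    steps:
      - uses: some-org/some-action@v2
      - name: Echo the comment
        run: |
          echo "New comment: ${{ github.event.comment.body }}"
          echo "Branch: ${{ github.head_ref }}"
"""

# Constructed hardened form: read-all default, one per-job grant, SHA-pinned action
# (placeholder SHA, not a real release), untrusted data passed through an env var.
HARDENED = """\
name: comment-bot
on:
  issue_comment:
    types: [created]
permissions: read-all
jobs:
  respond:
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write
    steps:
      - uses: some-org/some-action@0123456789abcdef0123456789abcdef01234567
      - name: Echo the comment
        env:
          COMMENT: ${{ github.event.comment.body }}
        run: |
          echo "New comment: $COMMENT"
"""

if __name__ == "__main__":
    for label, text in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(label, audit_workflow(text) or "no findings")
```

The env-var indirection in the hardened form is the point: the expression is still present in the file, but the shell only ever sees `$COMMENT`, which is an ordinary variable rather than text spliced into the script before it runs.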

Novee has not published a full list of affected repositories. The research indicates that the 300-plus confirmed exploits represent a sample from the top tier of high-traffic packages. The actual count across all of GitHub is assessed to be substantially higher.

Frequently Asked Questions

What is Cordyceps in the context of CI/CD security?
Cordyceps is a class of exploitable vulnerabilities in GitHub Actions workflows and similar CI/CD automation systems, disclosed by Novee Security in June 2026. The flaws allow unauthenticated attackers with only a free GitHub account to trigger low-privilege workflows via pull requests or comments, which then flow compromised data into high-privilege processes. The result is credential theft, code injection, and supply chain compromise at scale.
How are AI coding agents making this problem worse?
AI coding agents generate GitHub Actions configuration files at high speed and persistently reproduce the same insecure structural patterns, such as passing untrusted pull request data into privileged workflow contexts without sanitisation. Because these tools are used across millions of repositories, a single insecure template gets cloned and adapted into countless codebases, spreading the vulnerability class far beyond what any human author could.
What should maintainers do now?
Audit all GitHub Actions YAML files for workflows triggered by pull_request_target, workflow_run, or issue_comment events, especially where any external data flows into a privileged context. Move secrets to environments with required reviewers. Pin third-party actions to full commit SHAs rather than mutable tags. Use GitHub's workflow permissions to restrict default token privileges to read-only.