Novee Uncovers Cordyceps: The Latest Threat to CI/CD Pipelines
DevOps.com

Novee Uncovers Cordyceps: The Latest Threat to CI/CD Pipelines

Cordyceps: Exploitable Pattern in Open Source Supply Chain

A newly discovered supply chain security flaw is once again putting a spotlight on inherent weaknesses in CI/CD pipelines and the growing interest among cyberthreat actors to exploit them. Security researchers with Novee, an AI penetration testing platform provider, wrote about Cordyceps, an exploitable pattern in the open source supply chain that can allow attackers to hijack workflows and gain full control of code repositories, including those at dozens of the world’s largest companies, including Microsoft, Google, Python, Apache, and Cloudflare.

In addition, the vulnerability can be exploited by any unauthenticated user, according to Elad Meged, founding engineer and security researcher at Novee. "No org membership or special privileges; a free account is enough to forge approvals, push code, or steal credentials," Meged wrote in a report.

The Novee team scanned 30,000 "high-impact" repositories. 654 were flagged in a single scan and more than 300 were confirmed to be fully exploitable to attacks involving attacker-controlled code execution, credential theft, or supply chain compromise, he wrote.

Perception of CI/CD Needs to Change

Cordyceps, which derives its name from a parasitic fungus known for taking control of its hosts, takes advantage of weaknesses in many CI/CD workflows, which are foundational in modern software development. A key problem is that too often, these workflows are not seen as the security-critical code they are, he wrote.

"Modern software gets built atop the backs of thousands of open-source projects, and many operations are being automated, e.g. tests and CI/CD deployment using GitHub Actions," Meged wrote. "These workflows run shell commands, authenticate to cloud providers, hold signing keys, and publish releases, yet they are treated as 'configuration.' … The result: command injection, privilege escalation, and supply-chain compromise hiding in plain sight in .yml files that no traditional security scanner audits."

Autonomous AI Coding Agents a Worry

Fueling the problem is the growing use of AI coding agents. "They generate CI/CD configuration fast and reproduce the same insecure patterns over and over, so the same mistakes can compound across millions of repositories," he wrote.

In a report last month, Nicolas Ehrman, product marketing manager for Google-owned Wiz, wrote that AI coding assistants also add another dimension: "Autonomous agents with broad access to source code and internal APIs blur identity tracing and create CI/CD risks traditional tooling wasn't built to catch."

In its State of Code Security Report 2025, Wiz found that 35% of enterprises run non-ephemeral self-hosted runners with weaker configurations, exposing organizations to lateral movement attacks across repositories and cloud environments.

"Because pipelines hold privileged access to your entire development ecosystem, they are prime targets for attackers," Ehrman wrote. "A single breach can distribute malicious code downstream, cause data breaches, or disrupt services. Consequently, modern CI/CD security prioritizes risks based on actual exploitability and production impact rather than raw scan volume."

Hiding in Plain Sight

In the case of Cordyceps, a key issue was the vulnerability essentially hides in plain sight. Such multi-step exploit chains can hide from scanners because each step of the chain is working as it's designed, Meged wrote. It's not until each flaw is put together and in order, he wrote.

"SAST and DAST – any tool across an AST suite – won't be able to reason about a cross-workflow finding," he wrote. "Existing tools do pattern-matching on single files, but the most dangerous vulnerabilities we found are multi-step exploit chains. A deterministic scanner checking one workflow file sees valid YAML. An attacker sees a 4-step chain to permanent credentials."

Its exploit chain goes into motion when someone opens a pull request or leaves a comment, with the process treating such input the same as if it came from a maintainer. It then acts on it with the maintainer's permissions. An outsider who has a free GitHub account that uses a project's authority, even for a few minutes, can forge approvals, push malicious code, or steal credentials.

From there, "one compromised workflow in one repository can ripple outward into banks, cloud accounts, AI labs, and end-user devices," Meged wrote.

Using Microsoft, Google as Examples

Novee detailed examples of the reach of the Cordyceps exploit chain among some large companies. Novee researchers found one attack that targeted Microsoft's Azure Sentinel SIEM, noting that a comment on a pull request fired up anonymous attacker code on the vendor's continuous integration and stole a non-expiring GitHub App key. For the supply chain, "persistent write access to the security content Microsoft ships to customers, meaning they could be silently weakened or implanted with malicious infrastructure templates," he wrote.

A pull request ran attacker code in Google's continuous integration process to get unauthenticated control over an associated Google Cloud project, risking the bad actor getting full control over the associated Google Cloud project.

AI Agents vs. AI Agents

Novee was able to uncover the exploit chain by using its own AI agents, highlighting the dual nature of AI in cybersecurity. "Finding these chains requires attacker reasoning across multiple workflows, privilege boundaries, and time," Meged wrote. "That's what Novee's AI agents do, and that's what no scanner, no linter, and no manual review caught at the organizations where we validated vulnerabilities."

Novee's security teams scanned npm, PyPI, Go, and other ecosystems, and the threat was to essentially every step of the build and development pipeline.

Comments

No comments yet. Start the discussion.