The Cordyceps Pattern: Unmasking Systemic Supply Chain Vulnerabilities in CI/CD Workflows
A critical security pattern, colloquially dubbed “Cordyceps,” has surfaced, revealing a profound architectural weakness in modern CI/CD pipelines. This is not merely a collection of isolated bugs; it is a systemic vulnerability that allows unauthenticated attackers to hijack Git-based workflows. By doing so, they can seize control of the software artifacts produced by these pipelines, effectively poisoning the software supply chain at its source.
The core issue does not stem from a singular flaw within GitHub Actions or any specific vendor tool. Instead, it represents a class of insecure workflow compositions. When command injection, broken authentication logic, artifact-poisoning chains, and cross-workflow privilege escalation converge within YAML configurations, they create multi-step exploit paths. Despite their sophistication, these paths can be triggered by anyone holding nothing more than a standard, free GitHub account.
In a massive security audit, Novee’s research scanned approximately 30,000 high-impact repositories. The findings were alarming: 654 instances of this pattern were flagged, with over 300 validated as fully exploitable attack chains. These vulnerabilities have since been addressed by industry leaders, including Microsoft, Google, Apache, Cloudflare, and the Python Software Foundation.
The Architectural Root Cause: Configuration vs. Code
The fundamental driver behind Cordyceps is a dangerous mental model: the treatment of CI/CD workflows as mere “configuration” rather than executable code. While GitHub Actions files perform high-stakes operations—executing shell commands, running complex scripts, managing sensitive tokens, and publishing production releases—they rarely undergo the rigorous security scrutiny applied to application source code.
This discrepancy creates a “trust boundary” violation. A seemingly benign workflow step might process an output, artifact, or environment variable that carries untrusted data. When this data is passed into a subsequent, higher-privilege workflow, the attacker achieves lateral movement within the CI/CD environment. Individually, these steps appear harmless; collectively, they form a chain capable of exfiltrating credentials, forging approvals, or pushing malicious code to downstream package and container registries.
Real-World Impact: Case Studies in Exploitation
Novee’s technical disclosures provided several high-fidelity examples of how these chains operate in the wild:
- Microsoft: In an Azure Sentinel content pipeline, an attacker could use a Pull Request (PR) comment to execute arbitrary code. This allowed for the theft of a non-expiring GitHub App key, granting persistent write access to security content deployed into customer workspaces.
- Google: Samples within the Google AI Agent Development Kit contained a path where a single PR could trigger CI execution with owner-level permissions within an associated Google Cloud project.
- Apache: The Apache Doris repository was found to have two independent, “zero-click” attack paths that could exfiltrate CI credentials and steal tokens with broad write permissions across the repository.
- Cloudflare: The Workers SDK contained a vulnerability where specially crafted PR branch names could trigger arbitrary command execution on CI runners.
- Python Software Foundation: In the Black project, a malicious PR could hijack the build system to steal automation tokens, allowing the attacker to approve their own pull requests and potentially distribute tainted releases to millions of users.
Why Traditional Security Tools Fail
Legacy security tooling is largely blind to the Cordyceps pattern. Traditional Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) tools typically operate at the level of a single file or a single process. They are excellent at validating YAML syntax or flagging known insecure patterns, but they lack the “contextual intelligence” to reason about cross-workflow data flows.
These tools cannot determine if an untrusted external input—such as a PR title or a comment—can traverse multiple, seemingly disconnected workflows to eventually reach a high-privilege credential. Detecting this class of vulnerability requires external attack validation: a methodology that simulates end-to-end attacker behavior to prove exploitability. This is the precise approach Novee employed by combining large-scale scanning with AI-driven validation logic.
The Agentic Infection Model
The risk of Cordyceps is being amplified by the rapid adoption of AI-driven development. As AI coding agents and automated templates become standard, they produce CI/CD configurations at an exponential rate. If these templates contain underlying insecure patterns, the vulnerability is propagated instantly across thousands of projects.
This creates what can be described as an “agentic infection model”: small, repeatable configuration errors become a massive, systemic risk as they scale through the open-source ecosystem.
Mitigation Strategies for Modern DevSecOps
To defend against Cordyceps, organizations must transition to a “Workflows-as-Code” security posture. This requires several critical defensive layers:
- Enforce Least Privilege: Strictly limit the scope of GitHub tokens and service account permissions.
- Input Sanitization: Treat all external inputs—including PR titles, branch names, and comments—as untrusted and sanitize them before use in shell commands.
- Isolation: Isolate untrusted, event-driven workflows from secrets and high-privilege outputs.
- End-to-End Testing: Implement security testing that specifically simulates malicious PRs and unexpected user inputs to validate workflow integrity.
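A single-file lint covering the first three bullets (token scope, expression injection in shell steps, and isolation of pull_request_target jobs), added here as an example that is not part of the article or of Novee's tooling. The two workflow snippets are constructed and the UNTRUSTED path list is an assumption; as the article notes, a per-file check like this cannot follow data across workflows.

```python
import re

# Constructed samples, not from the article (runs-on omitted): PR title interpolated
# straight into a shell step, pull_request_target checking out the PR head, token scope unset.
VULNERABLE = """\
on: pull_request_target
jobs:
  triage:
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: echo "Checking ${{ github.event.pull_request.title }}"
"""

# Same job hardened: read-only token, base-branch checkout, untrusted value via env var.
HARDENED = """\
on: pull_request
permissions:
  contents: read
jobs:
  triage:
    steps:
      - uses: actions/checkout@v4
      - env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: echo "Checking $PR_TITLE"
"""

# Expression paths any GitHub user controls; an assumed starting list, not exhaustive.
UNTRUSTED = {"github.event.pull_request.title", "github.event.pull_request.body",
             "github.event.comment.body", "github.head_ref"}
EXPR = re.compile(r"\$\{\{\s*([\w.]+)\s*\}\}")  # simple dotted ${{ ... }} paths only

def scan_workflow(text):
    """Return (rule, detail) findings for one workflow file; an empty list means clean."""
    findings = []
    if not re.search(r"^permissions:", text, re.M):  # GITHUB_TOKEN keeps repo default scope
        findings.append(("broad-token", "no top-level permissions: block"))
    if "pull_request_target" in text and "pull_request.head." in text:
        findings.append(("pr-target-checkout", "privileged trigger checks out PR head"))
    run_col = None  # column of the `run` key while inside its script, else None
    for line in text.splitlines():
        if re.match(r"[ ]*(?:-[ ]+)?run:", line):
            run_col = len(line) - len(line.lstrip(" -"))
        elif line.strip() and run_col is not None and len(line) - len(line.lstrip(" ")) <= run_col:
            run_col = None  # back at a sibling key, so the script has ended
        if run_col is not None:  # only expressions inside a shell script are injectable
            findings += [("expression-injection", p) for p in EXPR.findall(line) if p in UNTRUSTED]
    return findings
```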
Ultimately, the Cordyceps phenomenon serves as a definitive reminder: supply chain security no longer begins at the build stage—it begins in the YAML files of your CI/CD pipelines. Defending these pipelines demands the same level of rigor, testing, and scrutiny applied to the application code itself.