Cordyceps CI/CD Flaws Expose 300+ GitHub Repositories to Supply-Chain Attacks
Novee Security researchers identified a critical, exploitable pattern in Continuous Integration/Continuous Deployment (CI/CD) workflows, codenamed Cordyceps, that can compromise open-source supply chains. The vulnerability lets attackers hijack workflows and gain full control of repositories, potentially affecting over 300 GitHub repositories at major organizations including Microsoft, Google, and Apache.

The researchers demonstrated how a malicious actor could inject unauthorized code into a project's build process, after which that code would be distributed automatically to the project's users. The attack vector abuses the trust built into automated build and deployment pipelines, where code changes are tested and merged automatically without sufficient human oversight.

Novee Security disclosed that the vulnerability lies in a specific configuration of a popular CI/CD tool, but did not name the tool publicly in order to prevent immediate exploitation. The company has provided detailed remediation steps to affected organizations and is working with GitHub to address the broader implications for the open-source ecosystem. The discovery highlights the growing sophistication of supply-chain attacks that target the software development lifecycle.
Original source: read the full reporting at the publisher, The Hacker News.