All Topics
All Topics
Technology
Technology
AI
AI
Business
Business
Entertainment
Entertainment
News
News
Programming
Programming
Security
Security
Science
Science
Design
Design
Environment
Environment
Finance
Finance
Crypto
Crypto
Politics
Politics
Sports
Sports
Education
Education
Gaming
Gaming
Art
Art
Music
Music
Health
Health
Books
Books
Food
Food
Travel
Travel
Personal
Personal
Bluesky
Twitter

Cordyceps CI/CD vulnerability exposes supply chain risks across major tech organizations

By

Meredith Shubel

3h ago· 5 min readenNews

Summary

Security research from Novee Security reveals a CI/CD weakness called "Cordyceps" that allows unauthenticated GitHub users to hijack trusted workflows and compromise open-source supply chains. The vulnerability was found across 654 repositories from major organizations including Microsoft, Google, Apache, Python, and Cloudflare, with 300 confirmed as fully exploitable. The article explores why standard code review processes miss CI/CD risks and how development teams need to rethink their pipeline security.

Source

bskyCordyceps CI/CD vulnerability exposes supply chain risks across major tech organizationsthenewstack.io

Key quotes

· 3 pulled
Dubbed 'Cordyceps' after the parasitic fungus, the weakness allegedly appeared across dozens of organizations, both small and large, including Microsoft, Google, Apache, Python, and Cloudflare.
After scanning roughly 30,000 high-impact repositories, the penetration-testing company says it flagged 654 repositories as potentially exploitable and confirmed 300 as full
Security researchers weigh in on why normal code review misses CI/CD risks and how developers should rethink pipelines.
Snippet from the RSS feed
Security researchers weigh in on why normal code review misses CI/CD risks and how developers should rethink pipelines.

You might also wanna read

Software Supply Chain Attacks: Exploiting Trust Assumptions in Modern Development

The article examines the growing threat of software supply chain attacks that exploit fundamental trust assumptions in modern development wo

blog.trailofbits.com·8mo ago

GitHub Actions workflows identified as common weak link in open source supply chain attacks

This article analyzes a series of high-profile open source supply chain security incidents from the past 18 months, tracing them back to Git

Andrew Nesbitt·2mo ago

Trivy GitHub Actions Compromised in Supply Chain Attack, Exposing CI/CD Secrets

A new supply chain attack targeting Trivy's GitHub Actions has been disclosed, where attackers compromised the security scanner by force-upd

socket.dev·3mo ago

Supply Chain Attacks on Open-Source Software: Case Study of Malicious Pull Request Attempts

The article discusses recent supply chain attacks on open-source software projects like LiteLLM and axios, with a specific case study of att

casco.com·2mo ago

Trivy Vulnerability Scanner Compromised in Supply Chain Attack That Harvested CI/CD Credentials

The article details a sophisticated supply chain attack on Aqua Security's Trivy vulnerability scanner in March 2026, where attackers inject

vaultproof.dev·2mo ago

Config File Auto-Execution Creates Supply Chain Security Blindspot Across IDEs and Package Managers

This article exposes a critical supply chain security blindspot where ordinary-looking configuration files in code repositories can automati

safedep.io·27d ago

Comments

Sign in to join the conversation.

No comments yet. Be the first.