Cordyceps CI/CD vulnerability exposes supply chain risks across major tech organizations
By
Meredith Shubel
Summary
Security research from Novee Security reveals a CI/CD weakness called "Cordyceps" that allows unauthenticated GitHub users to hijack trusted workflows and compromise open-source supply chains. The vulnerability was found across 654 repositories from major organizations including Microsoft, Google, Apache, Python, and Cloudflare, with 300 confirmed as fully exploitable. The article explores why standard code review processes miss CI/CD risks and how development teams need to rethink their pipeline security.
Source
bskyCordyceps CI/CD vulnerability exposes supply chain risks across major tech organizationsthenewstack.ioKey quotes
· 3 pulledDubbed 'Cordyceps' after the parasitic fungus, the weakness allegedly appeared across dozens of organizations, both small and large, including Microsoft, Google, Apache, Python, and Cloudflare.
After scanning roughly 30,000 high-impact repositories, the penetration-testing company says it flagged 654 repositories as potentially exploitable and confirmed 300 as full
Security researchers weigh in on why normal code review misses CI/CD risks and how developers should rethink pipelines.
You might also wanna read
Software Supply Chain Attacks: Exploiting Trust Assumptions in Modern Development
The article examines the growing threat of software supply chain attacks that exploit fundamental trust assumptions in modern development wo
GitHub Actions workflows identified as common weak link in open source supply chain attacks
This article analyzes a series of high-profile open source supply chain security incidents from the past 18 months, tracing them back to Git
Trivy GitHub Actions Compromised in Supply Chain Attack, Exposing CI/CD Secrets
A new supply chain attack targeting Trivy's GitHub Actions has been disclosed, where attackers compromised the security scanner by force-upd
Supply Chain Attacks on Open-Source Software: Case Study of Malicious Pull Request Attempts
The article discusses recent supply chain attacks on open-source software projects like LiteLLM and axios, with a specific case study of att
Trivy Vulnerability Scanner Compromised in Supply Chain Attack That Harvested CI/CD Credentials
The article details a sophisticated supply chain attack on Aqua Security's Trivy vulnerability scanner in March 2026, where attackers inject
Config File Auto-Execution Creates Supply Chain Security Blindspot Across IDEs and Package Managers
This article exposes a critical supply chain security blindspot where ordinary-looking configuration files in code repositories can automati

Comments
Sign in to join the conversation.
No comments yet. Be the first.