    Cybersecurity & Online Safety

    Researchers Found an Attack Spreading Through GitHub Like a Parasite. They Named It Cordyceps and It Is Already in 300+ Repositories

By precious, July 4, 2026
    Photo Credit: Mateusz Slodkowski/SOPA Images/LightRocket via Getty Images

Novee Security has confirmed that a vulnerability pattern its researchers call Cordyceps leaves more than 300 GitHub repositories open to full attacker takeover, including projects run by Microsoft, Google, Apache and Cloudflare.

The firm scanned roughly 30,000 high-impact repositories, flagged 654 of them in a single automated pass, and confirmed that more than 300 were fully exploitable through attacker-controlled code execution, credential theft or outright supply chain compromise.

    Researchers named the pattern after the parasitic fungus known for slowly taking over its host from the inside, since the flaw burrows into software development pipelines in a similar way. At the center of the problem are weak CI/CD configurations that grant pull requests more permissions than they should ever have.

    How Attackers Get In

The flaw does not sit inside one file or one careless line of code. It exists in how separate workflows interact with each other: a low-privilege workflow passes its output into a higher-privilege workflow, whose token can then authenticate into a cloud provider with owner-level access. Each step looks harmless on its own, and the real danger only shows up once the full chain is traced from end to end across a boundary nobody was watching.

    Elad Meged, founding engineer and security researcher at Novee Security, said the barrier to entry is unusually low. “The flaw is exploitable by any unauthenticated user,” he said. “No organization membership or special privileges are required, [since] a free GitHub account is enough to forge approvals, push code or steal credentials.”

    Who Is Affected?

    On Microsoft’s Azure Sentinel repository, a single comment on a pull request allowed anonymous attacker code to run on Microsoft’s build infrastructure and steal a non-expiring GitHub App key. On Google’s AI Agent Development Kit, a pull request could execute attacker code on Google’s own CI system and hand over complete authority of a Google Cloud repository.

Apache’s Doris project had two separate zero-click paths, where a single comment on any pull request, including a forked one, could run attacker code and pull out hard-coded CI credentials or a token with full write access. Cloudflare’s Workers SDK could be triggered through a crafted branch name that ran arbitrary commands on Cloudflare’s CI runners, and the Python Software Foundation’s Black project had a flaw where one pull request could steal its automation token and use it to approve future pull requests.

    AI Coding Tools Are Spreading the Pattern

Researchers said one of the more troubling parts of the discovery is the role AI coding agents play in spreading the flaw. Developers increasingly lean on these tools to generate CI/CD configuration files quickly, and the tools keep reproducing the same insecure patterns.

    With millions of repositories built on similar automation, the firm expects the pattern to keep resurfacing across new projects rather than fade out on its own.

    What Happens Next

Novee said fixes have already been confirmed at Microsoft, Google, Apache, Cloudflare and the Python Software Foundation. However, the company noted that millions of other repositories could carry the same underlying weakness. The firm is advising security teams to audit every GitHub Actions workflow for untrusted input feeding into shell commands, check where privilege boundaries sit between workflows, and start treating CI/CD configuration as security-critical code rather than routine automation scaffolding.
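The audit the researchers recommend can be partly automated. The Python script below is an added example written for this article; it is not Novee Security's scanner or any project's own code, and its function names and the two workflow files are constructed for the example. It walks a workflow file line by line and flags the things the article describes: contributor-controlled event fields such as `github.event.pull_request.title` or `github.head_ref` interpolated directly into a `run:` step, a privileged trigger (`pull_request_target`, `issue_comment`, `workflow_run`) that checks out the pull request's own commit, an artifact downloaded under `workflow_run` (the cross-workflow boundary from the "How Attackers Get In" section), a `write-all` token, and a note when `id-token: write` would let a compromised job reach a cloud provider. The list of untrusted fields follows GitHub's published security-hardening guidance for Actions and is assumed to be a representative subset, not an exhaustive one.

```python
# Added example: line-based audit of a GitHub Actions workflow. Standard library only (no PyYAML).
import re

# Event fields a PR author controls, after GitHub's Actions hardening guidance (assumption: a subset, not exhaustive).
UNTRUSTED_EXPR = re.compile(
    r"\$\{\{\s*(github\.(?:head_ref|event\.(?:issue|pull_request|comment|review)\.(?:title|body)"
    r"|event\.pull_request\.head\.(?:ref|label)|event\.head_commit\.(?:message|author\.(?:name|email))))\s*\}\}")
PRIVILEGED_TRIGGER = re.compile(r"\b(pull_request_target|issue_comment|workflow_run)\b")  # write token, even for forks
ON_BLOCK = re.compile(r"^on:(.*?)(?=^\S|\Z)", re.S | re.M)  # the top-level trigger mapping
HEAD_CHECKOUT = re.compile(r"ref:\s*\$\{\{\s*github\.(?:event\.pull_request\.head\.(?:sha|ref)|head_ref)\s*\}\}")
RUN_KEY = re.compile(r"^(\s*)(?:-\s+)?run:\s*(.*?)\s*$")
_ind = lambda s: len(s) - len(s.lstrip(" "))  # leading-space count of a line

def _run_lines(lines):
    """Yield (1-based line, text) for each shell line a `run:` step executes."""
    i = 0
    while i < len(lines):
        m = RUN_KEY.match(lines[i])
        i += 1
        if not m:
            continue
        key_indent, rest = len(m.group(1)), m.group(2)
        if rest[:1] not in ("|", ">"):  # one-line `run: cmd`
            yield i, rest
            continue
        body = None  # indentation of the block scalar, set by its first line
        while i < len(lines) and (not lines[i].strip() or _ind(lines[i]) > key_indent):
            if lines[i].strip():
                body = body or _ind(lines[i])
                if _ind(lines[i]) < body:
                    break  # a dedent (e.g. `env:`) ends the script
                yield i + 1, lines[i]
            i += 1

def audit_workflow(text):
    """Return (kind, line, detail) findings for one workflow file; [] means clean."""
    lines = text.splitlines()
    on = ON_BLOCK.search(text)
    privileged = set(PRIVILEGED_TRIGGER.findall(on.group(1))) if on else set()
    found = []
    for n, shell in _run_lines(lines):  # 1. event data expanded straight into a shell command
        found += [("expression_injection", n, e.group(1)) for e in UNTRUSTED_EXPR.finditer(shell)]
    for n, line in enumerate(lines, 1):
        if privileged and HEAD_CHECKOUT.search(line):  # 2. privileged trigger builds the contributor's commit
            found.append(("privileged_checkout", n, ",".join(sorted(privileged))))
        if "workflow_run" in privileged and "actions/download-artifact" in line:  # 3. cross-workflow boundary
            found.append(("artifact_boundary", n, "output of a lower-privilege run"))
        if re.match(r"^\s*permissions:\s*write-all\s*$", line):  # 4. token at its widest scope
            found.append(("broad_permissions", n, "write-all"))
    if found and any(re.match(r"^\s*id-token:\s*write\s*$", l) for l in lines):
        found.append(("cloud_reachable", 0, "id-token: write"))  # 5. OIDC turns any of the above into cloud access
    return found

# Constructed for this example; it deliberately stacks several weaknesses in one file.
WEAK_WORKFLOW = """\
name: pr-labeler
on:
  pull_request_target:
  workflow_run:
    workflows: ["ci"]
permissions: write-all
jobs:
  label:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: actions/download-artifact@v4
      - run: |
          echo "PR title: ${{ github.event.pull_request.title }}"
          ./scripts/label.sh "${{ github.head_ref }}"
"""

# Same job hardened: read-only token, plain pull_request trigger, untrusted values reach the shell as env vars (data, not code).
HARDENED_WORKFLOW = """\
name: pr-labeler
on: [pull_request]
permissions:
  contents: read
  pull-requests: write
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - env:
          PR_TITLE: ${{ github.event.pull_request.title }}
          HEAD_REF: ${{ github.head_ref }}
        run: |
          echo "PR title: $PR_TITLE"
          ./scripts/label.sh "$HEAD_REF"
"""

if __name__ == "__main__":
    for name, wf in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(name, audit_workflow(wf) or "clean")
```

Run against the weak file, the scanner reports both shell interpolations, the privileged checkout of the contributor's commit, the artifact crossing the `workflow_run` boundary, the `write-all` token, and the OIDC note; the hardened file comes back clean because the same values now enter the shell through environment variables and the job runs under an ordinary `pull_request` trigger with a read-only token. The scan is line-based, so it does not follow reusable workflows, composite actions or `with:` inputs to actions that execute scripts themselves; treat its output as a triage list for the manual review the researchers describe, not as proof of absence.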

    For organizations whose software depends on any of the affected projects, the guidance from researchers is to review upstream changelogs, apply patches without delay, and treat any pipeline that touches outside contributions with the same scrutiny given to the code it builds.

    Apache CI/CD Security Cloudflare Cordyceps DevSecOps GitHub Google Microsoft Novee Security supply chain attack
precious

    I’m Precious Amusat, Phronews’ Content Writer. I conduct in-depth research and write on the latest developments in the tech industry, including trends in big tech, startups, cybersecurity, artificial intelligence and their global impacts. When I’m off the clock, you’ll find me cheering on women’s footy, curled up with a romance novel, or binge-watching crime thrillers.