
Novee Security has confirmed that a vulnerability pattern its researchers call Cordyceps leaves more than 300 GitHub repositories open to full attacker takeover, including projects run by Microsoft, Google, Apache and Cloudflare.
The firm scanned roughly 30,000 high impact repositories, flagged 654 of them in a single automated pass, and confirmed that more than 300 were fully exploitable through attacker controlled code execution, credential theft or outright supply chain compromise.
Researchers named the pattern after the parasitic fungus known for slowly taking over its host from the inside, since the flaw burrows into software development pipelines in a similar way. At the center of the problem are weak CI/CD configurations that grant pull requests more permissions than they should ever have.
How Attackers Get In
The flaw does not sit inside one file or one careless line of code. It exists in how separate workflows interact with each other, where a low privilege workflow passes its output into a higher privilege workflow whose token can then authenticate into a cloud provider with owner level access. Each step looks harmless on its own, and the real danger only shows up once the full chain is traced from end to end across a boundary nobody was watching.
Elad Meged, founding engineer and security researcher at Novee Security, said the barrier to entry is unusually low. “The flaw is exploitable by any unauthenticated user,” he said. “No organization membership or special privileges are required, [since] a free GitHub account is enough to forge approvals, push code or steal credentials.”
Who Is Affected?
On Microsoft’s Azure Sentinel repository, a single comment on a pull request allowed anonymous attacker code to run on Microsoft’s build infrastructure and steal a non-expiring GitHub App key. On Google’s AI Agent Development Kit, a pull request could execute attacker code on Google’s own CI system and hand over complete authority of a Google Cloud repository.
Apache’s Doris project had two separate zero click paths, where a single comment on any pull request, including a forked one, could run attacker code and pull out hard coded CI credentials or a token with full write access. Cloudflare’s Workers SDK could be triggered through a crafted branch name that ran arbitrary commands on Cloudflare’s CI runners, and the Python Software Foundation’s Black project had a flaw where one pull request could steal its automation token and use it to approve future pull requests.
AI Coding Tools Are Spreading the Pattern
Researchers said one of the more troubling parts of the discovery is the role AI coding agents play in spreading the flaw, since developers increasingly lean on these tools to generate CI/CD configuration files quickly, and the tools keep reproducing the same insecure patterns.
With millions of repositories built on similar automation, the firm expects the pattern to keep resurfacing across new projects rather than fade out on its own.
What Happens Next
Novee said fixes have already been confirmed at Microsoft, Google, Apache, Cloudflare and the Python Software Foundation. However, the company noted that millions of other repositories could carry the same underlying weakness. The firm is advising security teams to audit every GitHub Actions workflow for untrusted input feeding into shell commands, check where privilege boundaries sit between workflows, and start treating CI/CD configuration as security critical code rather than routine automation scaffolding.
For organizations whose software depends on any of the affected projects, the guidance from researchers is to review upstream changelogs, apply patches without delay, and treat any pipeline that touches outside contributions with the same scrutiny given to the code it builds.
