Cordyceps CI/CD Flaws Expose 300+ GitHub Repositories to Supply-Chain Attacks
Cybersecurity researchers have uncovered a critical vulnerability in CI/CD (Continuous Integration/Continuous Deployment) workflows that allows attackers to hijack open-source projects and compromise software supply chains. The issue, dubbed “Cordyceps” by Novee Security, has been found in the workflows of dozens of the world’s largest organizations, including Microsoft, Google, Apache, and many others.
The Cordyceps Vulnerability: Hijacking CI/CD Pipelines
Cordyceps exploits weaknesses in how many CI/CD systems handle environment variables and secrets. Attackers can inject malicious code into these variables, which is then executed as part of the build and deployment process. This gives them full control over the affected repositories, allowing them to insert backdoors, steal sensitive data, and launch further attacks down the supply chain.
- Widespread Impact: Novee’s research identified over 300 GitHub repositories belonging to major enterprises and open-source projects that are vulnerable to Cordyceps attacks.
- Ease of Exploitation: The flaw is easy to exploit, requiring minimal technical expertise. Attackers can automate scans to identify vulnerable CI/CD setups and deploy their payloads at scale.
- Difficult to Detect: Cordyceps-based attacks leave few traces, making them extremely difficult for security teams to detect and investigate.
Implications for Enterprise Security
The Cordyceps vulnerability exposes a critical blind spot in how many organizations manage their software development lifecycle. Compromised CI/CD workflows can become a gateway for widespread supply chain attacks, putting sensitive data, critical infrastructure, and entire business operations at risk.
“This is a wake-up call for enterprises relying on open-source components and CI/CD automation,” says Samir Jain, Principal Security Architect at Novee. “Attackers can now hijack the very tools meant to ensure software integrity and use them to inject malware into the heart of an organization’s technology stack.”
Mitigating the Cordyceps Threat
To address the Cordyceps vulnerability, security and DevOps teams must take a holistic approach to securing their CI/CD pipelines:
- Audit Environment Variables: Thoroughly review all environment variables and secrets used in build and deployment workflows. Eliminate unnecessary variables and ensure proper access controls.
- Implement Least-Privilege Access: Grant the minimum required permissions to CI/CD service accounts and automate the rotation of credentials.
- Enforce Code Signing: Implement mandatory code signing to validate the integrity of all artifacts before deployment.
- Enable Workflow Monitoring: Deploy solutions that can detect anomalies and unauthorized changes within CI/CD pipelines in real time.
- Maintain Immutable Artifact Repositories: Store all build artifacts in a secure, immutable repository to prevent tampering.
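The article does not spell out the exact injection path, so the following audit script is an added example rather than Novee's tooling or anything from the report. It assumes the common GitHub Actions pattern in which an attacker-controllable event field (an issue title, a PR branch name) is expanded by `${{ }}` straight into a `run:` script, and it flags such steps while leaving values routed through `env:` alone; the workflow text is constructed for the demonstration.

```python
import re
# Constructed sample workflow (not from the article): two "risky" steps splice
# attacker-controllable event data into shell text; the "safe" step passes it via env:.
SAMPLE_WORKFLOW = """\
on: [issues, pull_request_target]
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - name: risky greeting
        run: echo "New issue: ${{ github.event.issue.title }}"
      - name: risky multiline
        run: |
          echo "${{ github.event.pull_request.title }}"
          echo done
      - name: safe greeting
        env:
          TITLE: ${{ github.event.issue.title }}
        run: echo "New issue: $TITLE"
      - run: echo "ref ${{ github.ref }}"
"""
# Event fields an external contributor controls (titles, bodies, branch names, ...).
UNTRUSTED = re.compile(
    r"\$\{\{\s*github\.event\.(?:issue|pull_request|comment|review|head_commit)\."
    r"(?:title|body|user\.login|head\.ref|head\.label|message|author\.(?:name|email))\s*\}\}"
)
RUN_LINE = re.compile(r"^\s*-?\s*run:\s*(.*)$")
_indent = lambda s: len(s) - len(s.lstrip())

def find_injection_sinks(workflow_text: str) -> list[tuple[int, str]]:
    """(line_no, expression) for each run: script that interpolates untrusted context."""
    lines, findings, i = workflow_text.splitlines(), [], 0
    while i < len(lines):
        m = RUN_LINE.match(lines[i])
        if not m:
            i += 1
            continue
        script = [(i + 1, m.group(1))]
        if m.group(1).strip() in ("|", "|-", ">", ">-"):
            # Block scalar: the script continues on lines indented deeper than "run:".
            j, base = i + 1, _indent(lines[i])
            while j < len(lines) and (not lines[j].strip() or _indent(lines[j]) > base):
                script.append((j + 1, lines[j]))
                j += 1
            i = j
        else:
            i += 1
        for lineno, text in script:  # env: values never reach here, only script text
            findings.extend((lineno, e.group(0)) for e in UNTRUSTED.finditer(text))
    return findings
```

Running it over every `.github/workflows/*.yml` in a repository gives the list of `run:` steps to rewrite so that the expression is assigned to an `env:` variable and the shell reads the variable instead.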
“The Cordyceps vulnerability highlights the need for a shift left in DevSecOps,” adds Jain. “Security must be baked into the CI/CD process from the ground up, not bolted on as an afterthought. Only then can organizations truly trust the integrity of their software supply chain.”