How can organizations mitigate the risks associated with Cordyceps?

Organizations should audit their CI/CD workflows, secure YAML configurations, and implement robust authentication mechanisms to prevent unauthorized access and potential supply chain attacks.

Cordyceps Vulnerabilities Threaten Over 300 GitHub Repositories

Q: Which organizations are affected by the Cordyceps vulnerabilities?

Major organizations such as Microsoft, Google, Apache, Cloudflare, and the Python Software Foundation have repositories impacted by these vulnerabilities.

Novee's discovery of systemic flaws in GitHub Actions exposes numerous repositories to potential hijacking, highlighting critical security gaps in CI/CD pipelines.

Published: June 24, 2026

Share this on:

Executive Summary

In June 2026, cybersecurity firm Novee identified a systemic class of vulnerabilities, dubbed 'Cordyceps,' within GitHub Actions workflows. These flaws enable unauthenticated attackers to hijack continuous integration and continuous deployment (CI/CD) pipelines by exploiting insecure configurations in YAML files. The vulnerabilities affect repositories from major organizations, including Microsoft, Google, Apache, Cloudflare, and the Python Software Foundation, potentially compromising software supply chains and exposing sensitive credentials. (securityweek.com)

This incident underscores the escalating risks associated with CI/CD pipeline security, especially as AI-driven coding tools proliferate. Organizations must prioritize securing their development workflows to prevent similar supply chain attacks, which are becoming increasingly sophisticated and widespread. (mallory.ai)

Why This Matters Now

The Cordyceps vulnerabilities highlight the urgent need for organizations to audit and secure their CI/CD pipelines, as attackers increasingly target these workflows to infiltrate software supply chains. Immediate action is required to mitigate potential breaches and protect sensitive data.

Attack Path Analysis

Attackers exploited vulnerabilities in CI/CD workflows to inject malicious code, gaining unauthorized access to repositories. They escalated privileges by manipulating pipeline configurations, enabling broader access. Lateral movement occurred as attackers accessed interconnected repositories and services. Command and control were established through compromised build processes, allowing remote execution. Exfiltration involved extracting sensitive data from repositories. The impact included potential distribution of malicious code to end-users.

Kill Chain Progression

Initial Compromise

High

Privilege Escalation

Medium

Lateral Movement

Medium

Command & Control

Medium

Exfiltration

Medium

Impact

High

Initial Compromise

Description

Attackers exploited vulnerabilities in CI/CD workflows to inject malicious code, gaining unauthorized access to repositories.

Confidence:

High

MITRE ATT&CK® Techniques

Execution

T1677

Poisoned Pipeline Execution

Initial Access

T1195.001

Compromise Software Dependencies and Development Tools

Credential Access

T1552

Unsecured Credentials

Execution

T1059

Command and Scripting Interpreter

Defense Evasion

T1070.006

Timestomp

Persistence

T1098

Account Manipulation

Initial Access

T1078

Valid Accounts

Potential Compliance Exposure

Mapping incident impact across multiple compliance frameworks.

PCI DSS 4.0 – Change Control Processes

Control ID: 6.4.1

The exploitation of CI/CD pipeline vulnerabilities indicates inadequate change control processes, potentially leading to unauthorized code changes and compromising the integrity of the software development lifecycle.

NYDFS 23 NYCRR 500 – Cybersecurity Policy

Control ID: 500.03

The incident reveals deficiencies in the organization's cybersecurity policy, particularly in managing and securing CI/CD pipelines, which are critical components of the software development process.

DORA – ICT Risk Management Framework

Control ID: Article 5

The attack highlights weaknesses in the organization's ICT risk management framework, emphasizing the need for robust controls to protect against supply chain attacks targeting development tools and processes.

CISA ZTMM 2.0 – Identity and Access Management

Control ID: 3.1

The compromise of CI/CD pipelines suggests insufficient identity and access management controls, allowing unauthorized access and manipulation of critical development resources.

NIS2 Directive – Security Measures

Control ID: Article 21

The incident underscores the necessity for implementing appropriate technical and organizational measures to manage risks posed to the security of network and information systems, including those involved in software development.

Sector Implications

Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.

Computer Software/Engineering

Direct exposure to Cordyceps CI/CD vulnerabilities affecting GitHub repositories, compromising software development pipelines and supply-chain integrity at major organizations.

Information Technology/IT

Critical risk from supply-chain attacks targeting CI/CD workflows, requiring enhanced zero trust segmentation and egress security controls for development infrastructure.

Financial Services

High-value target for supply-chain compromise through CI/CD exploitation, demanding strict compliance controls and threat detection for development and deployment processes.

Computer/Network Security

Paramount concern as security vendors face reputational damage from supply-chain attacks, necessitating comprehensive fabric-based security and anomaly detection capabilities.

Sources

Cordyceps CI/CD Flaws Expose 300+ GitHub Repositories to Supply-Chain Attackshttps://thehackernews.com/2026/06/cordyceps-cicd-flaws-expose-300-github.html
Verified

Exploitable CI/CD Vulnerabilities Expose Millions of Repositories to Hijackinghttps://www.securityweek.com/exploitable-ci-cd-vulnerabilities-expose-millions-of-repositories-to-hijacking/

Verified

GitHub Actions supply chain attack spotlights CI/CD riskshttps://www.techtarget.com/searchitoperations/news/366621078/GitHub-Actions-supply-chain-attack-spotlights-CI-CD-risks

Verified

Frequently Asked Questions

Cordyceps refers to a class of vulnerabilities in GitHub Actions workflows that allow unauthenticated attackers to hijack CI/CD pipelines by exploiting insecure YAML configurations.

Cloud Native Security Fabric Mitigations and ControlsCNSF

Aviatrix Zero Trust CNSF is pertinent to this incident as it would likely limit unauthorized access and lateral movement within CI/CD workflows, thereby reducing the attacker's ability to escalate privileges and exfiltrate sensitive data.

Initial Compromise

Control: Cloud Native Security Fabric (CNSF)

Mitigation: The attacker's ability to gain unauthorized access to repositories would likely be constrained, reducing the risk of initial compromise.

Privilege Escalation

Control: Zero Trust Segmentation

Mitigation: The attacker's ability to escalate privileges by manipulating pipeline configurations would likely be constrained, reducing the risk of broader access.

Lateral Movement

Control: East-West Traffic Security

Mitigation: The attacker's ability to move laterally between interconnected repositories and services would likely be constrained, reducing the risk of further compromise.

Command & Control

Control: Multicloud Visibility & Control

Mitigation: The attacker's ability to establish command and control through compromised build processes would likely be constrained, reducing the risk of remote execution.

Exfiltration

Control: Egress Security & Policy Enforcement

Mitigation: The attacker's ability to exfiltrate sensitive data from repositories would likely be constrained, reducing the risk of data loss.

Impact (Mitigations)

The potential distribution of malicious code to end-users would likely be constrained, reducing the risk of widespread impact.

Impact at a Glance

Affected Business Functions

Software Development
Continuous Integration/Continuous Deployment (CI/CD)
Version Control Systems

Operational Disruption

Estimated downtime: 7 days

Financial Impact

Estimated loss: $500,000

Data Exposure

Potential exposure of source code, build artifacts, and CI/CD credentials.

Recommended Actions

• Implement Zero Trust Segmentation to restrict access between CI/CD components and repositories.
• Enforce Egress Security & Policy Enforcement to monitor and control outbound traffic from build environments.
• Utilize Threat Detection & Anomaly Response to identify and respond to unusual activities within CI/CD pipelines.
• Apply Inline IPS (Suricata) to detect and prevent malicious code injections in real-time.
• Enhance Multicloud Visibility & Control to maintain oversight across all cloud environments and services.

Secure the Paths Between Cloud Workloads

A cloud-native security fabric that enforces Zero Trust across workload communication—reducing attack paths, compliance risk, and operational complexity.

Stop Advanced Threats Get a Free Workload Attack Path Assessment Under Active Attack?

Cordyceps Vulnerabilities Threaten Over 300 GitHub Repositories

Executive Summary

Why This Matters Now

Attack Path Analysis

Kill Chain Progression

Initial Compromise

Description

MITRE ATT&CK® Techniques

Poisoned Pipeline Execution

Compromise Software Dependencies and Development Tools

Unsecured Credentials

Command and Scripting Interpreter

Timestomp

Account Manipulation

Valid Accounts

Potential Compliance Exposure

PCI DSS 4.0 – Change Control Processes

NYDFS 23 NYCRR 500 – Cybersecurity Policy

DORA – ICT Risk Management Framework

CISA ZTMM 2.0 – Identity and Access Management

NIS2 Directive – Security Measures

Sector Implications

Computer Software/Engineering

Information Technology/IT

Financial Services

Computer/Network Security

Sources

Frequently Asked Questions

Cloud Native Security Fabric Mitigations and ControlsCNSF

Impact at a Glance

Affected Business Functions

Recommended Actions

Key Takeaways & Next Steps

Secure the Paths Between Cloud Workloads