GitHub Cordyceps Flaw Let Attackers Reach Microsoft, Google, Cloudflare

What You Need to Know
- Cordyceps vulnerabilities gave attackers with free GitHub accounts a path to persistent access inside Microsoft, Google, Apache, Cloudflare, and the Python Software Foundation.
- The flaws sat in the handoffs between CI/CD workflows: untrusted external input passed undetected through low-privilege workflows into workflows holding elevated credentials.
- Scan of 30,000 repositories identified 300 fully exploitable attack chains, indicating widespread exposure across major software ecosystems.
- Python Software Foundation’s Black formatter and Google’s AI Agent Development Kit contained exploitable flaws exposing automation tokens and cloud permissions.
Security firm Novee has identified a class of CI/CD pipeline vulnerabilities, named Cordyceps, that gave any attacker with a free GitHub account a viable path to persistent access inside Microsoft, Google, Apache, Cloudflare, and the Python Software Foundation. The issues have been patched, but the mechanics of how they worked deserve attention from anyone who ships software that depends on these ecosystems.
The vulnerabilities lived not in any single workflow file but in the handoff between them. A low-privilege workflow would accept external input, a pull request or a comment, as trusted data, and its output would then flow into a second workflow carrying elevated credentials: cloud provider tokens, package registry keys, signing certificates. Each step passed individual security review cleanly. The full attack chain only became visible when someone traced untrusted data across the entire sequence, which is precisely the kind of analysis most security audits skip. The Python Software Foundation’s Black formatter, with over 130 million downloads, exposed an automation bot token reachable by any pull request. Google’s AI Agent Development Kit carried a flaw that could have handed an attacker owner-level permissions on the associated Google Cloud project. These are not fringe repositories. The attack chain is methodical in the same way state-sponsored intrusions have been: patient, multi-step, and designed to pass through controls that inspect individual components rather than sequences.
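To make the cross-workflow handoff concrete, here is an added audit sketch (not Novee's scanner and not code from any affected project) that pairs externally triggerable workflows with privileged workflows consuming their output. It assumes one common form of the handoff, a `workflow_run` consumer that downloads artifacts, with upstream names written as an inline list; the file names, scripts and `BOT_TOKEN` are constructed.

```python
import re

# Constructed sample workflows, not taken from any affected repository.
WORKFLOWS = {
    "lint.yml": """name: Lint
on: [pull_request]
permissions: {contents: read}
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - run: ./lint.sh > report.txt
      - uses: actions/upload-artifact@v4
        with: {name: report, path: report.txt}
""",
    "publish.yml": """name: Publish
on:
  workflow_run: {workflows: ["Lint"], types: [completed]}
jobs:
  comment:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/download-artifact@v4
      - run: ./post.sh report.txt
        env: {TOKEN: "${{ secrets.BOT_TOKEN }}"}
""",
}
UNTRUSTED = re.compile(r"pull_request|issue_comment")  # triggers anyone can fire
UPSTREAM = re.compile(r"workflow_run:.*?workflows:\s*\[(.*?)\]", re.S)

def find_chains(workflows):
    """Return (entry_file, privileged_file) pairs that cross a trust boundary."""
    head = {p: t.split("\njobs:")[0] for p, t in workflows.items()}  # name, triggers
    entry = {}  # workflow name -> file, for externally triggerable workflows
    for path, text in workflows.items():
        name = re.search(r"^name:\s*(.+)$", text, re.M)
        if name and UNTRUSTED.search(head[path]):
            entry[name.group(1).strip()] = path
    chains = []
    for path, text in workflows.items():
        listed = UPSTREAM.search(head[path])
        privileged = "secrets." in text or re.search(r":\s*write\b", text)
        if listed and privileged and "download-artifact" in text:
            ups = [u.strip(" \"'") for u in listed.group(1).split(",")]
            chains += [(entry[u], path) for u in ups if u in entry]
    return chains

if __name__ == "__main__":
    print(find_chains(WORKFLOWS))  # (entry workflow, privileged consumer) pairs
```

Neither sample file is flagged when reviewed alone; the pair only appears once the upstream name is resolved across files, which is the sequence-level view the paragraph above describes.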
A single scan of 30,000 repositories found 300 fully exploitable attack chains. That ratio should recalibrate how organizations think about their exposure surface.
The finding lands at an awkward moment for the software industry’s relationship with automation. GitHub Actions workflows are routinely treated as configuration files rather than as executable security boundaries, a categorization problem that mirrors how smart contract code was dismissed as “just scripts” before on-chain exploits made the stakes obvious. Novee’s researchers flagged a compounding risk that the patches alone cannot address: AI coding assistants are likely to reproduce these vulnerable patterns across new repositories at scale, because the assistants learn from the same codebases that contained the flaws. CISOs who treat workflow files as second-class security artifacts are the primary audience here, and the recommendation from Novee is direct: CI/CD workflow files require the same review rigor applied to application code.
Novee confirmed that none of the identified vulnerabilities were exploited before patches were applied across the affected organizations. Whether that reflects good fortune, effective monitoring, or the relative obscurity of the attack vector before this disclosure is a question the affected organizations are better positioned to answer than outside observers.