Cordyceps CI/CD Flaws Expose 300+ GitHub Repositories to Supply-Chain Attacks

Cybersecurity researchers have flagged a new class of CI/CD workflow vulnerabilities that allow attackers to hijack workflows and compromise open source supply chains.
A “useful key pattern” has been codenamed Cordyceps by Novee Security. The issue could allow attackers to take full control of repositories belonging to many large organizations around the world, including Microsoft, Google, Apache, and Cloudflare.
“This flaw can be exploited by any unauthorized user,” said Elad Meged, co-founder and security researcher at Novee Security. “There are no organization memberships or special privileges; a free account is enough to perform authorizations, push code, or steal information.”
The penetration testing company’s scan of nearly 30,000 high-impact repositories revealed that more than 300 were fully exploitable, allowing attacker-controlled code execution, data theft, and supply chain compromise, which could have serious downstream impacts.
The crux of the problem comes down to a weak CI/CD configuration that gives pull requests (PRs) more permissions than they should have. PRs are proposals for merging code changes from a single branch into a larger project. However, because an untrusted PR can trigger a privileged workflow, it can open the door to injection, privilege escalation, and supply chain compromise.
“This is a supply chain vulnerability in the open source pipelines of the foundation that the entire industry runs on, and the kind of problem that is hidden in scanners because, technically, each piece works the way it’s designed,” Novee explained. “The workflow does what it’s told. The risk is only in the design – untrusted data that crosses a trust boundary that no one audits.”
In Microsoft’s Azure Sentinel, for example, Novee found that a comment on a PR could run an unknown attacker’s code in Microsoft’s CI and steal an unexpired GitHub application key. In the same vein, a PR to Google’s AI Agent Development Kit (“adk-samples”) could run the attacker’s code in Google’s CI to gain full authority over the Google Cloud repository.
Other findings are listed below:
- Apache Doris, where two zero-click attacks allow a single comment on any PR, or a forked PR, to execute the attacker’s code and expose hard-coded CI credentials or a token with full write permissions.
- Cloudflare Workers SDK, where a PR with a crafted branch name can execute arbitrary commands on Cloudflare’s CI workers.
- The Python Software Foundation’s Black, where a single pull request from anyone can run attacker code on Black’s build systems and steal a default token, which can be used to authorize pull requests.
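A defender-side check for the pattern described above, as an added example that is not from the article or from Novee Security: a heuristic scan of a GitHub Actions workflow file for privileged triggers combined with a checkout of PR head code, and for contributor-controlled values (branch name, PR or comment text) interpolated into shell steps. The trigger and context names are standard GitHub Actions identifiers that the article does not list, and both sample workflows are constructed.

```python
import re

# Assumed, not named in the article: triggers that run with base-repo secrets.
PRIVILEGED_TRIGGERS = ("pull_request_target", "issue_comment", "workflow_run")
# Untrusted input: contributor-controlled context values, and PR-head checkout.
UNTRUSTED_EXPR = re.compile(r"\$\{\{\s*github\.(head_ref|event\."
                            r"(comment|issue|pull_request)\.(body|title|head\.ref))\s*\}\}")
HEAD_CHECKOUT = re.compile(r"ref:.*(pull_request\.head\.(sha|ref)|refs/pull/)")

def audit_workflow(text):
    findings, in_run, run_col = [], False, 0
    privileged = [t for t in PRIVILEGED_TRIGGERS if re.search(rf"\b{t}\b", text)]
    for n, line in enumerate(text.splitlines(), 1):
        indent = len(line) - len(line.lstrip())
        m = re.match(r"\s*(-\s*)?run:", line)
        if m:                                    # entering a run: step
            in_run, run_col = True, indent + len(m.group(1) or "")
        elif line.strip() and indent <= run_col:  # sibling key: run block ended
            in_run = False
        if in_run and UNTRUSTED_EXPR.search(line):
            findings.append((n, "expression-in-shell"))
        if privileged and HEAD_CHECKOUT.search(line):
            findings.append((n, "untrusted-checkout"))
    return privileged, findings

# Constructed sample workflows, not taken from any repository in the article.
WEAK = """\
on: pull_request_target
permissions: write-all
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: echo "Building ${{ github.head_ref }}"
"""
HARDENED = """\
on: pull_request
permissions: {contents: read}
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: echo "Building $BRANCH"
        env:
          BRANCH: ${{ github.head_ref }}
"""
```

`audit_workflow(WEAK)` reports the head checkout on line 9 and the branch name expanded inside the shell step on line 10, while `audit_workflow(HARDENED)` reports nothing because the branch name reaches the shell only through an environment variable.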
Following responsible disclosure, both Microsoft and Google have confirmed the impact, while Cloudflare, Python, and Apache have implemented fixes and patches, respectively.
“The nature of agent code means that these CI/CD vulnerabilities are reproduced continuously, at scale, ‘infecting’ repositories in large numbers,” Meged said. “Because anonymous users can use them to gain control of the software supply chain, we like to think of it as ‘rooting’ the repositories of the world’s largest companies, quietly controlling the workflow.”



