
Researchers Confirm 300+ Exploitable Attack Chains Across Microsoft, Google, Apache, and Cloudflare

Novee Security scanned roughly 30,000 open-source repositories and confirmed more than 300 fully exploitable supply chain attack chains in GitHub Actions workflows — all triggerable by anyone with a free GitHub account. The same AI coding tools enterprises rely on to generate CI/CD configurations are now reproducing the vulnerable patterns at scale.

Updated on June 23, 2026
  1. 30,000 repositories scanned by Novee across the npm, PyPI, crates, and Go ecosystems

  2. 654 repositories flagged in a single automated scan pass

  3. 300+ confirmed fully exploitable attack chains, all now patched

  4. $0: the cost of the GitHub account needed to trigger any of the identified exploits

Novee Security published research today on a systemic class of CI/CD vulnerabilities they named Cordyceps, after the parasitic fungus that hijacks its host. The name fits. What Novee documented is a pattern where GitHub Actions workflows are composed in ways that allow untrusted external input — a pull request comment, a branch name, a submitted file — to travel across trust boundaries between workflows until it reaches a step with high-privilege credentials. At that point the attacker has access to secrets, signing keys, cloud provider roles, and the ability to push code or artifacts to downstream consumers.

Novee scanned roughly 30,000 high-impact repositories across the npm, PyPI, crates, and Go ecosystems. Their automated scan flagged 654 repositories. They then validated the findings manually and confirmed more than 300 were fully exploitable. The affected organizations span some of the largest and most widely-depended-on technology infrastructure in the world: Microsoft, Google, Apache, Cloudflare, and the Python Software Foundation. All confirmed vulnerabilities have since been reported and patched.

The attack is accessible to anyone. A free GitHub account is sufficient to trigger every exploit chain Novee identified. No organizational membership is required. No special privileges are needed before the chain begins. The attacker just needs to find a repository with the right workflow composition and submit a pull request or leave a comment.

How It Works

Standard security scanners evaluate workflows one file at a time. They check YAML syntax, flag known insecure patterns, and move on. Cordyceps exists specifically in the space between files — in how one workflow's output becomes another workflow's input, and in whether anyone audited that handoff for trust boundary violations.

A typical exploit chain runs in four steps. A low-privilege workflow processes external input — a PR comment or a submitted artifact — and treats it as trusted. That input carries attacker-controlled data into the workflow's output. A second, higher-privilege workflow picks up that output and uses it without re-validating provenance. The higher-privilege workflow then authenticates to a cloud provider, a package registry, or a signing service using credentials that are now effectively under the attacker's control.

Generalized Cordyceps Exploit Chain

  1. Attacker submits a PR comment or malicious artifact to a public repository

  2. Low-privilege workflow processes the external input without sanitization

  3. Tainted output crosses the trust boundary into a high-privilege workflow

  4. High-privilege workflow authenticates to a cloud provider or registry → credential theft / code injection

Novee's description of why existing tooling misses this is worth quoting directly:

"A deterministic scanner reads valid YAML and moves on; an attacker sees a four-step path to permanent cloud credentials."

Novee Security, Cordyceps Research, June 23, 2026

That gap in perception — between what a scanner sees and what an attacker sees — is the entire premise of the attack. Every individual step in the chain can pass a security review. The vulnerability only materializes when you trace the full chain across workflow boundaries that no single-file scanner ever connects.

What Novee Found

Microsoft — Azure Sentinel

A PR comment was enough to steal a non-expiring GitHub App key

In Microsoft's Azure Sentinel content pipeline, an anonymous attacker could leave a pull request comment that triggered attacker code execution on Microsoft's CI infrastructure. The result was theft of a non-expiring GitHub App key that would have provided persistent write access to security detection content shipped directly into customer Sentinel workspaces. The implications run downstream to every organization running Sentinel with Microsoft-distributed detection rules.

Google — AI Agent Development Kit

A single pull request granted roles/owner on the associated Google Cloud project

Google's AI Agent Development Kit — actively used by organizations building production AI agent infrastructure — had a workflow composition flaw where a single submitted pull request would give an attacker roles/owner access on the associated Google Cloud project. That is the highest permission level available. There is no higher privilege to escalate to from there.

Apache — Doris

Two zero-click attack paths, both leading to credential theft and direct code modification

Apache's Doris database project had two separate zero-click attack paths confirmed — meaning neither required an attacker to interact with a human or wait for a human to click anything. Both paths led to credential theft and direct code modification rights on the Doris repository.

Cloudflare — Workers SDK

A specially crafted branch name triggered arbitrary command execution on CI runners

In Cloudflare's Workers SDK, using the Wrangler CLI toolchain, an attacker could craft a branch name that triggered arbitrary command execution on Cloudflare's CI infrastructure. The Wrangler CLI is the primary tool developers use to build and deploy applications on Cloudflare Workers. Compromising the CI runners that build and distribute it is a direct path to the software supply chain for every Wrangler user.

Python Software Foundation — Black Formatter

Any pull request could steal the project's bot token — and from there, poison official Docker images

Black is Python's official code formatting tool with 130 million installs per month. Any pull request to the Black repository could steal the project's bot token, which provided the ability to forge PR approvals and opened a downstream path to poisoning Black's official Docker images. Every system that pulls the Black Docker image — including CI pipelines across thousands of organizations — would be in the distribution path for whatever a successful attacker chose to inject.

AI Coding Agents Are Reproducing the Vulnerable Pattern Extensively

Novee included a finding in their research that has received almost no coverage from the security outlets reporting on Cordyceps today, and it is the most consequential part of the disclosure for enterprise governance programs. It also bears out a recent report by Audrey Rah of the University of Houston, which examined 156 sources to understand how U.S. organizations are adopting generative and agentic AI, what risks are emerging, and how well current governance frameworks are keeping up.

AI coding agents — the tools that developers use to generate CI/CD configuration files quickly — are reproducing the same insecure multi-workflow composition patterns across millions of repositories. When a developer asks an AI coding assistant to write a GitHub Actions workflow, the assistant generates code based on patterns prevalent in its training data. The insecure composition patterns that Cordyceps exploits are prevalent in public repositories. The coding agent doesn't evaluate the security implications of how one workflow hands data to another; it produces a configuration file that runs, which is the only criterion most developers apply before committing it.

"As developers rely more heavily on AI tools to generate CI/CD configuration files quickly, those tools reproduce the same insecure patterns over and over."

Novee Security, Cordyceps Research, June 23, 2026

The scale implication is significant. A human developer writing an insecure workflow composition pattern introduces one vulnerable workflow. An AI coding agent that has learned the same pattern from training data and generates it on request introduces it across every project where a developer uses the tool without independent security review. Novee described this as a "reproducible, agentic infection model" — small repeated mistakes becoming exponential risk as they propagate through the repositories of an organization's entire development operation.

There is a direct connection here to the Shai-Hulud supply chain attack documented in May. In that case, the attack succeeded by operating inside the legitimate CI/CD pipeline — compromised packages carried valid provenance attestations that every standard supply chain check passed. Cordyceps uses the same attack surface: the CI/CD pipeline itself, specifically the GitHub Actions YAML configurations that define what happens when code moves through review and deployment. In both cases, the attacker operates inside the systems that organizations trust to validate their software. The governance gap is the same: organizations are treating these configuration files as passive infrastructure rather than as security-critical code that requires the same review rigor applied to application logic.

How Enterprise Security Programs Should Respond

Cordyceps is a supply chain risk that sits in the Model and Pipeline Security layer of the AI security controls framework — specifically in the behavioral verification function that sits alongside provenance attestation. The Shai-Hulud research established that provenance attestation alone is insufficient when an attacker can compromise the pipeline generating the attestation. Cordyceps establishes the same principle from a different angle: YAML syntax validation is insufficient when the vulnerability exists in the compositional relationship between valid, individually-benign workflow files.

The detection mechanism that Novee's research used — simulating attacker behavior end-to-end across cross-workflow chains rather than checking individual files — is what behavioral verification looks like applied to CI/CD infrastructure. It is not a feature that most enterprise security programs currently have in their standard toolchain. Standard SCA scanners, SAST tools, and dependency audits all operate at the single-file or single-process level. None of them reason about how untrusted data moves across workflow boundaries.

Novee's immediate recommendations are specific: audit all GitHub Actions workflows for untrusted input interpolation into shell commands, validate trust boundaries between workflow privilege tiers, and treat CI/CD configuration as security-critical code with the same review standards applied to application code. That last point is the organizational change. The technical controls follow from it, but the review process has to exist first.
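As an added illustration of the four-step chain described above and of the first two audit recommendations (this is not Novee's tooling or any project's code), the following Python flags untrusted event contexts interpolated into `run:` steps and `workflow_run` consumers that ingest artifacts from externally triggered producers while holding secrets. It assumes the workflow files have already been loaded with a YAML parser such as PyYAML's `yaml.safe_load`; the two workflows, the external-event list and the untrusted-context pattern are constructed for the example.

```python
import re

# Constructed workflows in the shape yaml.safe_load gives (not from any repository in
# the article; note PyYAML reads the `on:` key as True, normalised to "on" here). They
# form the four-step chain: a pull_request job writes the attacker-chosen branch name
# into an artifact, and a workflow_run job holding a cloud credential consumes it.
WORKFLOWS = {
    "PR Check": {
        "on": {"pull_request": None},
        "jobs": {"build": {"steps": [
            {"run": 'echo "${{ github.event.pull_request.head.ref }}" > branch.txt'},
            {"uses": "actions/upload-artifact@v4", "with": {"name": "pr-data", "path": "branch.txt"}},
        ]}}},
    "Deploy Preview": {
        "on": {"workflow_run": {"workflows": ["PR Check"], "types": ["completed"]}},
        "jobs": {"deploy": {"steps": [
            {"uses": "actions/download-artifact@v4", "with": {"name": "pr-data"}},
            {"run": './deploy.sh --branch "$(cat branch.txt)"',
             "env": {"CLOUD_TOKEN": "${{ secrets.CLOUD_TOKEN }}"}},
        ]}}},
}
# Events a stranger with a free account can fire, and the expression contexts they
# control (titles, bodies, branch names). Assumed lists, deliberately broad.
EXTERNAL = {"pull_request", "pull_request_target", "issue_comment",
            "pull_request_review", "pull_request_review_comment"}
UNTRUSTED = re.compile(r"\$\{\{\s*github\.(?:head_ref|event\.(?:pull_request|issue|"
                       r"comment|review|workflow_run)\.[\w.]+)\s*\}\}")

def events(wf):  # `on:` may be a string, a list or a mapping
    on = wf.get("on", {})
    return set([on] if isinstance(on, str) else on)

def steps(wf):
    return [s for job in wf.get("jobs", {}).values() for s in job.get("steps", [])]

def findings(name, wf, workflows):
    """Step-2 check (untrusted context in a shell) and step-3/4 check (artifact hand-off)."""
    out = [f"{name}: untrusted context in shell: {s['run']}"
           for s in steps(wf) if "run" in s and UNTRUSTED.search(s["run"])]
    cfg = wf["on"].get("workflow_run") if isinstance(wf.get("on"), dict) else None
    downloads = any("download-artifact" in s.get("uses", "") for s in steps(wf))
    if cfg and downloads and "secrets." in repr(wf):  # crude: any ${{ secrets.* }} use
        for up in cfg.get("workflows", []):
            if EXTERNAL & events(workflows.get(up, {})):
                out.append(f"{name}: consumes artifact of externally triggered '{up}' with secrets in scope")
    return out

def audit(workflows=WORKFLOWS):
    return [f for n, wf in workflows.items() for f in findings(n, wf, workflows)]
```

A `run:` step that receives an untrusted value through `env:` rather than by direct interpolation is not flagged, because that is the safe pattern; the check is deliberately limited to interpolation into the shell text.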

For organizations that have deployed AI coding agents to accelerate development — including tools that generate CI/CD configuration — Cordyceps adds a specific governance question: is there any review process for the security properties of AI-generated workflow files, or are developers committing AI-generated YAML with the same trust they'd extend to hand-written configuration? The answer in most development environments is the latter. That's the exposure the research is describing.

Our Take


Shai-Hulud in May. The Mastra npm compromise last week. Cordyceps today. Three research disclosures and incident reports in six weeks, each confirming that the CI/CD pipeline and the software supply chain are the primary attack surface for organizations running AI-adjacent infrastructure.

The finding that AI coding agents are reproducing insecure workflow composition patterns at scale is the part that should concern governance teams most. It converts what would otherwise be a one-time developer mistake into a systematically generated vulnerability class. Every organization that uses AI coding tools to generate CI/CD configuration and doesn't review the security properties of that generated code is potentially running a version of the same insecure composition patterns Novee confirmed across 300 repositories at Microsoft, Google, Apache, Cloudflare, and the Python Software Foundation.

The AIBOM and supply chain security controls that GAIG has been covering as governance capabilities for the past six months were built for exactly this scenario: organizations need visibility into the provenance, composition, and security properties of every component in their AI-adjacent infrastructure, including the configuration files that define how that infrastructure builds and deploys. Treating those files as passive YAML is the gap that Cordyceps exploits. The attack worked at major organizations with mature security programs because the gap is architectural, not operational — and AI coding agents are making it worse by propagating the same architectural mistake across millions of repositories simultaneously.
