CRITICAL ⚡ MUST-KNOW
Cordyceps CI/CD Flaws Expose 300+ GitHub Repositories to Supply-Chain Attacks
Researchers at Novee Security disclosed a new class of CI/CD workflow weakness, codenamed Cordyceps, that lets attackers hijack GitHub Actions workflows and gain full control of affected repositories. The “critical exploitable pattern” reportedly impacts 300+ repositories at major organizations including Microsoft, Google, and Apache. The flaw class threatens the open-source supply chain broadly, since compromised CI/CD pipelines can be used to inject malicious code into downstream builds.