Cybersecurity researchers have uncovered a new class of CI/CD security weaknesses called “Cordyceps” that could allow attackers to hijack software development workflows and launch large-scale supply-chain attacks. The flaws were discovered in GitHub Actions environments and were found to affect more than 300 public repositories, including projects linked to major technology organizations. The issue highlights how small workflow mistakes can create serious risks across the open-source ecosystem.
According to researchers, the vulnerabilities do not rely on a single bug. Instead, Cordyceps is a collection of insecure workflow patterns that attackers can abuse to move through CI/CD pipelines. By combining weaknesses such as command injection, broken trust boundaries, artifact manipulation, and privilege escalation, threat actors can gain control over automated development processes.
The research shows that attackers may be able to exploit these workflows through malicious pull requests or other untrusted inputs. Once triggered, the attack can interfere with automated builds, releases, and testing pipelines. Because many open-source projects depend heavily on automation, a successful compromise could impact not only the targeted repository but also downstream users and organizations.
Researchers identified more than 300 GitHub repositories that were directly exposed to these risky workflow patterns. Some of the affected projects were associated with well-known technology ecosystems, demonstrating that even mature development teams can unknowingly introduce dangerous CI/CD configurations. The findings suggest that similar weaknesses may exist across a much larger number of repositories.
Security experts warn that the problem extends beyond a handful of projects. The vulnerable workflow designs have been widely copied and reused across the open-source community. As developers often rely on templates, examples, and AI-generated workflow configurations, insecure practices can spread rapidly and become embedded in thousands or even millions of repositories.
If exploited successfully, the vulnerabilities could allow attackers to steal sensitive CI/CD credentials, modify software builds, inject malicious code, or gain elevated access within development environments. Such actions could ultimately lead to software supply-chain compromises, where trusted software is manipulated before reaching end users.
The discovery comes at a time when attacks against software supply chains are becoming increasingly common. Recent incidents have shown how compromised GitHub Actions workflows and CI/CD environments can expose secrets, tokens, and cloud credentials. The Cordyceps findings reinforce the growing importance of securing development pipelines as carefully as production systems.
Researchers recommend that organizations review their GitHub Actions workflows, validate trust boundaries, limit permissions, and carefully inspect how untrusted contributions are handled. Strengthening CI/CD security practices and removing unsafe workflow patterns can help reduce the risk of repository hijacking and supply-chain attacks. The findings serve as a reminder that automation can improve development speed, but it must be secured properly to prevent abuse.
Stay alert, and keep your security measures updated!
Source: Follow cybersecurity88 on X and LinkedIn for the latest cybersecurity news
