🔴 Critical  |  Source: The Hacker News


A newly identified class of CI/CD vulnerability, dubbed ‘Cordyceps’ by Novee Security, allows attackers to hijack GitHub Actions workflows and gain full control of repositories belonging to major organisations including Microsoft, Google, and Apache. Over 300 repositories have been identified as exposed, making this a significant supply-chain risk. Because CI/CD pipelines often hold privileged credentials and publish trusted software artefacts, a successful exploit could enable attackers to inject malicious code into widely used open-source packages.

Security Architect’s Take: Audit all GitHub Actions workflows across your organisation immediately for write permissions granted to pull request triggers (e.g. pull_request_target with checkout of untrusted code), restrict GITHUB_TOKEN permissions to least-privilege, and enforce branch protection rules requiring signed commits and mandatory reviewers before any workflow executes with elevated access.
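A small audit helper for the first recommendation above, added here as an illustration rather than code from the advisory or from Novee Security. It scans a workflow file's text for the combination the note warns about: a `pull_request_target` trigger, an `actions/checkout` step pinned to the pull request's head, and a `GITHUB_TOKEN` that is either left at the repository default or explicitly granted `write`. The two embedded workflows (`RISKY_WORKFLOW`, `HARDENED_WORKFLOW`) are constructed samples, and the line-oriented regex parsing is a deliberate simplification so the script runs without PyYAML; a production audit would parse the YAML properly.

```python
"""Flag GitHub Actions workflows where untrusted PR code can run with a write token.

Constructed example: regex/line-based on purpose so it needs no third-party YAML
library. It looks for three things in a workflow file:
  1. a pull_request_target trigger (runs with the base repo's secrets),
  2. a checkout of github.event.pull_request.head.{sha,ref} (untrusted code),
  3. a GITHUB_TOKEN that is not read-only (no permissions block, write-all,
     or any <scope>: write).
All three together is the pattern to fix."""
import re

HEAD_REF_RE = re.compile(r"github\.event\.pull_request\.head\.(sha|ref)")
CHECKOUT_RE = re.compile(r"uses:\s*actions/checkout")
PR_TARGET_RE = re.compile(r"\bpull_request_target\b")
PERM_LINE_RE = re.compile(r"^(\s*)permissions:\s*(.*?)\s*$")
SCOPE_RE = re.compile(r"^\s*([\w-]+):\s*(read|write|none)\s*$")

# Constructed sample: the risky shape (privileged trigger + untrusted checkout + write token).
RISKY_WORKFLOW = """\
name: pr-build
on:
  pull_request_target:
    types: [opened, synchronize]
permissions:
  contents: write
  pull-requests: write
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm ci && npm test
"""

# Constructed sample: same job, but untrusted code never meets a write token.
HARDENED_WORKFLOW = """\
name: pr-build
on:
  pull_request:
    types: [opened, synchronize]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test
"""


def token_grants(lines):
    """Return (permissions_declared, set_of_write_scopes).

    '*' in the set means `permissions: write-all`. Both top-level and job-level
    `permissions:` blocks are inspected; the mapping form is read until the
    indentation returns to the level of the `permissions:` key."""
    declared = False
    writes = set()
    i = 0
    while i < len(lines):
        m = PERM_LINE_RE.match(lines[i])
        i += 1
        if not m:
            continue
        declared = True
        indent, inline = len(m.group(1)), m.group(2)
        if inline == "write-all":
            writes.add("*")
            continue
        if inline:  # read-all, {} or another scalar: nothing is granted write
            continue
        while i < len(lines):  # mapping form: consume the indented scope lines
            line = lines[i]
            if line.strip() and (len(line) - len(line.lstrip())) <= indent:
                break
            s = SCOPE_RE.match(line)
            if s and s.group(2) == "write":
                writes.add(s.group(1))
            i += 1
    return declared, writes


def audit_workflow(text):
    """Return a list of finding codes for one workflow file's text."""
    lines = [ln for ln in text.splitlines() if not ln.lstrip().startswith("#")]
    body = "\n".join(lines)
    findings = []
    if PR_TARGET_RE.search(body):
        findings.append("PR_TARGET_TRIGGER")
    if CHECKOUT_RE.search(body) and HEAD_REF_RE.search(body):
        findings.append("CHECKOUT_UNTRUSTED_HEAD")
    declared, writes = token_grants(lines)
    if not declared:
        findings.append("TOKEN_DEFAULT")  # falls back to the repo default, which may be read/write
    for scope in sorted(writes):
        findings.append(f"TOKEN_WRITE:{scope}")
    return findings


def is_risky(text):
    """True only when all three conditions coincide in the same workflow."""
    f = set(audit_workflow(text))
    token_can_write = "TOKEN_DEFAULT" in f or any(x.startswith("TOKEN_WRITE") for x in f)
    return "PR_TARGET_TRIGGER" in f and "CHECKOUT_UNTRUSTED_HEAD" in f and token_can_write


if __name__ == "__main__":
    for name, wf in (("risky", RISKY_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(f"{name}: risky={is_risky(wf)} findings={audit_workflow(wf)}")
```

Run it over every file under `.github/workflows/` in each repository; a workflow that reports `PR_TARGET_TRIGGER` together with `CHECKOUT_UNTRUSTED_HEAD` is the one to restructure first, and an explicit top-level `permissions: contents: read` (as in the hardened sample) is the least-privilege baseline to enforce regardless of trigger.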

Original advisory: Cordyceps CI/CD Flaws Expose 300+ GitHub Repositories to Supply-Chain Attacks