- A new critical flaw dubbed Cordyceps threatens open-source software supply chains.
- The vulnerability lets attackers with nothing more than a free account hijack CI/CD workflows and execute code.
- Major organizations including Microsoft, Google, and Apache have been impacted.
- Over 300 high-impact repositories were found to be fully exploitable.
- The issue stems from weak CI/CD configurations that grant excessive permissions to pull requests.
Cybersecurity researchers have identified a severe new vulnerability pattern that enables attackers to compromise critical open-source infrastructure, a discovery detailed by Novee Security on June 24, 2026. The weakness, codenamed Cordyceps, exploits misconfigured CI/CD workflows to gain control over code repositories at dozens of the world’s largest tech firms.
According to the security firm’s report, the flaw is exploitable by anyone with a free account and no special privileges. Once triggered, it lets attackers forge approvals, push malicious code, or steal credentials directly from the CI environment.
This supply chain weakness sits in the foundational plumbing that the entire software industry relies upon. It often evades scanners because each individual component (the workflow trigger, the checkout of contributor code, the build step that runs it) functions as designed; the vulnerability emerges only from their insecure composition.
For example, a single comment on a pull request for Microsoft’s Azure Sentinel could execute attacker code and steal a permanent GitHub App key. Meanwhile, a similar attack on Google’s AI Agent Development Kit could grant an attacker complete authority over a Google Cloud repository.
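As an added illustration (not code from Novee Security’s report or from any of the affected projects), the Python checker below flags the three-part composition the article describes: a workflow trigger that runs with the base repository’s secrets even for fork contributions (such as `pull_request_target` or `issue_comment`), a checkout of the pull request’s head commit, and a later step that executes code from that checkout. Each ingredient on its own is benign, which is why the checker reports only the combination. The workflow samples are constructed dictionaries mirroring parsed GitHub Actions YAML (load real files with `yaml.safe_load`); the trigger names and expression markers are standard GitHub Actions features, not details taken from the report, and the job and secret names are invented.

```python
"""Flag GitHub Actions jobs where a privileged trigger, a checkout of
pull-request code and an executing step are combined in one workflow.

Constructed example; the workflows below are illustrative, not real ones.
"""

# Events that expose repository secrets and a write-capable token even
# when the originating pull request comes from a fork.
PRIVILEGED_TRIGGERS = {"pull_request_target", "issue_comment", "workflow_run"}

# Substrings in a checkout `ref` that select the contributor's commit.
PR_HEAD_MARKERS = ("github.event.pull_request.head", "github.head_ref", "refs/pull/")


def workflow_triggers(workflow):
    """Normalise the `on` block (string, list or mapping) to a set of events."""
    on = workflow.get("on", {})
    if isinstance(on, str):
        return {on}
    if isinstance(on, list):
        return set(on)
    return set(on)


def checks_out_pr_head(step):
    """True if the step is actions/checkout pointed at the PR head."""
    if not str(step.get("uses", "")).startswith("actions/checkout"):
        return False
    ref = str((step.get("with") or {}).get("ref", ""))
    return any(marker in ref for marker in PR_HEAD_MARKERS)


def executes_checked_out_code(step):
    """A shell step or a local action (./...) runs files from the checkout."""
    return "run" in step or str(step.get("uses", "")).startswith("./")


def references_secrets(node):
    """True if any string in the nested YAML structure mentions secrets.*"""
    if isinstance(node, dict):
        return any(references_secrets(v) for v in node.values())
    if isinstance(node, list):
        return any(references_secrets(v) for v in node)
    return isinstance(node, str) and "secrets." in node


def audit_workflow(workflow):
    """Return one finding per job that chains all three ingredients."""
    privileged = workflow_triggers(workflow) & PRIVILEGED_TRIGGERS
    if not privileged:
        return []  # ingredient 1 missing: a plain pull_request run has no secrets
    findings = []
    for job_name, job in workflow.get("jobs", {}).items():
        steps = job.get("steps", [])
        first_untrusted = next(
            (i for i, s in enumerate(steps) if checks_out_pr_head(s)), None)
        if first_untrusted is None:
            continue  # ingredient 2 missing: only base-branch code is present
        if not any(executes_checked_out_code(s) for s in steps[first_untrusted + 1:]):
            continue  # ingredient 3 missing: untrusted files are never run
        findings.append({
            "job": job_name,
            "triggers": sorted(privileged),
            "secrets_referenced": references_secrets(job)
            or references_secrets(workflow.get("env", {})),
        })
    return findings


# A comment on a PR ("/test") starts this job, which then builds the PR's code
# with a deployment secret in the environment. (Constructed sample.)
VULNERABLE_WORKFLOW = {
    "name": "comment-triggered build",
    "on": {"issue_comment": {"types": ["created"]}},
    "jobs": {"build": {"runs-on": "ubuntu-latest", "steps": [
        {"uses": "actions/checkout@v4",
         "with": {"ref": "refs/pull/${{ github.event.issue.number }}/head"}},
        {"run": "npm ci && npm test",
         "env": {"DEPLOY_KEY": "${{ secrets.DEPLOY_KEY }}"}},
    ]}},
}

# Same steps, but on `pull_request`: fork PRs get no secrets and a read-only
# token, so checking out and running the PR's code is the intended design.
UNPRIVILEGED_WORKFLOW = dict(VULNERABLE_WORKFLOW, **{"on": {"pull_request": {}}})

# Privileged trigger kept, but the checkout stays on the base branch and the
# PR is only labelled, so no contributor-controlled code ever executes.
HARDENED_WORKFLOW = {
    "name": "label PRs",
    "on": {"pull_request_target": {}},
    "jobs": {"label": {"runs-on": "ubuntu-latest", "steps": [
        {"uses": "actions/checkout@v4"},
        {"uses": "actions/labeler@v5"},
    ]}},
}

if __name__ == "__main__":
    for name, wf in [("vulnerable", VULNERABLE_WORKFLOW),
                     ("unprivileged", UNPRIVILEGED_WORKFLOW),
                     ("hardened", HARDENED_WORKFLOW)]:
        print(name, audit_workflow(wf))
```

The two non-flagged samples each contain two of the three ingredients, which is the point the article makes: a linter that checks triggers, checkouts or secret usage in isolation passes all three workflows, while only the chained combination hands a commenter the job’s secrets.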
Other notable findings include vulnerabilities in Apache Doris, Cloudflare Workers SDK, and the Python Software Foundation’s Black project. Following responsible disclosure, impacted organizations have confirmed the issues and applied patches.
Elad Meged, a founding engineer at Novee Security, said the nature of agentic coding means these vulnerabilities reproduce persistently and at scale. “We like to think of it as ‘puppeteering’ the repositories of some of the world’s biggest companies, silently manipulating their workflows,” he explained.
