HomeIntelligenceBrief
VULNERABILITY BRIEF🟠 High Vulnerability

Anonymous Users Can Hijack CI/CD Pipelines via ‘Cordyceps’ Flaw in GitHub Actions Workflows

Security researcher Novee Security disclosed a GitHub Actions vulnerability—named Cordyceps—that lets unauthenticated actors poison builds and exfiltrate tokens from high‑profile repos (Microsoft, Google, Apache). The flaw highlights the need for continuous CI/CD control monitoring and audit‑ready evidence under SOC 2.

LiveThreat™ Intelligence · 📅 June 24, 2026· 📰 hackread.com
🟠
Severity
High
VU
Type
Vulnerability
🎯
Confidence
High
🏢
Affected
2 sector(s)
Actions
3 recommended
📰
Source
hackread.com

‘Cordyceps’ CI/CD Flaw Exposes Microsoft, Google, Apache Repos to Pipeline Hijacking

What Happened — Security researcher Novee Security disclosed “Cordyceps,” a vulnerability in GitHub Actions workflows that lets any anonymous user inject malicious steps into a pipeline. The flaw can steal secrets (tokens, API keys) and poison builds across high‑profile repositories, including projects owned by Microsoft, Google and the Apache Software Foundation.

Why It Matters for Compliance & Audit Readiness

  • The scenario is a classic CI/CD mis‑configuration that defeats the CC6.1 – Change Management and CC6.2 – Secure Development controls required by SOC 2.
  • Continuous evidence of proper pipeline hardening (e.g., signed workflow files, secret‑scanning) is essential to demonstrate due diligence during an audit.
  • Verisq’s Control Mapping capability lets you automatically map pipeline‑security controls to SOC 2 criteria and collect immutable evidence for the Trust Center, turning a reactive fix into proactive audit proof.

Who Is Affected – Cloud‑native SaaS vendors, large tech firms, open‑source foundations, and any organization that relies on GitHub Actions or similar CI/CD services for code delivery.

Recommended Actions

  • Review all GitHub Actions workflows for pull_request_target usage or any step that runs with elevated permissions on untrusted code.
  • Enforce signed workflow files and restrict token scopes; rotate any exposed secrets immediately.
  • Deploy automated secret‑scanning and CI/CD policy enforcement tools; capture configuration snapshots as audit evidence.

Source: HackRead – Cordyceps CI/CD Flaw

Technical Notes

  • Attack Vector: Misconfiguration of GitHub Actions workflow permissions; no public CVE assigned yet.
  • Data Types Exposed: Cloud service tokens, API keys, potentially credential‑level access to downstream environments.
  • Impact: Enables build poisoning, credential theft, and downstream supply‑chain compromise.

Source: HackRead article

📰 Original Source
https://hackread.com/cordyceps-ci-cd-flaw-microsoft-google-apache-repos-hijack/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Trust Operations

Every gap like this maps to a control you can evidence.

The Verisq AI Trust Operations platform maps incidents to your control framework and collects the evidence continuously — so your Trust Center shows proof, not promises, when a buyer or auditor asks.

Explore the Verisq AI Trust Operations platform →