‘Cordyceps’ CI/CD Flaw Exposes Microsoft, Google, Apache Repos to Pipeline Hijacking
What Happened — Security researcher Novee Security disclosed “Cordyceps,” a vulnerability in GitHub Actions workflows that lets any anonymous user inject malicious steps into a pipeline. The flaw can steal secrets (tokens, API keys) and poison builds across high‑profile repositories, including projects owned by Microsoft, Google and the Apache Software Foundation.
Why It Matters for Compliance & Audit Readiness
- The scenario is a classic CI/CD mis‑configuration that defeats the CC6.1 – Change Management and CC6.2 – Secure Development controls required by SOC 2.
- Continuous evidence of proper pipeline hardening (e.g., signed workflow files, secret‑scanning) is essential to demonstrate due diligence during an audit.
- Verisq’s Control Mapping capability lets you automatically map pipeline‑security controls to SOC 2 criteria and collect immutable evidence for the Trust Center, turning a reactive fix into proactive audit proof.
Who Is Affected – Cloud‑native SaaS vendors, large tech firms, open‑source foundations, and any organization that relies on GitHub Actions or similar CI/CD services for code delivery.
Recommended Actions
- Review all GitHub Actions workflows for
pull_request_targetusage or any step that runs with elevated permissions on untrusted code. - Enforce signed workflow files and restrict token scopes; rotate any exposed secrets immediately.
- Deploy automated secret‑scanning and CI/CD policy enforcement tools; capture configuration snapshots as audit evidence.
Source: HackRead – Cordyceps CI/CD Flaw
Technical Notes
- Attack Vector: Misconfiguration of GitHub Actions workflow permissions; no public CVE assigned yet.
- Data Types Exposed: Cloud service tokens, API keys, potentially credential‑level access to downstream environments.
- Impact: Enables build poisoning, credential theft, and downstream supply‑chain compromise.
Source: HackRead article