Based on reporting by The Hacker News →
Introduction
The open-source supply chain is only as secure as the weakest build pipeline. A newly identified class of CI/CD vulnerabilities, dubbed Cordyceps, demonstrates how poor workflow hygiene can turn a repository into a weapon, threatening the software foundations used by the world's largest companies.
The problem
Cybersecurity researchers at Novee Security have identified a critical weakness in CI/CD workflow configurations, which they have named "Cordyceps," according to a report by The Hacker News. This vulnerability pattern allows attackers to hijack continuous integration and continuous deployment (CI/CD) pipelines, effectively taking control of the build process. The team found that hundreds of repositories—over 300—belonging to prominent organizations like Microsoft, Google, and the Apache Software Foundation are currently exposed to this supply-chain attack vector.
Consequences
If exploited, Cordyceps enables an attacker to inject malicious code directly into software builds, bypassing traditional security reviews and code-signing checks. The real-world impact is a full-scale supply-chain compromise: downstream users of the affected open-source libraries or applications could unknowingly install backdoored versions, leading to lateral movement, data exfiltration, or ransomware deployment in enterprise and consumer environments. Given the attack surface touches foundational infrastructure components, a single successful exploit could cascade into a major software ecosystem breach.