
Cordyceps: The GitHub Actions Flaw That Gives Any Stranger Full Control of Microsoft, Google, and Apache Repos

  • Writer: Patrick Duggan

The fungus Ophiocordyceps unilateralis infects carpenter ants, hijacks their nervous system, and drives them to the precise location and height needed for spore dispersal. Then it kills them.


Novee Security named this CI/CD vulnerability class Cordyceps. The analogy is accurate.



The Attack


An attacker submits a pull request to a target repository. The repository has a GitHub Actions workflow configured with pull_request_target — a trigger that runs with write permissions and access to repository secrets, even when the pull request comes from a fork. The workflow checks out the pull request's code without isolating it.


That pull request's code now runs in a context with secrets. The workflow produces an output. That output flows into a second, higher-privilege workflow — one that uses it to authenticate to a cloud environment. The attacker's code is now running with the highest available permissions in the target's cloud infrastructure.


Every step appears normal in isolation. The pull_request_target trigger is legitimate. The credential fetch is legitimate. The cloud authentication is legitimate. The combination is a complete privilege escalation path from a free GitHub account to full control of a target's CI/CD infrastructure.



The Scope


Novee scanned approximately 30,000 high-impact repositories and found more than 300 fully exploitable. The confirmed affected organizations include Microsoft, Google, Apache, and Cloudflare.


The specific Microsoft example: Azure Sentinel has a workflow where a comment on a pull request can trigger attacker-controlled code execution on Microsoft's CI pipeline, with access to a non-expiring GitHub App key. The path from commenting on a public Microsoft repo to stealing a persistent credential is documented and reproducible.



The AI Force-Multiplier


Cordyceps is not a new vulnerability class. The pull_request_target risk has been documented in GitHub's own security guidance. The reason it is spreading is that AI coding tools — the assistants developers use to generate CI/CD configuration files — reproduce the same insecure pattern repeatedly. An AI tool that was trained on existing GitHub workflows will have seen many examples of pull_request_target with actions/checkout. It will reproduce them because they appear in the training data as normal patterns.


As developer teams rely more heavily on AI-generated CI/CD configurations, the same misconfiguration gets deployed across thousands of new repositories without any individual developer understanding why the pattern is dangerous. This is supply chain risk at the configuration layer, propagated by automation.



Detection and Defense


  1. pull_request_target trigger (not pull_request)

  2. actions/checkout of the PR head SHA without isolation

  3. The checked-out code has access to secrets or high-privilege tokens

The defensive fix is straightforward: never check out untrusted PR code in a pull_request_target workflow. If your workflow uses pull_request_target and calls actions/checkout, audit it now. If the ref being checked out is ${{ github.event.pull_request.head.sha }} or equivalent, the workflow is exploitable.


GitHub provides GITHUB_TOKEN permission scoping and workflow-level permissions blocks that can limit the blast radius. Setting permissions: read-all at the workflow level prevents the GITHUB_TOKEN from performing write operations. Restricting which workflows can access secrets reduces the escalation path.
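
An added example, not code from this post or from Novee: a line-based Python audit for the conditions listed above, which also flags a missing workflow-level permissions block. It treats condition 3 as met whenever the trigger is pull_request_target, since such runs get secrets by default; the ref patterns beyond head.sha, the function name and both sample workflows are assumptions constructed for illustration.

```python
import re

# Fork-controlled refs: head.sha is from the page, the rest are assumed equivalents.
UNTRUSTED_REF = re.compile(
    r"github\.event\.pull_request\.head\.(sha|ref)|github\.head_ref|refs/pull/")

def audit_workflow(text):
    """Return findings for one workflow file (line heuristic, not a YAML parser)."""
    lines = [re.sub(r"(^|\s)#.*$", "", l) for l in text.splitlines()]
    if not any(re.search(r"\bpull_request_target\b", l) for l in lines):
        return []  # condition 1 not met
    findings = []
    if not any(re.match(r"permissions:", l) for l in lines):
        findings.append("no workflow-level permissions block")
    steps = []  # workflow steps are YAML list items, so group lines per "- " item
    for n, line in enumerate(lines, 1):
        if re.match(r"\s*-\s", line):
            steps.append([])
        if steps:
            steps[-1].append((n, line))
    for step in steps:
        if any(re.search(r"\buses:\s*actions/checkout@", l) for _, l in step):
            findings += [f"line {n}: checkout of PR head ref" for n, l in step
                         if re.match(r"\s*ref:", l) and UNTRUSTED_REF.search(l)]
    return findings

# Constructed sample workflows, not taken from any real repository.
VULNERABLE = """\
on: pull_request_target
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: make test
"""
SAFER = """\
on: pull_request_target
permissions: read-all
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4  # no ref: checks out the base branch
"""

if __name__ == "__main__":
    print(audit_workflow(VULNERABLE), audit_workflow(SAFER))
```

Because it matches text rather than parsing YAML, treat a clean result as a prompt for manual review of any pull_request_target workflow, not as proof of safety.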



Our Response


  • Repos publishing Cordyceps PoC exploit code or tooling

  • Workflow files with the specific pull_request_target + write-permission + PR-head-checkout combination

  • workflow_run chains that feed untrusted input to high-privilege contexts

The patterns are live in the daily 08:15 UTC sweep. Any new repository matching the Cordyceps attack signatures will be indexed in our IOC corpus and flow into the STIX feed within 24 hours of publication.






