A widespread CI/CD supply‑chain attack pattern, dubbed Cordyceps, left hundreds of open source projects dangerously exposed in June 2026. Novee Security’s automated scan of roughly 30,000 popular repositories revealed that a significant number inadvertently trusted malicious actors, granting them the ability to inject code into build pipelines and distribute compromised releases. The name, drawn from the parasitic fungus that hijacks insect behavior, reflects how attackers manipulate legitimate automation workflows to stealthily spread malware through trusted software channels.

The research sheds light on a persistent blind spot in modern development practices: the dangerous assumptions developers make about the security of CI/CD platforms like GitHub Actions. Workflows, often configured with broad permissions and without proper validation of external actions, become entry points for adversaries who need no direct access to the source repository. Once inside the pipeline, malicious code can infect binaries, steal secrets, or pivot into downstream supply chains with devastating efficiency.

The Discovery

Novee Security’s analysis, conducted in the first week of June 2026, targeted the top 30,000 repositories by star count across GitHub. The team focused on misconfigurations in GitHub Actions workflows that would allow external, unprivileged users to execute arbitrary commands in the context of a project’s CI/CD environment. The scan flagged over 700 repositories where a simple pull request from an anonymous contributor could trigger a pipeline with elevated rights, effectively handing over the keys to the software supply chain.

“The results were alarming,” said Elena Voss, lead researcher at Novee. “We weren’t looking for exotic zero‑days. These are fundamental trust mistakes—like using pull_request_target without proper conditionals, or referencing community actions without pinning their commit hash. In many cases, a single overlooked setting turned a routine PR into a remote code execution vector.”

The firm disclosed its findings privately to repository maintainers before going public, but the sheer scale highlights a systemic failure to apply least‑privilege principles to automation. Cordyceps is not a single vulnerability but an entire class of attack that preys on the implicit trust developers place in CI/CD infrastructure.

What is Cordyceps?

The Cordyceps attack pattern exploits the interplay between GitHub’s event triggers and the execution environment of GitHub Actions. At its core, it leverages scenarios where an untrusted actor—someone who has not been granted write access to a repository—can modify files that are subsequently consumed by a privileged workflow run. The name captures the parasitic nature of the technique: an innocuous‑looking contribution, like a typo fix or a new test case, secretly seeds malicious instructions that later blossom during automated builds.

The threat model covers several concrete misconfigurations. One common vector is the use of the pull_request_target event without validating the actor’s permissions. This event executes the workflow from the base branch’s configuration, which often carries sensitive secrets and write access, yet it can be triggered by pull requests from forked repositories. Another variant involves referencing third‑party actions by tag or branch name instead of a full commit SHA, allowing an attacker who takes over the action’s repository to silently swap the code after the workflow has been approved.

Even workflows that appear safe can betray their creators. A build script that checks out the pull request code and runs tests, for instance, may inadvertently execute attacker‑controlled package.json scripts or Makefile targets if not carefully sandboxed. Cordyceps formalizes these paths, giving defenders a taxonomy of trust boundaries that must be explicitly guarded.

How the Attack Works

To understand Cordyceps, consider a typical open‑source project that uses GitHub Actions to run unit tests on every pull request. The maintainers might set up a workflow like the one below, simplified for illustration:

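name: CI
on:
  # Runs in the base repository's context, even for pull requests from forks
  pull_request_target:
    types: [opened, synchronize]

jobs:
  test:
    runs-on: windows-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # Checks out the pull request's head commit, i.e. contributor-controlled code
          ref: ${{ github.event.pull_request.head.sha }}
      - name: Run tests
        # Executes whatever the checked-out package.json defines as "test"
        run: npm test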

At first glance, this seems reasonable: it checks out the PR code and executes the test suite. But because pull_request_target runs with the full privileges of the target repository, any attacker who submits a pull request can modify the code that npm test executes—not just the source files, but also build scripts, configuration files, or even the node_modules directory if a post‑install hook is present. With careful crafting, the test run can exfiltrate secrets, overwrite releases, or inject a backdoor into the final artifact.

Novee’s scan automated the detection of such patterns. It looked for workflows that (1) use pull_request_target or workflow_run events, (2) check out untrusted head references, (3) execute build or test commands, and (4) have access to secrets or write permissions. Repositories that combined all four factors were flagged as critically exposed.
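The four-factor check described above, sketched as an added example (not Novee's scanner and not code from the original page): a line-based heuristic in Python. The function and constant names, the build-tool list, and the treatment of a missing permissions: block as writable (following this page's description of the default token) are assumptions.

```python
import re
# Constructed sample: compact copy of the simplified workflow shown on this page.
VULNERABLE = """\
on:
  pull_request_target:
jobs:
  test:
    runs-on: windows-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - name: Run tests
        run: npm test
"""
# Constructed counter-example: unprivileged trigger plus a read-only token.
SAFER = ("permissions:\n  contents: read\n"
         + VULNERABLE.replace("pull_request_target", "pull_request"))
TRIGGER = r"^([ \t]+(-[ \t]+)?|on:.*\b)(pull_request_target|workflow_run)\b"
HEAD_REF = (r"ref:.*github\.(event\.pull_request\.head\.(sha|ref)|head_ref"
            r"|event\.workflow_run\.head_(sha|branch))")
BUILD_TOOLS = r"\b(npm|yarn|pnpm|make|pip|cargo|dotnet|msbuild|pytest)\b"
PRIVILEGE = r"\bsecrets\.\w+|:\s*write(-all)?\s*$"

def run_bodies(lines):
    """Yield the shell text of each `run:` step, including `run: |` blocks."""
    for i, line in enumerate(lines):
        m = re.match(r"^(\s*)(?:-\s+)?run:(.*)$", line)
        if m:
            body = [m.group(2)]
            for nxt in lines[i + 1:]:
                if nxt.strip() and len(nxt) - len(nxt.lstrip()) <= len(m.group(1)):
                    break
                body.append(nxt)
            yield "\n".join(body)

def cordyceps_factors(workflow):
    """Line-based heuristic for the four factors (no YAML parser, so approximate)."""
    lines = [l for l in workflow.splitlines() if not l.lstrip().startswith("#")]
    text = "\n".join(lines)
    # Assumption from the page: no permissions: block means a writable default token.
    no_scope = not re.search(r"^\s*permissions:", text, re.M)
    factors = {
        "privileged_trigger": bool(re.search(TRIGGER, text, re.M)),
        "untrusted_checkout": bool(re.search(HEAD_REF, text)),
        "runs_build": any(re.search(BUILD_TOOLS, b) for b in run_bodies(lines)),
        "secrets_or_write": bool(re.search(PRIVILEGE, text, re.M)) or no_scope,
    }
    return {**factors, "critical": all(factors.values())}
```

Only a workflow that combines all four factors is reported as critical; SAFER still checks out and builds the pull request head, but does so without the privileged trigger or a writable token.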

The attack does not require the victim to merge the malicious PR. The mere existence of a pull request triggers the workflow, giving the attacker a one‑shot opportunity to run code. In some cases, the workflow might even have access to deployment credentials, enabling a direct compromise of the project’s published packages or containers.

The Anatomy of a Workflow Trust Mistake

Trust mistakes in CI/CD pipelines typically arise from a misunderstanding of GitHub’s security model. The platform separates the “repository” trust domain (maintainers with push access) from the “contributor” domain (anyone who can open an issue or PR). The danger emerges when workflows fail to enforce that boundary.

Unvalidated triggers are the most common culprit. The pull_request_target event is designed to let maintainers safely run workflows that need secrets—like labeling PRs or posting comments—but many developers use it as a drop‑in replacement for pull_request just to get access to environment variables. The distinction is critical: pull_request runs in the contributor’s context and has no access to repository secrets, while pull_request_target runs in the repository’s context with full privileges.

Unpinned actions are another frequent enabler. Specifying uses: some-action@v1 leaves the workflow exposed if the action’s maintainer account is compromised or the repository is deleted and re‑registered by an imposter. GitHub’s own security guidelines recommend pinning actions to a full commit SHA, but a 2025 survey by the OpenSSF found that fewer than 12% of workflows follow this practice.

Workflow permissions are often overly permissive. The default GITHUB_TOKEN in GitHub Actions has write access to the repository, meaning any code that runs during a workflow can modify repository contents, tags, and releases. Unless explicitly scoped down, a compromised test step can push malicious commits or alter existing releases without leaving obvious traces.

Implicit trust in build tools creates subtler vulnerabilities. Many ecosystems—Node.js, Python, Rust, .NET—execute user‑controlled scripts during the build process. A pull request that adds a preinstall script to package.json or a malicious build.rs in a Cargo project will run those scripts with the workflow’s privileges if the CI system invokes standard package manager commands.

Cordyceps chains these weaknesses together. An attacker starts with a seemingly benign contribution, abuses an unpinned action or a pull_request_target trigger, leverages overly broad token permissions, and then uses built‑in build‑tool scripting to persist or pivot. The entire exploit lives purely in the CI/CD configuration, requiring no vulnerability in the application code itself.

Affected Projects and Scope

Novee’s scan covered 30,000 repositories, and while the firm has not published the full list, it confirmed that hundreds of projects across multiple language ecosystems met the criteria for critical exposure. Affected repositories included widely‑used libraries in the Python, JavaScript, Go, and .NET worlds, as well as developer tools that form the backbone of modern CI/CD pipelines.

The blast radius extends beyond the immediate repositories. A compromised library can infect every downstream project that depends on it, turning a single workflow misconfiguration into a mega‑scale supply‑chain incident. In the worst case, attackers could poison popular npm packages, PyPI distributions, or NuGet feeds, reaching millions of end‑user systems, including Windows desktops and servers.

The June 2026 discovery window corresponds to a period when many projects were preparing summer releases and feature updates, amplifying the potential damage. Novee urged maintainers to audit their workflows immediately, and GitHub quietly launched an in‑product advisory to flag repositories using pull_request_target without explicit guards of the form if: github.actor == 'repository_owner'.

Implications for the Windows Ecosystem

While Cordyceps applies to any platform using GitHub Actions, the Windows ecosystem faces distinct risks. Many open‑source projects that are critical to Windows development—PowerShell modules, .NET libraries, Windows‑specific containers, and toolchains like Chocolatey or WinGet packages—rely on GitHub Actions for CI/CD. A compromised workflow in a popular PowerShell gallery module could deliver malicious scripts that run with high privileges on thousands of administrators’ consoles.

Microsoft’s own repositories, including those under the Microsoft, PowerShell, and dotnet organizations, are frequent targets of supply‑chain probes. Although the company maintains dedicated security teams and internal scanners, the Novee report serves as a reminder that even well‑funded projects can slip up. In 2025, a misconfigured action in a Microsoft‑managed container repository briefly allowed external contributors to push unsigned images—a mistake that was quickly caught but underscored the pervasive nature of these risks.

For Windows enterprise customers, the Cordyceps pattern reinforces the need to verify the provenance of every third‑party component, even those that come from trusted sources. Software composition analysis (SCA) tools and SBOMs (Software Bill of Materials) are only part of the solution; organizations must also assess the CI/CD integrity of their dependencies. A binary signed by a reputable publisher might still contain malicious code if the build was compromised.

Mitigating the Threat

Defending against Cordyceps requires a shift in mindset: workflows must be treated with the same security rigor as application code. The following practices can drastically reduce exposure:

  • Audit all workflow triggers. Replace pull_request_target with pull_request wherever possible. If pull_request_target is absolutely necessary, add conditional guards that check the actor’s permissions and restrict which files can be modified.
  • Pin actions by commit SHA. Use uses: actions/checkout@<commit> instead of @v4. Tools like StepSecurity’s Harden‑Runner can automate this and alert on unpinned dependencies.
  • Reduce token permissions. Set permissions: read-all at the workflow level and grant write access only to specific jobs that need it. For public repositories, the default GITHUB_TOKEN can often be restricted further.
  • Sandbox build steps. Run test suites and build commands in a container or a VM that has no access to secrets or network egress. Use GitHub’s OIDC integration to avoid baking long‑lived credentials into the pipeline.
  • Treat PR code as untrusted. Never directly execute scripts from a pull request without a thorough review. If the project accepts contributions from unknown parties, implement a gated workflow that runs untrusted code in a temporary, isolated environment without secret access.
  • Monitor CI/CD behavior. Use runtime security tools that detect anomalous workflow executions, such as unexpected network calls or attempts to access encrypted secrets. Dependabot and CodeQL can be configured to scan workflow files for known anti‑patterns.
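For the pinning advice in the list above and in the earlier paragraph on unpinned actions, an added example (not from the original page or from any tool it names) that lists every uses: reference not pinned to a full commit SHA or an image digest. The function name, the action names and the 40-hex value in the sample are constructed placeholders.

```python
import re

USES = re.compile(r"^\s*(?:-\s+)?uses:\s*['\"]?([^'\"\s#]+)")

# Constructed sample; the 40-hex value is a placeholder, not a real commit.
SAMPLE = """\
steps:
  - uses: actions/checkout@v4
  - uses: example-org/example-action@main
  - uses: example-org/pinned-action@0123456789abcdef0123456789abcdef01234567 # v2.1.0
  - uses: example-org/short-sha@0123456
  - uses: ./.github/actions/local-build
  - uses: docker://alpine:3.20
"""

def unpinned_actions(workflow):
    """Return (line_number, reference, reason) for each mutable `uses:` reference."""
    findings = []
    for number, line in enumerate(workflow.splitlines(), 1):
        match = USES.match(line)
        if not match:
            continue
        ref = match.group(1)
        if ref.startswith("./"):
            continue  # local action: versioned together with the workflow itself
        if ref.startswith("docker://"):
            if not re.search(r"@sha256:[0-9a-f]{64}$", ref):
                findings.append((number, ref, "image not pinned by digest"))
            continue
        # Covers actions and reusable workflows (owner/repo/path@ref).
        version = ref.partition("@")[2]
        if not re.fullmatch(r"[0-9a-fA-F]{40}", version):
            findings.append((number, ref, "not pinned to a full commit SHA"))
    return findings

if __name__ == "__main__":
    for number, ref, reason in unpinned_actions(SAMPLE):
        print(f"line {number}: {ref}: {reason}")
```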

Novee Security has released an open‑source scanner called “Cordyceps‑Detect” that automates the identification of these misconfigurations. The tool integrates with GitHub’s API to evaluate repositories against the Cordyceps taxonomy and generate actionable reports. Early adopters report that fixing flagged issues takes, on average, less than an hour per repository.

A Call for Better CI/CD Hygiene

The Cordyceps research confirms what many security practitioners have long feared: the automation that accelerates development also multiplies the attack surface. As the industry moves toward “everything as code,” the definition of a software vulnerability expands beyond buffer overflows and SQL injection to include misconfigured YAML files and misplaced trust in community‑maintained actions.

GitHub has announced plans to release stricter default permissions for GITHUB_TOKEN later in 2026 and is exploring a “pull request sandbox” mode that would eliminate the pull_request_target trap entirely. Until those protections land, however, the burden falls on individual maintainers to write secure workflows.

The Cordyceps episode also raises broader questions about the sustainability of the open‑source model. Many maintainers are volunteers juggling day jobs; expecting them to become CI/CD security experts is unrealistic. The community may need to invest in shared infrastructure—curated workflow libraries, centrally audited actions, and automated security scanners that run on every commit—to close the gap.

For Windows users and developers, the takeaway is urgent but actionable: inspect the pipelines that feed your software supply chain. A few lines of defensive YAML can prevent a catastrophic compromise. In an environment where one careless workflow can ripple out to millions of machines, that attention to detail is not just good practice—it is essential hygiene.