Cordyceps CI/CD Flaw Exposes Google AI Agent Kit, Microsoft, Apache Repos

AI relevance: Google's AI Agent Development Kit (adk-samples) was among the confirmed vulnerable repositories, where a single malicious PR could grant full GCP owner permissions — directly threatening AI agent supply chains.

  • Systemic flaw, not a single bug: "Cordyceps" is a class of CI/CD workflow composition vulnerabilities in GitHub Actions YAML files, not a specific CVE in one tool. The pattern enables command injection, artifact poisoning, and cross-workflow privilege escalation through multi-step exploit chains.
  • Anonymous exploitation: Attackers need only a free GitHub account — no organization privileges required. A malicious PR comment or branch name can trigger code execution in low-privilege workflows that then escalate to high-privilege credential theft.
  • Scale of exposure: Novee security researchers scanned ~30,000 high-impact repositories and flagged 654 instances, with 300+ fully exploitable chains validated end-to-end. The pattern potentially affects millions of repositories using similar workflow compositions.
  • Google AI Agent Development Kit hit: The adk-samples repository contained a path where a single pull request could authenticate to the associated Google Cloud project with roles/owner permissions — complete control over the GCP environment where AI agents would be deployed and tested.
  • Microsoft Azure Sentinel compromised: A PR comment could execute attacker code and steal a non-expiring GitHub App key, granting persistent write access to security content deployed via Azure Marketplace into customer Sentinel workspaces — directly impacting security monitoring for organizations running AI-driven detection.
  • Apache Doris, Cloudflare Workers SDK, Python Black affected: Apache's analytics database yielded two zero-click attack paths for CI credential exfiltration. Cloudflare's Wrangler CLI allowed PR branch names to trigger arbitrary commands on runners. Python Software Foundation's Black (130M+ downloads/month) showed how a malicious PR could steal automation tokens and approve PRs as the project bot, enabling tainted releases.
  • AI coding agents amplify the risk: Researchers note that AI coding agents generate CI/CD configurations rapidly, propagating insecure structural patterns across projects. The result is an "agentic infection model" where small, repeated mistakes become exponential risk across the open-source ecosystem.
  • Traditional scanners miss it: Static and dynamic application security testing tools operate at single-file or single-process granularity. They validate YAML syntax and flag obvious misconfigurations but cannot reason about cross-workflow data flows or validate whether untrusted input can traverse multiple workflows to reach high-privilege credentials.

Why It Matters

CI/CD pipelines are the trust boundary between code and production. When those pipelines hold cloud credentials, package registry tokens, and deployment keys — as they do for AI agent frameworks, model serving infrastructure, and LLM-powered applications — a compromise becomes a full supply-chain takeover. The Cordyceps pattern demonstrates that workflows are often treated as "configuration" rather than code, escaping the security scrutiny applied to application logic. For AI infrastructure teams, this means the pipelines building your agent tooling, model serving containers, and RAG pipeline deployments may be one anonymous PR away from credential theft and artifact poisoning.

What to Do

  • Treat workflows as code: Apply the same security review, version control, and testing rigor to .github/workflows/*.yml files as you do to application code. Enforce least-privilege for all tokens and secrets.
  • Isolate untrusted inputs: Ensure workflows triggered by PRs, PR comments, or branch names cannot access high-privilege credentials or write to protected artifacts. Use pull_request_target with extreme caution and explicit approval gates.
  • Sanitize all user-controlled data: Never interpolate ${{ github.event.* }} fields directly into shell commands or script inputs. Validate and sanitize before use.
  • Audit cross-workflow flows: Map data flows between workflows. Verify that outputs from low-privilege triggers cannot reach high-privilege credential access or deployment steps.
  • Review Novee's disclosures: Check whether your repositories are among the 654 flagged instances. Apply vendor-confirmed fixes from Microsoft, Google, Apache, Cloudflare, and Python Software Foundation.
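The steps above (keep `${{ github.event.* }}` out of shell lines, gate pull_request_target, and reason about the file as a whole rather than checking its syntax) as an added Python example that is not from the article or from Novee: a small line-oriented audit of workflow text that embeds a constructed weak workflow beside its hardened counterpart and reports where untrusted event fields reach a `run:` script or where a pull_request_target job checks out the PR head. The field list, the regexes and both sample workflows are assumptions for illustration, not Novee's detection logic.

```python
"""Heuristic audit of GitHub Actions workflow text for two Cordyceps-style
weaknesses: untrusted event fields expanded with ${{ }} inside a `run:` script
(the runner substitutes them before the shell parses the line), and a
pull_request_target workflow that checks out the PR head. Not a full YAML parser."""
import re
# Expression paths an anonymous contributor controls. Assumption: a representative
# prefix list, not the complete set of event fields GitHub exposes.
UNTRUSTED_PREFIXES = (
    "github.event.issue.title", "github.event.issue.body",
    "github.event.comment.body", "github.event.pull_request.title",
    "github.event.pull_request.head.ref", "github.head_ref",
)
EXPR_RE = re.compile(r"\$\{\{\s*([A-Za-z0-9_.\-]+)\s*\}\}")
RUN_KEY_RE = re.compile(r"^(\s*)(-\s+)?run:\s*(.*?)\s*$")
PRT_RE = re.compile(r"^\s*(-\s*)?pull_request_target\b|^on:.*\bpull_request_target\b", re.M)
HEAD_REF_RE = re.compile(
    r"^\s*ref:\s*\$\{\{\s*github\.(event\.pull_request\.head\.(sha|ref)|head_ref)\s*\}\}", re.M)


def run_script_lines(text):
    """Yield (line_no, line) for every line of a `run:` value (inline or block scalar)."""
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        m = RUN_KEY_RE.match(lines[i])
        if not m:
            i += 1
            continue
        key_indent = len(m.group(1)) + len(m.group(2) or "")
        inline = m.group(3)
        i += 1                      # i is now the 1-based number of the run: line
        if inline and inline[0] not in "|>":
            yield i, inline
            continue
        while i < len(lines):       # block scalar: lines indented past the key
            line = lines[i]
            if line.strip() and len(line) - len(line.lstrip()) <= key_indent:
                break
            yield i + 1, line
            i += 1


def audit_workflow(text):
    """Return (line, kind, detail) findings for one workflow file, sorted by line."""
    findings = []
    for line_no, script in run_script_lines(text):
        for path in EXPR_RE.findall(script):
            if path.startswith(UNTRUSTED_PREFIXES):
                findings.append((line_no, "injection",
                                 f"${{{{ {path} }}}} expanded inside a run: script"))
    if PRT_RE.search(text):
        m = HEAD_REF_RE.search(text)
        if m:
            findings.append((text.count("\n", 0, m.start()) + 1, "untrusted-checkout",
                             "pull_request_target job checks out the PR head"))
    return sorted(findings)


# Constructed sample, the weak pattern: a write-all pull_request_target job checks
# out the PR head and splices comment body, PR title and branch name into shell lines.
VULNERABLE_WORKFLOW = """\
on:
  issue_comment:
  pull_request_target:
permissions: write-all
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: |
          echo "Comment was: ${{ github.event.comment.body }}"
          ./scripts/label.sh "${{ github.event.pull_request.title }}"
      - run: echo "branch ${{ github.head_ref }}"
"""

# Constructed sample, the hardened form: untrusted values reach the script only as
# quoted environment variables, the job is read-only, and no PR head is checked out.
HARDENED_WORKFLOW = """\
on:
  issue_comment:
permissions: read-all
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - env:
          COMMENT: ${{ github.event.comment.body }}
          TITLE: ${{ github.event.issue.title }}
        run: |
          echo "Comment was: $COMMENT"
          ./scripts/label.sh "$TITLE"
"""

if __name__ == "__main__":
    for line, kind, detail in audit_workflow(VULNERABLE_WORKFLOW):
        print(f"line {line:>2} [{kind}] {detail}")
```

Run as a script it lists the four weak spots in the constructed workflow and nothing for the hardened one, where the same fields arrive through `env:` and the shell treats `"$COMMENT"` as data rather than re-parsing it. The audit is deliberately single-file: it catches the injection and untrusted-checkout primitives that start a Cordyceps chain, but following an artifact or output from a low-privilege workflow into a high-privilege one still needs the cross-workflow mapping described in the audit step above.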

Sources