Back to Intelligence

Cordyceps CI/CD Flaws: Detecting GitHub Workflow Hijacking and Supply-Chain Attacks

SA
Security Arsenal Team
June 25, 2026
5 min read

Security Arsenal is tracking a critical class of vulnerabilities codenamed "Cordyceps," recently disclosed by Novee Security. This discovery exposes a fundamental weakness in CI/CD workflow configurations that has already left over 300 GitHub repositories vulnerable to supply-chain compromise.

The issue is not isolated to minor projects; researchers have confirmed that repositories at Microsoft, Google, and Apache are susceptible. The "Cordyceps" weakness allows attackers to hijack CI/CD workflows effectively, granting them full control over the repository and the ability to inject malicious artifacts into the software supply chain. For defenders, this represents a high-severity event requiring immediate auditing of automation pipelines.

Technical Analysis

Affected Platform: GitHub (GitHub Actions and associated workflow engines)

Vulnerability Class: Supply-Chain Compromise / CI/CD Misconfiguration

The Mechanism: While the specific CVE is still being categorized by NIST, the "Cordyceps" pattern describes a condition where workflow triggers are overly permissive, allowing untrusted actors—such as forks or external contributors—to trigger build pipelines with elevated privileges.

Typically, this attack vector exploits a misconfiguration where a pull_request trigger is granted a GITHUB_TOKEN with write permissions. In a Cordyceps scenario, an attacker can submit a malicious pull request that triggers the workflow. Because the workflow runs with write access, the attacker can manipulate the repository, exfiltrate secrets, or poison the build artifacts, effectively hijacking the supply chain.

Impact:

  • Full Repository Control: Attackers can push commits, modify release tags, and alter code.
  • Artifact Poisoning: Malicious code can be compiled and signed as legitimate software.
  • Secret Exfiltration: CI/CD secrets (API keys, signing certs) are exposed to the hostile runner environment.

Exploitation Status: Proof-of-concept (PoC) code has been demonstrated by Novee Security, and initial scans indicate widespread exposure across the top organizations globally.

Detection & Response

Detecting "Cordyceps" requires monitoring for anomalous behavior within your CI/CD runners and identifying unauthorized modifications to workflow definitions. Below are detection mechanisms tailored for GitHub Actions environments.

SIGMA Rules

The following Sigma rules identify suspicious modifications to GitHub workflow files and anomalous command execution often associated with workflow hijacking.

YAML
---
title: Cordyceps - Suspicious Git Workflow Modification
id: 8a4b2c10-7d9e-4f1a-9b3c-2d5e6f8a9b1c
status: experimental
description: Detects modification of GitHub Actions workflow files via Git, a potential indicator of supply chain tampering.
references:
 - https://novee.security/research/cordyceps
author: Security Arsenal
date: 2026/06/18
tags:
 - attack.t1195.002
 - attack.supply_chain
logsource:
 category: process_creation
 product: linux
detection:
 selection:
   Image|endswith: '/git'
   CommandLine|contains: 
    - '.github/workflows'
 condition: selection
falsepositives:
 - Legitimate repository maintenance by developers
level: high
---
title: Cordyceps - Anomalous CI Runner Script Execution
id: 9c5d3e20-8e0f-5g2a-0c4d-3e6f7g0a1b2d
status: experimental
description: Detects execution of shell or python scripts by generic CI runner users or services in unusual directories.
references:
 - https://novee.security/research/cordyceps
author: Security Arsenal
date: 2026/06/18
tags:
 - attack.execution
 - attack.t1059
logsource:
 category: process_creation
 product: linux
detection:
 selection:
   Image|endswith:
    - '/bash'
    - '/python'
    - '/node'
   User|contains:
    - 'runner'
    - 'ci'
   CommandLine|contains:
    - 'git checkout'
    - 'git config'
 condition: selection
falsepositives:
 - Authorized CI/CD pipeline tasks
level: medium

KQL (Microsoft Sentinel)

Use this KQL query to hunt for suspicious Git activity targeting workflow definitions or unauthorized access attempts within your pipeline logs.

KQL — Microsoft Sentinel / Defender
// Hunt for Cordyceps - Workflow Hijacking Indicators
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName has "git" 
| where ProcessCommandLine has ".github/workflows" 
   or ProcessCommandLine has "pull_request"
   or ProcessCommandLine has "git push --force"
| extend AccountName = InitiatingProcessAccountName, DeviceName = DeviceName
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessAccountSid
| sort by Timestamp desc

Velociraptor VQL

This artifact hunts for recent changes to GitHub workflow YAML files on endpoints where code is checked out or runners execute.

VQL — Velociraptor
-- Hunt for Cordyceps - Modified Workflow Files
SELECT FullPath, Mtime, Size, Mode
FROM glob(globs="/.github/workflows/*.yml")
WHERE Mtime > now() - 7d
   OR Mode.IsRegular == false

Remediation Script (Bash)

This Bash script audits your local repository clones for the "Cordyceps" pattern—specifically looking for workflows that grant write permissions on pull_request events.

Bash / Shell
#!/bin/bash

# Cordyceps Audit Script
# Checks for dangerous permissions in GitHub Workflow files

echo "Auditing local repositories for Cordyceps vulnerability..."

# Find all .yml workflow files
find . -path "./.github/workflows/*.yml" -o -path "./.github/workflows/*.yaml" | while read -r file; do
    echo "Scanning: $file"
    
    # Check for 'pull_request' trigger with 'write' permission
    if grep -q "on:.*pull_request" "$file" && grep -q "permissions:.*write" "$file"; then
        echo "[VULNERABLE] Potential Cordyceps pattern found in $file"
        echo " -> Issue: 'pull_request' trigger combined with 'write' permissions."
    fi
    
    # Check for GITHUB_TOKEN write permissions explicitly in jobs
    if grep -A 5 "permissions:" "$file" | grep -q "contents: write" && grep -q "pull_request" "$file"; then
        echo "[WARNING] Write permissions detected on pull_request workflow in $file"
    fi
done

echo "Audit complete."

Remediation

To mitigate the risk of "Cordyceps" and secure your CI/CD supply chain, Security Arsenal recommends the following immediate actions:

  1. Audit Workflow Permissions: Immediate review of all .github/workflows/*.yml files. Ensure that workflows triggered by pull_request events do not have write permissions to the repository.
  2. Implement Principle of Least Privilege: Configure permissions at the workflow level to read-only for pull_request triggers. Only grant write permissions to specific events like release or push to the main branch from trusted sources.
  3. Pin Actions to SHAs: Avoid using version tags (e.g., uses: actions/checkout@v3) for third-party actions. Pin to full commit SHAs (e.g., uses: actions/checkout@a81bbbf8298c0fa03ea29cdc473d45769f953675) to prevent supply chain compromise via action updates.
  4. Require Approval for Forks: Configure repository settings to require manual approval for workflows running on pull requests from outside collaborators.
  5. Branch Protection Rules: Enforce strict branch protection rules on main branches requiring status checks and code owner review before merging.

Related Resources

Security Arsenal Red Team Services AlertMonitor Platform Book a SOC Assessment pen-testing Intel Hub

penetration-testingred-teamoffensive-securityexploitvulnerability-researchsupply-chaincicdgithub

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action