The Build Pipeline Is the New Attack Surface
Supply chain attacks have followed a clear escalation path. First, compromised packages — typosquats, account takeovers, malicious dependencies. Then, compromised vendors — ShapedPlugin-style pipeline infiltrations. Now, Cordyceps reveals the next level: the CI/CD infrastructure itself is exploitable at scale, across the repositories that build the most critical tools in the ecosystem.
Novee Security scanned 30,000 high-impact GitHub repositories and found over 300 fully exploitable CI/CD configurations. Not theoretical weaknesses. Fully exploitable — meaning any unauthenticated user with a free GitHub account could forge approvals, push arbitrary code, or steal repository credentials. The affected repositories include Microsoft Azure Sentinel, Google's AI Agent Development Kit, Apache Doris, Cloudflare Workers SDK, and Python's Black formatter.
How the Attack Works
The vulnerability class is known as "pwn requests" — a pattern where GitHub Actions workflows process untrusted pull request data with elevated privileges. An attacker opens a pull request with a crafted title, body, or branch name. The workflow parses this input without sanitization and executes it as code. Because these workflows run with repository write permissions and access to secrets, the attacker gains the ability to push commits, modify releases, and exfiltrate credentials — all without any human approving the pull request.
GitHub responded on June 18 by updating the default behavior of actions/checkout to block the most common pwn request patterns. But the fix only applies to new repositories or repositories that update their checkout action. The 300+ exploitable repositories identified by Novee Security represent configurations that predate the fix — and many belong to organizations with hundreds of downstream consumers.
Why This Is Worse Than Package-Level Attacks
WebPulse tracks 471 supply chain artifacts across the web framework ecosystem. Package-level attacks like Shai-Hulud (57 npm packages) and Miasma (32 @redhat-cloud-services packages) are serious but scoped — they compromise individual packages. Cordyceps operates one level deeper. A compromised CI/CD pipeline can inject malicious code into any package built by that pipeline. Azure Sentinel's CI/CD builds security tooling used by enterprises worldwide. Google's AI Agent Development Kit builds the infrastructure for agentic AI applications. Cloudflare Workers SDK builds the edge compute platform that serves millions of sites.
The blast radius is multiplicative. One compromised pipeline does not equal one compromised package. It equals every package, release, and artifact that pipeline has ever built or will build until the configuration is fixed.
What This Means for Framework Security
Every modern web framework is distributed through pipelines that could harbor Cordyceps-class vulnerabilities. npm packages are built by GitHub Actions. PyPI packages are built by GitHub Actions. Docker images, Helm charts, Terraform modules — all built by CI/CD pipelines with varying levels of configuration security. WebPulse's security scoring evaluates the vulnerability surface of frameworks themselves. Cordyceps demonstrates that the vulnerability surface extends to the infrastructure that builds and distributes those frameworks.
For CISOs evaluating supply chain risk: package integrity verification (SLSA provenance, Sigstore signatures) is necessary but not sufficient. If the CI/CD pipeline that generates the provenance attestation is itself compromised, the attestation is meaningless. Cordyceps is the proof. The question is no longer whether your dependencies are signed. It is whether the build system that signed them can be trusted.
