◈ AI Security Intelligence ← Daily feed
Vulnerability  ·  2026-06-25

Cordyceps — CI/CD Workflow Vulnerability Class Enables Supply Chain Hijacking via Pull Requests, Confirmed on Google AI ADK and Azure Sentinel

VulnerabilityHigh impactGlobal
What happened
Novee security researcher Elad Meged disclosed Cordyceps on 2026-06-23: a systemic class of multi-step CI/CD exploit chains in GitHub Actions workflows where untrusted external data (PR content, comments, branch names) crosses trust boundaries into high-privilege workflow steps. Standard scanners miss it because each individual step appears benign; the vulnerability exists only in the composition. Novee verified 300+ fully exploitable chains from a 30,000-repo scan, with confirmed critical impact on Microsoft Azure Sentinel and Google's AI Agent Development Kit.
Why it matters
Google's AI Agent Development Kit is a key AI agent development infrastructure project. Compromise of its CI pipeline via a single pull request grants cloud owner-level access to Google's CI environment. AI coding agents are specifically called out as accelerating the spread of vulnerable CI/CD patterns — generating insecure YAML at scale across the ecosystem. This is a systemic supply chain risk for the AI development toolchain.
Attack vector
Attacker with only a free GitHub account submits a malicious pull request or PR comment; insecure trust-boundary crossings in GitHub Actions YAML allow the untrusted PR content to flow into a high-privilege workflow, executing attacker code on CI runners and stealing non-expiring GitHub App keys, cloud credentials, or package-signing tokens. On Google AI ADK, a single PR achieved authenticated control over the associated Google Cloud project.
Affected systems
GitHub Actions CI/CD workflows across major AI and software projects; confirmed: Google AI Agent Development Kit (adk-samples), Microsoft Azure Sentinel, Apache Doris, Cloudflare Workers SDK, Python Software Foundation Black — 300+ repos verified exploitable from 30,000 scanned
Mitigation
Audit all GitHub Actions .yml files for trust boundary violations between pull_request_target triggers and secrets/privileged steps. Apply principle of least privilege to workflow tokens. Affected organizations (Microsoft, Google, Apache, Cloudflare, PSF) have applied fixes. Novee research: https://novee.security/blog/cordyceps/
Sources
Novee Security: Cordyceps BlogDark Reading: Cordyceps Coverage (Jun 23 2026)GBHackers: Cordyceps Supply Chain Vulnerability (Jun 23 2026)
See this in the live feed Explore related AI security and governance findings — updated every morning.
Open the feed →