What happened
Novee Security disclosed on June 23, 2026 a systemic class of CI/CD vulnerabilities (named 'Cordyceps') in GitHub Actions .yml workflow files across ~300+ high-profile repositories including Google's AI Agent Development Kit (ADK), Microsoft Azure Sentinel, Apache Doris, Cloudflare Workers SDK, and Python PSF's Black formatter. Workflows using pull_request_target without restricting execution to trusted code allow any unauthenticated user with a free GitHub account to trigger privileged CI runs, inject code, steal non-expiring credentials, and achieve supply-chain compromise. On Google's AI Agent Dev Kit specifically, a crafted pull request could grant an attacker full owner-level authority over a Google Cloud project. Microsoft confirmed impact on Azure Sentinel. Novee scanned ~30,000 repos and found 654 flagged and 300+ fully exploitable.
Why it matters
Google's AI Agent Development Kit is the primary framework Google ships for building and deploying autonomous AI agents. A supply-chain compromise of its build pipeline could inject malicious code into releases consumed by AI developers globally. The flaw is compounded by AI coding agents that generate GitHub Actions YAML at machine speed, replicating the same insecure patterns across repositories at exponential scale. No CVE assigned; no GitHub-level patch — remediation requires per-repo workflow configuration changes.
Attack vector
An unauthenticated attacker with a free GitHub account opens a pull request or posts a comment that triggers a vulnerable pull_request_target workflow. Low-privilege workflow output then crosses a trust boundary into a high-privilege workflow, enabling credential theft, code injection, artifact poisoning, and full cloud project takeover.
Affected systems
Google AI Agent Development Kit (ADK), Microsoft Azure Sentinel, Apache Doris, Cloudflare Workers SDK, Python PSF Black formatter, and 300+ additional open-source repositories; any GitHub Actions workflow using pull_request_target without trust restrictions
Mitigation
Audit all GitHub Actions workflows for pull_request_target usage; restrict execution to trusted code paths; apply least-privilege permissions; pin workflow actions to full commit SHAs. Microsoft, Google, Cloudflare, Apache and Python PSF applied fixes after responsible disclosure. Novee blog: https://novee.security/blog/cordyceps
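One way to start the audit step above, as an added example (not Novee's scanner or any affected project's code): a line-based heuristic that looks only at pull_request_target workflows and flags a checkout of the pull request head, a missing permissions block, and actions referenced by tag instead of a full commit SHA. The finding names, regexes and SAMPLE workflow are constructed for illustration.

```python
import re
import sys

# Constructed sample workflow, not taken from any real repository.
# The 40-hex commit SHA is a placeholder.
SAMPLE = """\
on:
  pull_request_target:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567
      - run: pip install -e . && pytest
"""

COMMENT = re.compile(r"(^|\s)#.*")
TRIGGER = re.compile(r"\bpull_request_target\b")
PERMS = re.compile(r"^\s*permissions\s*:")
# Checkout ref that resolves to the untrusted PR head or merge commit.
HEAD_REF = re.compile(r"\bref:.*(github\.event\.pull_request\.head\.|github\.head_ref|refs/pull/)")
USES = re.compile(r"\buses:\s*([^\s#]+)")
PINNED = re.compile(r"@[0-9a-f]{40}$")

def audit(text):
    """Return (line_number, finding) pairs; line 0 means whole-file."""
    lines = [COMMENT.sub("", l) for l in text.splitlines()]
    if not any(TRIGGER.search(l) for l in lines):
        return []  # only pull_request_target workflows are in scope here
    findings = []
    if not any(PERMS.match(l) for l in lines):
        findings.append((0, "no-permissions-block"))
    for n, l in enumerate(lines, 1):
        if HEAD_REF.search(l):
            findings.append((n, "checks-out-pr-head"))
        m = USES.search(l)
        if m and not m.group(1).startswith("./") and not PINNED.search(m.group(1)):
            findings.append((n, "unpinned-action"))
    return findings

if __name__ == "__main__":
    # Usage: python audit.py .github/workflows/*.yml  (no args: run on SAMPLE)
    texts = {p: open(p, encoding="utf-8").read() for p in sys.argv[1:]} or {"SAMPLE": SAMPLE}
    for name, text in texts.items():
        for line, finding in audit(text):
            print(f"{name}:{line}: {finding}")
```

Because it matches text rather than parsing YAML, treat each hit as a prompt for manual review; a workflow with no findings can still pass untrusted output to a privileged workflow in ways this check does not see.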