Definition
Continuous Integration / Continuous Delivery (CI/CD) pipelines are automated systems that build, test, and deploy software whenever code changes are submitted. Because the pipeline holds the credentials used to publish releases (signing keys, package-registry tokens, deployment access), compromising it lets an attacker inject malicious code into the official build artifact before it reaches users, without ever breaking into production servers directly. A common entry point is a misconfigured workflow file that runs untrusted input, such as code or metadata from an outside pull request, with the project's own privileges. AI development tools are especially valuable targets because they are trusted and pulled into many downstream projects.
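As an added example, not code from this page or from any project it names: a well-documented form of the workflow misconfiguration described above is a GitHub Actions workflow that runs on a privileged trigger such as `pull_request_target` (base-repository secrets and a write token are available) while checking out the pull request head or interpolating a contributor-controlled field such as the PR title into a `run:` script. The heuristic scanner below flags both patterns. It is a line-oriented check, not a YAML parser, and the two workflow files, the rule names and the `Finding` type are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Events that execute the workflow in the base repository's security context
# (secrets and a write-capable token) even when an outside contributor triggered it.
PRIVILEGED_TRIGGERS = ("pull_request_target", "issue_comment", "workflow_run")

# Expressions that resolve to the pull request head, i.e. code the submitter controls.
UNTRUSTED_REF_RE = re.compile(
    r"github\.(?:event\.pull_request\.head\.(?:sha|ref)|head_ref)")

# Event fields a contributor types freely; interpolating them into `run:` lets a
# crafted title or comment body break out of the quoted string into the shell.
INJECTABLE_RE = re.compile(
    r"\$\{\{\s*github\.(?:event\.(?:pull_request\.(?:title|body)"
    r"|issue\.(?:title|body)|comment\.body)|head_ref)\s*\}\}")

RUN_KEY_RE = re.compile(r"^(\s*(?:-\s*)?)run:\s*(.*)$")
REF_KEY_RE = re.compile(r"^\s*ref:\s*")


@dataclass
class Finding:
    line: int
    rule: str
    detail: str


def scan_workflow(text: str) -> list[Finding]:
    """Heuristic scan of one GitHub Actions workflow file; findings in file order.

    Handles `run: <cmd>` and `run: |` block scalars by indentation and skips
    comment lines. Good enough for hand-written workflows, not a YAML parser.
    """
    lines = text.splitlines()
    privileged = set()
    for raw in lines:
        if raw.strip().startswith("#"):
            continue
        for trigger in PRIVILEGED_TRIGGERS:
            if re.search(rf"\b{trigger}\b", raw):
                privileged.add(trigger)

    findings: list[Finding] = []
    run_key_col = None  # column of the `run:` key whose block scalar we are inside
    for n, raw in enumerate(lines, 1):
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())

        # Inside a `run: |` block every deeper-indented line is shell script.
        if run_key_col is not None and indent > run_key_col:
            if INJECTABLE_RE.search(raw):
                findings.append(Finding(n, "expression-injection-in-run",
                                        "untrusted event field interpolated into shell"))
            continue
        run_key_col = None

        m = RUN_KEY_RE.match(raw)
        if m:
            remainder = m.group(2)
            if remainder.startswith(("|", ">")):
                run_key_col = len(m.group(1))
            elif INJECTABLE_RE.search(remainder):
                findings.append(Finding(n, "expression-injection-in-run",
                                        "untrusted event field interpolated into shell"))
            continue

        # Checking out the PR head is harmless on plain `pull_request` (no secrets),
        # but on a privileged trigger it runs the submitter's code with the
        # repository's credentials.
        if REF_KEY_RE.match(raw) and UNTRUSTED_REF_RE.search(raw) and privileged:
            findings.append(Finding(
                n, "untrusted-checkout-on-privileged-trigger",
                "checks out PR head while triggered by " + ", ".join(sorted(privileged))))
    return findings


# Constructed sample: the classic "pwn request" layout.
VULNERABLE_WORKFLOW = """\
name: PR checks
on:
  pull_request_target:
    types: [opened, synchronize]
permissions:
  contents: write
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - name: Install and test
        run: |
          echo "Testing ${{ github.event.pull_request.title }}"
          npm ci && npm test
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
"""

# Constructed sample, hardened: unprivileged trigger, default (merge) checkout,
# read-only token, and the title passed through an environment variable.
HARDENED_WORKFLOW = """\
name: PR checks
on:
  pull_request:
    types: [opened, synchronize]
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Install and test
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: |
          echo "Testing $PR_TITLE"
          npm ci && npm test
"""

if __name__ == "__main__":
    for name, wf in (("vulnerable", VULNERABLE_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(name, [(f.line, f.rule) for f in scan_workflow(wf)])
```

Run against the vulnerable sample it reports line 13 (untrusted checkout under `pull_request_target`) and line 16 (PR title interpolated into the shell); the hardened sample produces no findings. Passing the title through `env:` is the fix for the second pattern because the value then reaches the script as data rather than being expanded into the command text before the shell parses it.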
Why it matters
A successful CI/CD compromise of a high-value AI project (such as Google's AI Agent Development Kit) can silently backdoor every application built on top of it, affecting millions of downstream users at once, because the malicious code ships inside the project's own official release rather than in a separate, obviously foreign artifact. This class of vulnerability has been found in more than 300 repositories, including flagship AI infrastructure projects.