CI/CD pull-request privilege-escalation flaw (Cordyceps)
Vulnerability
Summary
Cordyceps is a CI/CD workflow privilege-escalation flaw in pull-request automation that lets an unauthenticated user hijack privileged workflows and, through them, reach open-source supply chains. In a scan of about 30,000 high-impact repositories, more than 300 were fully exploitable. The weakness enables attacker-controlled code execution, credential theft, and supply-chain compromise across repositories at large organizations; it was confirmed in repositories tied to Microsoft, Google, Apache, Cloudflare, and the Python Software Foundation.
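The summary above describes the flaw class without saying which workflow construction Cordyceps abused. What follows is an added illustration, not Novee Security's scanner nor code from any affected project: a stdlib-only checker for the two textbook ingredients of a privileged pull-request workflow hijack, namely a privileged trigger (pull_request_target, issue_comment, issues, workflow_run) combined with a checkout of the contributor's commit, and contributor-controlled event fields expanded inside a run: step, which is the command-injection case the disclosure entry below mentions. The sample workflows, the pr-labeler name and the rule names are constructed for this example; the list of untrusted event fields follows GitHub's own script-injection guidance.

```python
# Added example, not the page's or Novee Security's code. Assumption: the flaw
# class is the classic "pwn request" pattern; this is a line-based triage aid
# (no YAML dependency), not a proof of exploitability.
from __future__ import annotations
import re

# Jobs on these events receive secrets and a read/write GITHUB_TOKEN even when an
# outside contributor triggered them.
PRIVILEGED_TRIGGERS = {"pull_request_target", "issue_comment", "issues", "workflow_run"}
# Refs that resolve to the contributor's commit rather than the base branch.
PR_HEAD_REF = re.compile(r"pull_request\.head\.(sha|ref)|github\.head_ref|refs/pull/")
# Contributor-controlled event fields; expanding one inside `run:` is a shell-injection sink.
UNTRUSTED_EXPR = re.compile(
    r"\$\{\{[^}]*github\.(event\.(issue\.(title|body)|pull_request\.(title|body)|comment\.body"
    r"|review\.body|review_comment\.body|head_commit\.message|commits\[[^\]]*\]\.message"
    r"|pull_request\.head\.(ref|label))|head_ref)[^}]*\}\}")


def _indent(line: str) -> int:
    return len(line) - len(line.lstrip(" "))


def parse_triggers(lines: list[str]) -> set[str]:
    """Event names under the top-level `on:` key, inline (`on: [a, b]`) or block form."""
    triggers: set[str] = set()
    for i, line in enumerate(lines):
        m = re.match(r"^on:\s*(.*?)\s*(?:#.*)?$", line)
        if not m:
            continue
        if m.group(1):
            return {n.strip() for n in m.group(1).strip("[]").split(",") if n.strip()}
        child = None
        for nxt in lines[i + 1:]:  # block form: one event per key at the first child indent
            if not nxt.strip():
                continue
            if _indent(nxt) == 0:
                break
            child = child or _indent(nxt)
            if _indent(nxt) == child:
                triggers.add(nxt.strip().lstrip("- ").split(":")[0])
        break
    return triggers


def run_blocks(lines: list[str]):
    """Yield (index, text) for every `run:` scalar, block-scalar continuation lines included."""
    for j, line in enumerate(lines):
        m = re.match(r"^\s*(?:-\s+)?run:\s*(.*)$", line)
        if not m:
            continue
        col, body = line.index("run:"), [m.group(1)]
        for nxt in lines[j + 1:]:
            if nxt.strip() and _indent(nxt) <= col:
                break  # a sibling key (env:, with:) or the next step ends the scalar
            body.append(nxt.strip())
        yield j, "\n".join(body)


def scan_workflow(text: str) -> list[tuple[str, int, str]]:
    """Return (rule, 1-based line, detail) findings for one workflow file, ordered by line."""
    lines = text.splitlines()
    privileged = parse_triggers(lines) & PRIVILEGED_TRIGGERS
    findings = []
    for i, line in enumerate(lines):
        m = re.match(r"^\s*ref:\s*(.*)$", line)
        if privileged and m and PR_HEAD_REF.search(m.group(1)):
            findings.append(("pr-head-ref-under-privileged-trigger", i + 1,
                             f"{m.group(1).strip()} with trigger(s) {sorted(privileged)}"))
    for j, body in run_blocks(lines):
        for m in UNTRUSTED_EXPR.finditer(body):
            findings.append(("untrusted-expression-in-run", j + 1, m.group(0)))
    return sorted(findings, key=lambda f: f[1])


# Constructed sample workflows: the weak pattern beside its corrected form.
VULNERABLE = """\
name: pr-labeler
on: [pull_request_target]
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: |
          npm ci && npm run lint
      - run: echo "Reviewing ${{ github.event.pull_request.title }}"
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
"""
HARDENED = """\
name: pr-labeler
on:
  pull_request_target:
    types: [opened, synchronize]
permissions:
  pull-requests: write
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4  # base branch only; contributor code is never executed here
      - env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: echo "Reviewing $PR_TITLE"
"""

if __name__ == "__main__":
    for label, text in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        found = scan_workflow(text)
        print(f"{label}: {len(found)} finding(s)")
        for rule, line_no, detail in found:
            print(f"  line {line_no} {rule}: {detail}")
```

The vulnerable file yields two findings (the checkout of the PR head under pull_request_target, and the PR title expanded inside run:); the hardened file yields none, because the privileged job checks out the base branch and passes untrusted data through an environment variable. The lint step that genuinely needs the contributor's code belongs in a separate workflow on the pull_request event, where fork PRs get a read-only token and no secrets. A hit from this checker is a reason to read the workflow, not proof that it is exploitable.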
Related Happenings
Miasma supply-chain malware activity
Malware Activity
H score: 34
First: 10.06.2026 23:27
Last: 10.06.2026 23:27
Sources: 1
About this happening:
The **Miasma** malware activity is enabling **supply-chain compromise** by stealing **build environment** and **cloud credentials**, then using them to poison legitimate packages...
Claude Code GitHub Action bot trigger bypass security flaw
Vulnerability
H score: 31
First: 04.06.2026 18:15
Last: 04.06.2026 18:15
Sources: 1
About this happening:
**Anthropic's Claude Code GitHub Action** had a **trigger-check bypass** that let a malicious **GitHub issue** escalate into **repository takeover** for vulnerable public reposito...
GlassWorm supply-chain malware activity
Malware Activity
H score: 22
First: 27.05.2026 14:48
Last: 27.05.2026 14:48
Sources: 1
About this happening:
The **GlassWorm** malware activity is now under a coordinated **C2 disruption**, reducing its ability to deliver new instructions and payloads to infected developer systems. The o...
Megalodon GitHub CI/CD supply-chain campaign
Campaign
H score: 50
First: 22.05.2026 14:55
Last: 22.05.2026 14:55
Sources: 1
About this happening:
The **Megalodon** campaign pushed **5,718 malicious commits** into **5,561 GitHub repositories** in about **six hours**, creating a broad **CI/CD secret-theft** risk across develo...
Shai-Hulud worm clone activity on NPM
Malware Activity
H score: 69
First: 18.05.2026 12:45
Last: 18.05.2026 12:45
Sources: 1
About this happening:
The **Shai-Hulud** malware activity has continued to evolve across the **npm supply chain** and related developer ecosystems. It first infected **npm packages** in **September 202...
Timeline
24.06.2026 15:48 · 2 articles
Cordyceps exposes privileged CI/CD workflows to unauthenticated users
Initial Disclosure: Novee Security disclosed Cordyceps, a critical CI/CD workflow weakness that lets an unauthenticated user hijack pull-request automation, forge approvals, push code, or steal credentials in open-source supply chains. The scan covered about 30,000 high-impact repositories and identified more than 300 fully exploitable cases; named examples include Microsoft's Azure Sentinel, Google's AI Agent Development Kit, Apache Doris, Cloudflare Workers SDK, and the Python Software Foundation's Black. Outcomes ranged from code execution and command injection to credential theft and workflow takeover.
Sources
- Cordyceps CI/CD Flaws Expose 300+ GitHub Repositories to Supply-Chain Attacks — thehackernews.com — 24.06.2026 15:48