logo

'Cordyceps': Mushrooming Malicious Pull Requests Threaten Developer Workflows

ID: 66838ede-c39e-59d9-8a61-40170e98c8c9

STIX ID: report--66838ede-c39e-59d9-8a61-40170e98c8c9

Feed Name: Dark Reading

Threat Score
70/100

Date Published: 2026-06-23

Date Updated: 2026-06-24

Author: Alexander Culafi

...
...

Novee security researcher Elad Meged disclosed a class of CI/CD workflow weaknesses named “Cordyceps” in which attacker-controlled pull requests can run code in CI environments, steal high-privilege credentials (signing keys, tokens), publish malicious packages, and otherwise compromise software supply chains; Novee flagged 654 potentially vulnerable repositories (300 confirmed fully exploitable) and vendors including Microsoft and Google validated or mitigated impacts, prompting recommendations to inventory and harden workflows and treat workflow YAML as code.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.