www.darkreading.com 6/23/2026, 8:10:01 PM · external

Cordyceps flaw leaves CI/CD open to supply chain attack

CyberSIXT Evidence Panel
Primary Source novee.security

A newly disclosed vulnerability known as 'Cordyceps' threatens CI/CD workflows: an attacker can use a malicious pull request to compromise the software supply chain of the targeted project. Affected projects include notable repositories such as Microsoft's Azure Sentinel and Google's AI Agent Development Kit, and reports indicate that 654 repositories could potentially be exploited. Key points:

1. The vulnerability lies in the access permissions that CI/CD workflows grant to jobs triggered by pull requests: a pull request from an untrusted contributor can run with enough privilege to execute code in the pipeline and steal the credentials available to it.

2. Novee, the security firm that reported the issue, confirmed that 300 of those repositories are fully exploitable.

3. An attacker with that access can spoof signatures and distribute malicious code to downstream consumers of the affected project.

4. Recommendations for organizations include securing developer workflows by treating CI/CD workflow definitions as sensitive code assets, subject to the same review and protection as application code, and by auditing the access permissions granted to pull-request-triggered jobs.
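The audit in point 4 can be automated. The script below is an added example, not code from the Dark Reading article or from Novee, and it assumes GitHub Actions as the CI system (the page does not name one). It flags the generic, well-known risk patterns in pull-request-reachable workflows (privileged triggers without an explicit permissions block, write scopes, checkout of the PR head ref under a privileged trigger, and untrusted event fields interpolated into `run:` scripts); it is not a description of the Cordyceps flaw itself. The two sample workflows are constructed for the example.

```python
"""Audit GitHub Actions workflow definitions for permission grants and
patterns that let a pull request from an untrusted fork run code with the
base repository's secrets or write access.

Added example (assumes GitHub Actions); not the article's or Novee's code.
"""
from __future__ import annotations

import re
from typing import Any

# Triggers whose runs carry the base repo's token and secrets even when the
# event originated from a fork.  A plain `pull_request` run from a fork gets a
# read-only token and no secrets, so it is PR-reachable but not privileged.
PRIVILEGED_TRIGGERS = {"pull_request_target", "issue_comment", "workflow_run"}
PR_REACHABLE_TRIGGERS = PRIVILEGED_TRIGGERS | {"pull_request"}

# Event fields an outside contributor controls; interpolating them directly
# into a shell `run:` script is a command-injection primitive.
UNTRUSTED_CONTEXT = re.compile(
    r"\$\{\{\s*(github\.head_ref"
    r"|github\.event\.pull_request\.(?:title|body|head\.(?:ref|label))"
    r"|github\.event\.issue\.(?:title|body)|github\.event\.comment\.body)\s*\}\}"
)
# A checkout of the PR head under a privileged trigger runs fork code with secrets.
PR_HEAD_REF = re.compile(r"github\.event\.pull_request\.head|github\.head_ref")
WRITE_SCOPES = {"write", "write-all"}


def triggers(workflow: dict[str, Any]) -> set[str]:
    """Normalise the `on:` block to a set of event names."""
    # PyYAML follows YAML 1.1, so a bare `on:` key parses as the boolean True.
    on = workflow.get("on", workflow.get(True))
    if isinstance(on, str):
        return {on}
    if isinstance(on, (list, dict)):
        return set(on)
    return set()


def has_write(perms: Any) -> bool:
    """True if a `permissions:` value grants any write scope."""
    if perms == "write-all":
        return True
    return isinstance(perms, dict) and any(v in WRITE_SCOPES for v in perms.values())


def audit_workflow(name: str, workflow: dict[str, Any]) -> list[str]:
    """Return one finding per risky pattern; an empty list means no findings."""
    findings: list[str] = []
    trig = triggers(workflow)
    if not trig & PR_REACHABLE_TRIGGERS:
        return findings  # a pull request cannot start this workflow
    privileged = sorted(trig & PRIVILEGED_TRIGGERS)
    top_perms = workflow.get("permissions")
    if privileged and top_perms is None:
        findings.append(f"{name}: {privileged} trigger with no top-level permissions block (inherits repository default)")
    if has_write(top_perms):
        findings.append(f"{name}: write permissions at workflow level on a PR-reachable workflow")
    for job_name, job in (workflow.get("jobs") or {}).items():
        if has_write(job.get("permissions")):
            findings.append(f"{name}/{job_name}: write permissions at job level on a PR-reachable workflow")
        for i, step in enumerate(job.get("steps") or []):
            uses = str(step.get("uses") or "")
            ref = str((step.get("with") or {}).get("ref", ""))
            if privileged and uses.startswith("actions/checkout") and PR_HEAD_REF.search(ref):
                findings.append(f"{name}/{job_name} step {i}: privileged trigger checks out the PR head ref ({ref})")
            run = step.get("run")
            if isinstance(run, str) and (m := UNTRUSTED_CONTEXT.search(run)):
                findings.append(f"{name}/{job_name} step {i}: untrusted {m.group(1)} interpolated into run script")
    return findings


def load_workflows(repo_dir: str) -> dict[str, dict[str, Any]]:
    """Parse every workflow under .github/workflows (needs PyYAML; imported lazily)."""
    import glob, os, yaml
    out: dict[str, dict[str, Any]] = {}
    for path in glob.glob(os.path.join(repo_dir, ".github", "workflows", "*.y*ml")):
        with open(path) as fh:
            out[os.path.basename(path)] = yaml.safe_load(fh)
    return out


# Constructed samples, already in the dict form yaml.safe_load produces.
VULNERABLE = {  # classic "pwn request" shape
    "name": "pr-preview",
    True: {"pull_request_target": {"types": ["opened", "synchronize"]}},  # YAML 1.1 `on:`
    "jobs": {"build": {"runs-on": "ubuntu-latest", "steps": [
        {"uses": "actions/checkout@v4", "with": {"ref": "${{ github.event.pull_request.head.sha }}"}},
        {"run": "npm ci && npm run build"},  # install scripts from the fork now run with secrets
        {"run": 'echo "Building ${{ github.event.pull_request.title }}"'},
    ]}},
}
HARDENED = {
    "name": "pr-preview",
    "on": {"pull_request": {"types": ["opened", "synchronize"]}},
    "permissions": {"contents": "read"},
    "jobs": {"build": {"runs-on": "ubuntu-latest", "steps": [
        {"uses": "actions/checkout@v4"},
        {"run": "npm ci && npm run build"},
        {"env": {"PR_TITLE": "${{ github.event.pull_request.title }}"}, "run": 'echo "Building $PR_TITLE"'},
    ]}},
}

if __name__ == "__main__":
    for label, wf in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(label, audit_workflow(label, wf) or ["no findings"])
```

Run against a checkout with `for n, wf in load_workflows(".").items(): print(audit_workflow(n, wf))`. The hardened sample shows the usual fixes: a `pull_request` trigger instead of `pull_request_target`, an explicit read-only `permissions` block, a checkout of the merge ref rather than the PR head, and untrusted event fields passed through `env:` so the shell sees a variable rather than interpolated text.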

View Primary Source Via www.darkreading.com

Article by CyberSIXT