GitHub Actions attack pattern that eludes CI scanners
🛡️ In June 2026, Novee Security disclosed "Cordyceps," a CI/CD composition weakness across thousands of high-impact repositories that flagged 654 and confirmed 300+ exploitable cases. The issue stems from how GitHub Actions events like pull_request_target and workflow_run execute with elevated privileges and can be tricked into running attacker-controlled content. Each workflow file appears valid, so SAST/DAST tools miss the cross-file composition that enables command, code injection and cross-workflow privilege escalation. Vendors have patched, but the broader governance gap—exacerbated by AI-generated workflows—remains and requires stricter trust boundaries and provenance controls.
