Researchers have discovered a critical vulnerability affecting thousands of open-source projects hosted on GitHub, including repositories from Microsoft, Google, Apache, and Cloudflare. The Cordyceps vulnerability enables attackers to compromise CI/CD pipelines, execute arbitrary code, steal credentials, and potentially inject malicious updates into widely-used software projects.
Analysis of approximately 30,000 popular repositories identified 654 potentially vulnerable projects, with more than 300 confirming real-world exploitation potential. The vulnerability's systemic nature suggests it could affect millions of additional repositories across the platform, posing significant supply-chain risks to enterprises and developers relying on open-source dependencies.
The threat remains difficult to detect using conventional security tools because the vulnerability emerges from interactions between multiple CI/CD processes rather than isolated code vulnerabilities. This detection gap creates a heightened risk window for malicious actors targeting critical infrastructure and cryptocurrency projects that depend on secure code repositories and deployment pipelines.