Gbhackers
Cordyceps Supply Chain Vulnerability Threatens Thousands of Code Repositories
The Cordyceps vulnerability is a serious supply chain flaw that lets unauthenticated attackers take control of Git-based workflows, affecting thousands of organizations. Novee's scan of 30,000 repositories found 654 instances of the vulnerability, of which over 300 were fully exploitable chains. Major organizations including Microsoft, Google, Apache, Cloudflare, and the Python Software Foundation have confirmed affected systems. Exploitation combines command injection, broken authentication, and privilege escalation in GitHub Actions YAML files. The root cause is that workflows are treated as configuration rather than as code, so untrusted data is allowed to cross trust boundaries. Concrete examples include the theft of a GitHub App key from Microsoft and the ability to exfiltrate credentials from Apache's Doris repository. The vulnerability is systemic and potentially affects millions of repositories, which shows that legacy security tools are not catching it. Immediate action is needed to mitigate the associated risks.
Key Points:
• Cordyceps vulnerability affects thousands of organizations, allowing control over Git workflows.
• Novee identified 654 instances and over 300 exploitable chains in a scan of 30,000 repositories.
• Major companies including Microsoft and Google confirmed vulnerabilities in their systems.
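The article names command injection in GitHub Actions YAML as one piece of the chain but gives no workflow details. Assuming it takes the well-known form of untrusted event data interpolated into a `run:` script, the following added detector (written for this page, not code from the article, Novee, or any affected project) flags that pattern in a constructed workflow and shows the hardened form, which passes the same data through an environment variable, coming back clean.

```python
import re

# Expression contexts that carry attacker-influenced data in GitHub Actions.
# Assumption: this covers the common cases, not every untrusted context.
UNTRUSTED_CONTEXTS = (
    "github.event.issue.title", "github.event.issue.body",
    "github.event.pull_request.title", "github.event.pull_request.body",
    "github.event.pull_request.head.ref", "github.event.pull_request.head.label",
    "github.event.comment.body", "github.event.review.body",
    "github.event.head_commit.message", "github.event.commits",
    "github.head_ref",
)
EXPR_RE = re.compile(r"\$\{\{\s*([^}]*?)\s*\}\}")

def find_untrusted_interpolations(workflow_text):
    """Return (line_no, expression) for every ${{ }} inside a run: script that
    references an attacker-controlled context. Line-based scan: a run block
    ends at the next line indented at or above the step's key level."""
    findings = []
    in_run, run_indent = False, 0
    for no, line in enumerate(workflow_text.splitlines(), 1):
        stripped = line.lstrip()
        indent = len(line) - len(stripped)
        if in_run and stripped and indent <= run_indent:
            in_run = False
        if re.match(r"(?:-\s+)?run:", stripped):
            # For a "- run:" list item, sibling keys (env:, with:) sit two deeper.
            in_run, run_indent = True, indent + (2 if stripped.startswith("-") else 0)
        if in_run:
            for expr in EXPR_RE.findall(line):
                if any(expr.startswith(ctx) for ctx in UNTRUSTED_CONTEXTS):
                    findings.append((no, expr))
    return findings

# Constructed sample workflows (not from the article).
VULNERABLE = """\
name: triage
on: issues
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - run: echo "New issue: ${{ github.event.issue.title }}"
      - run: |
          echo "${{ github.event.issue.body }}" > body.txt
          wc -l body.txt
      - uses: actions/checkout@v4
"""
HARDENED = """\
      - run: echo "New issue: $ISSUE_TITLE"
        env:
          ISSUE_TITLE: ${{ github.event.issue.title }}
"""
```

Expressions that pass untrusted data through `env:` are left to the shell as plain variable values and are therefore not flagged.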