The GitHub Actions Attack Pattern Your CI Security Scanners Miss
The Cordyceps attack pattern exploits the composition of GitHub Actions workflows in CI/CD pipelines, allowing attackers with only a free GitHub account to execute code with elevated privileges. This attack chain abuses the context in which certain GitHub Actions triggers run, enabling command injection, code injection, and cross-workflow privilege escalation. Traditional CI security scanners fail to detect this because each individual workflow file is valid and passes scans, but their combined behavior creates the vulnerability. Major organizations including Microsoft, Google, and Apache have confirmed and patched instances of this issue. Immediate mitigations include preferring safer workflow triggers, restricting permissions, pinning actions, and gating privileged workflows. The root cause is a lack of governance over what is trusted in the build pipeline, especially as AI-generated workflows increase the volume of unchecked changes.
AI Analysis
Technical Summary
Researchers at Novee Security identified a class of CI/CD weaknesses called Cordyceps affecting GitHub Actions workflows. The vulnerability arises from how workflows triggered by pull_request_target and workflow_run execute in the base repository context with access to secrets and write tokens, while processing attacker-controlled input from pull requests. This enables a multi-step attack chain involving command injection, code injection via github-script, and cross-workflow privilege escalation. Each workflow file individually is valid and passes static and dynamic analysis scanners, so the vulnerability is in their composition rather than any single file. Confirmed exploits include stealing non-expiring GitHub App keys and escalating cloud project roles. The issue is not a single CVE but a pattern that evades detection and requires governance of trust boundaries in CI/CD pipelines. Vendors have hardened or patched affected repositories, but the pattern remains largely unmitigated industry-wide. Recommended mitigations include using safer triggers, restricting permissions, pinning action versions, and manual approvals for untrusted contributors. The underlying challenge is managing trust at the source of CI/CD inputs, especially as AI-driven workflow generation accelerates.
Potential Impact
The impact includes unauthorized code execution within CI pipelines with access to repository secrets and tokens, leading to credential theft and privilege escalation. This can result in persistent write access to critical security content, such as detection rules and automated playbooks, potentially compromising downstream consumers. Confirmed cases involved Microsoft, Google, and Apache projects, where attackers could steal non-expiring keys or escalate to owner-level cloud roles. The vulnerability allows attackers with minimal prerequisites (a free GitHub account) to exploit trusted workflows, bypassing traditional security scanners. No evidence of exploitation in the wild was found at the time of disclosure, but the pattern is proven exploitable and widespread.
Mitigation Recommendations
Vendors and organizations have hardened or patched affected repositories, but the pattern is not fully mitigated industry-wide. Immediate recommended mitigations include: preferring the pull_request trigger over pull_request_target for untrusted contributions; avoiding checking out pull request code in privileged workflows; passing event data via quoted environment variables instead of inline shell commands; defaulting permissions to read-only; pinning third-party actions to specific commit SHAs rather than floating tags; and gating privileged workflows behind manual approval for first-time contributors. The fundamental mitigation is to govern and verify the provenance of all components and workflows entering the build pipeline, ensuring trust boundaries are explicitly audited and managed. Patch status is not explicitly stated; check vendor advisories for updates. No action is required if these mitigations are already in place.
The GitHub Actions Attack Pattern Your CI Security Scanners Miss
Description
The Cordyceps attack pattern exploits the composition of GitHub Actions workflows in CI/CD pipelines, allowing attackers with only a free GitHub account to execute code with elevated privileges. This attack chain abuses the context in which certain GitHub Actions triggers run, enabling command injection, code injection, and cross-workflow privilege escalation. Traditional CI security scanners fail to detect this because each individual workflow file is valid and passes scans, but their combined behavior creates the vulnerability. Major organizations including Microsoft, Google, and Apache have confirmed and patched instances of this issue. Immediate mitigations include preferring safer workflow triggers, restricting permissions, pinning actions, and gating privileged workflows. The root cause is a lack of governance over what is trusted in the build pipeline, especially as AI-generated workflows increase the volume of unchecked changes.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Researchers at Novee Security identified a class of CI/CD weaknesses called Cordyceps affecting GitHub Actions workflows. The vulnerability arises from how workflows triggered by pull_request_target and workflow_run execute in the base repository context with access to secrets and write tokens, while processing attacker-controlled input from pull requests. This enables a multi-step attack chain involving command injection, code injection via github-script, and cross-workflow privilege escalation. Each workflow file individually is valid and passes static and dynamic analysis scanners, so the vulnerability is in their composition rather than any single file. Confirmed exploits include stealing non-expiring GitHub App keys and escalating cloud project roles. The issue is not a single CVE but a pattern that evades detection and requires governance of trust boundaries in CI/CD pipelines. Vendors have hardened or patched affected repositories, but the pattern remains largely unmitigated industry-wide. Recommended mitigations include using safer triggers, restricting permissions, pinning action versions, and manual approvals for untrusted contributors. The underlying challenge is managing trust at the source of CI/CD inputs, especially as AI-driven workflow generation accelerates.
Potential Impact
The impact includes unauthorized code execution within CI pipelines with access to repository secrets and tokens, leading to credential theft and privilege escalation. This can result in persistent write access to critical security content, such as detection rules and automated playbooks, potentially compromising downstream consumers. Confirmed cases involved Microsoft, Google, and Apache projects, where attackers could steal non-expiring keys or escalate to owner-level cloud roles. The vulnerability allows attackers with minimal prerequisites (a free GitHub account) to exploit trusted workflows, bypassing traditional security scanners. No evidence of exploitation in the wild was found at the time of disclosure, but the pattern is proven exploitable and widespread.
Mitigation Recommendations
Vendors and organizations have hardened or patched affected repositories, but the pattern is not fully mitigated industry-wide. Immediate recommended mitigations include: preferring the pull_request trigger over pull_request_target for untrusted contributions; avoiding checking out pull request code in privileged workflows; passing event data via quoted environment variables instead of inline shell commands; defaulting permissions to read-only; pinning third-party actions to specific commit SHAs rather than floating tags; and gating privileged workflows behind manual approval for first-time contributors. The fundamental mitigation is to govern and verify the provenance of all components and workflows entering the build pipeline, ensuring trust boundaries are explicitly audited and managed. Patch status is not explicitly stated; check vendor advisories for updates. No action is required if these mitigations are already in place.
Technical Details
- Article Source
- {"url":"https://www.bleepingcomputer.com/news/security/the-github-actions-attack-pattern-your-ci-security-scanners-miss/","fetched":true,"fetchedAt":"2026-07-07T14:13:22.479Z","wordCount":1333}
Threat ID: 6a4d0982c9d9e3dbe3483800
Added to database: 07/07/2026, 14:13:22 UTC
Last enriched: 07/07/2026, 14:13:32 UTC
Last updated: 07/07/2026, 17:06:51 UTC
Views: 6
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.