AI Coding Tools Are Spreading the Same CI/CD Security Flaw Everywhere

By Michael N. | Category AI | 6/26/2026

Named After a Parasite for a Reason

Novee called it Cordyceps, after the fungus that hijacks insects and uses them to spread itself further. Accurate name.

The flaw lives in GitHub Actions workflows — the automated pipelines that test, build, and deploy code. They hold API keys, signing certificates, and deployment credentials. Get into one and you can push malicious code into a release before it ships. Everyone who installs that software downstream gets the payload.

Novee scanned 30,000 repositories. They flagged 654. Over 300 were fully exploitable with a free GitHub account. No org membership, no special access.

AI Turned One Bad Pattern Into Millions

The same misconfiguration showing up across hundreds of orgs isn't a coincidence. AI coding tools learn from existing code. When a flawed workflow pattern is common enough, those tools start treating it as correct. Developer asks for a GitHub Actions setup, gets back the broken pattern, ships it. Repeat across millions of projects.

Novee's Elad Meged said it plainly: AI agents generate CI/CD config fast and reproduce the same insecure patterns over and over.

What Attackers Actually Got Access To

Each named org had confirmed exploits:

Microsoft Azure Sentinel — a PR comment ran attacker code on Microsoft's CI and stole a non-expiring GitHub App key. That key had write access to security content shipped directly into customer workspaces.

Google ADK — one malicious pull request handed an attacker owner-level access over the associated Google Cloud project.

Apache Doris — two separate zero-click attack paths, both ending in credential theft.

Python's Black formatter — 130 million downloads a month. Any PR could steal the project's bot token and open a path to poisoned Docker images.

All have been patched.

If You Run GitHub Actions

Three things to check:

  • Audit which events trigger your pipelines. pull_request_target runs with elevated permissions even when the pull request comes from a fork.
  • Scope your secrets. Secrets available to all workflows are a wider target than secrets tied to specific environments.
  • Treat AI-generated workflow files like third-party code. Read them before you run them.
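
One way to run the first two checks over workflow files, as an added example (not code from this article or from Novee's write-up). It assumes the risky shape is a trigger that runs in the base repository's context combined with a checkout of the pull request's own code; the finding names and both sample workflows are constructed for illustration.

```python
import re

# Base-repo-context triggers; the page names the first, the other two are added here.
PRIVILEGED = re.compile(r"\b(pull_request_target|issue_comment|workflow_run)\b")
# Checkout refs that resolve to code supplied by the pull request author.
UNTRUSTED_REF = re.compile(
    r"ref:.*(github\.event\.pull_request\.head\.(sha|ref)|github\.head_ref|refs/pull/)")
SECRET_USE = re.compile(r"\$\{\{\s*secrets\.")
PERMISSIONS = re.compile(r"^\s*permissions:", re.M)

def audit_workflow(text):
    """Return sorted finding codes for one workflow file (heuristic, line-based)."""
    body = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))
    findings = set()
    if PRIVILEGED.search(body):
        findings.add("privileged-trigger")
        if UNTRUSTED_REF.search(body):
            findings.add("checks-out-pr-code")
        if SECRET_USE.search(body):
            findings.add("secrets-in-reach")
        if not PERMISSIONS.search(body):
            findings.add("no-permissions-block")
    return sorted(findings)

# Constructed sample workflows (not taken from any affected repository).
RISKY = """\
on: pull_request_target
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: make test
        env:
          DEPLOY_KEY: ${{ secrets.DEPLOY_KEY }}
"""
SAFER = """\
on: pull_request
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: make test
"""
if __name__ == "__main__": print(audit_workflow(RISKY), audit_workflow(SAFER))
```

Feed it the contents of each file under .github/workflows/; a hit is a prompt for manual review, not proof that the workflow is exploitable.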

Novee's full write-up has the technical detail. GitHub's Actions hardening guide covers the defensive side.

The Patches Don't Fix the Pattern

The 300 confirmed repos are patched. The pattern isn't gone. AI tools still have the bad workflows in their training data. Developers are still getting the same suggestions. The repos created yesterday and the ones created tomorrow carry the same risk Novee spent months tracking down.


🔑 Key Terms

CI/CD — automated pipelines that build, test, and deploy code. They hold credentials and have broad system access.

Supply-chain attack — targeting the build process rather than end users. Compromise one package or pipeline, reach everyone downstream.

pull_request_target — a GitHub Actions trigger that runs with elevated permissions even for PRs from outside contributors. Common entry point in this attack class.

Artifact poisoning — injecting malicious content into build outputs so downstream users install it on update.


📚 Sources

Novee Security — Cordyceps: The Silent Parasite Consuming Your Supply Chain

The Hacker News — Cordyceps CI/CD Flaws Expose 300+ GitHub Repos to Supply-Chain Attacks

Dark Reading — 'Cordyceps': Malicious Pull Requests Threaten CI/CD Workflows

Hackread — 'Cordyceps' CI/CD Flaw Exposes Microsoft, Google, Apache Repos to Pipeline Hijacking