A Hidden Trap in the Factory

Imagine a massive factory where thousands of workers are building toys. But instead of building the toys from scratch, they use pre-made boxes of Lego pieces that arrive every morning. Now, imagine a sneaky person manages to open those boxes at night, put a tiny, broken piece inside, and seal them back up. When the workers build the toys, the broken piece makes the whole toy fall apart or do something dangerous. In the software world, this is called a "supply-chain attack," and the automated line where the pre-made boxes get used is called a CI/CD pipeline. CI/CD stands for Continuous Integration and Continuous Deployment, which is just a fancy way of saying "the automated factory line that builds and delivers software."

On June 24, 2026, cybersecurity researchers at The Hacker News revealed a terrifying new threat called the "Cordyceps CI/CD Flaws." Just like the fungus that takes over ants, these flaws have infected over 300 popular GitHub repositories. The attackers found a way to sneak malicious code into the automated systems that software developers use to update their projects. This means that when a developer tries to update their software, the system accidentally downloads the virus instead.

How the Attack Works

The Cordyceps flaws target the "actions" or small scripts that developers use to automate their work. For example, a developer might use a script that automatically checks their code for spelling errors before publishing it. The hackers created fake versions of these helpful scripts that look exactly like the real ones. When a company downloads the fake script, it gives the hackers a "backdoor" into the company’s entire computer network. From there, the hackers can steal passwords, lock files for ransom, or spy on private communications.

What makes the Cordyceps attack so dangerous is that it targets the tools that developers trust the most. GitHub is the largest home for open-source code in the world. By compromising the CI/CD pipelines, the attackers are not just breaking into one computer; they are poisoning the water supply for hundreds of different software projects at once. Security experts are urging every developer to immediately check their GitHub repositories and ensure they are only using verified, official scripts for their automated factory lines.
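One way to run the check urged above over a workflow file, as an added example that is not from the original report. It goes a step beyond "official scripts only" by also flagging references that are not pinned to a full commit SHA; the owner allowlist, the similarity threshold and the sample workflow (including its SHA and the `actlons` and `some-vendor` names) are constructed assumptions.

```python
import re
from difflib import SequenceMatcher

# Assumption: action owners this organisation has chosen to trust (hypothetical allowlist).
TRUSTED_OWNERS = {"actions", "github"}
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)", re.M)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def audit_workflow(text):
    """Return (reference, problem) pairs for each risky `uses:` entry."""
    findings = []
    for ref in USES_RE.findall(text):
        if ref.startswith(("./", "docker://")):
            continue  # local action or container image: not covered by this check
        target, _, version = ref.partition("@")
        owner = target.split("/")[0].lower()
        if owner not in TRUSTED_OWNERS:
            # A near-match to a trusted owner suggests a lookalike of a real action.
            near = sorted(t for t in TRUSTED_OWNERS
                          if SequenceMatcher(None, owner, t).ratio() >= 0.8)
            if near:
                findings.append((ref, f"owner looks like trusted '{near[0]}'"))
            else:
                findings.append((ref, "owner not on allowlist"))
        # A tag or branch can be moved to new code later; a full SHA cannot.
        if not FULL_SHA_RE.match(version):
            findings.append((ref, "not pinned to a full commit SHA"))
    return findings

# Constructed sample workflow; the 40-character SHA is a placeholder, not a real commit.
SAMPLE = """\
name: build
on: push
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: actions/setup-node@v4
      - uses: actlons/checkout@v4
      - uses: some-vendor/spellcheck@main
"""

if __name__ == "__main__":
    for ref, problem in audit_workflow(SAMPLE):
        print(f"{ref}: {problem}")
```

To audit a real repository, pass the contents of each file under `.github/workflows/` to `audit_workflow` in place of `SAMPLE`.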
