Security • Technology

Cordyceps Attack: Malicious Pull Requests Quietly Infect Major Developer Tools

TBB Desk

1 hour ago · 13 min read


Key Takeaways

The main points at a glance

  • Cordyceps is a novel attack technique using malicious pull requests to compromise CI/CD pipelines.
  • The attack bypasses standard security checks by disguising malicious code within seemingly legitimate changes.
  • Major developer tools from Microsoft, Google, Apache, and Cloudflare are among the affected projects.
  • Cordyceps exploits the trust placed in automated build and deployment systems, turning them into vectors for attack.
  • The sophisticated nature of the attack makes it difficult to detect, as malicious code can lie dormant or mimic normal operations.
  • Strengthening manual code review processes and hardening CI/CD pipelines are crucial mitigation steps.

It starts with a harmless-looking line of code. A developer sees a pull request from a trusted collaborator, clicks merge, and the code flows into the project. But behind that innocent keystroke lies a silent invasion. The code is not what it seems. It carries a hidden payload, designed to slip through automated checks and burrow deep into the software supply chain.

This is Cordyceps, a new class of malicious pull request attack that security researchers have discovered targeting the continuous integration and continuous deployment (CI/CD) pipelines of some of the most widely used developer tools in the world. The name, inspired by a parasitic fungus that takes over its host, is fitting. Cordyceps does not just break into a system. It infiltrates the very process by which software is built and shipped, turning trusted workflows into weapons against the developers who rely on them.

The attack affects major projects from Microsoft, Google, Apache, Cloudflare, and the Python Software Foundation. Researchers warn that Cordyceps is not a single vulnerability but a technique that exploits a fundamental weakness in how open-source software is reviewed and integrated. And it is spreading fast.

The Threat: Cordyceps Malicious Pull Requests Exploit CI/CD Pipelines

Cordyceps is not a virus that spreads through email or a phishing link. It is a carefully crafted attack on the software development process itself. The method involves submitting a pull request that appears legitimate to human reviewers but contains hidden malicious code. That code is designed to execute automatically when the pull request is merged into the project’s main branch and the CI/CD pipeline runs tests or builds.

What makes Cordyceps particularly dangerous is its ability to bypass standard security checks. Many open-source projects rely on automated testing and code review to catch malicious changes. But Cordyceps is engineered to look benign. The malicious code may be hidden in comments, unused functions, or configuration files that are not scrutinized as closely as core logic. It can also be disguised as a routine bug fix or performance improvement, making it easy for busy maintainers to approve without a second thought.

Security researchers first identified the Cordyceps pattern after noticing a series of suspicious pull requests in several high-profile repositories. These pull requests shared common characteristics: they came from seemingly legitimate contributors with past contributions and addressed real issues or added requested features, but they also contained subtle, hidden changes that, when triggered by the CI/CD pipeline, would execute unauthorized actions. The researchers have not disclosed the full technical details of how Cordyceps works, to prevent copycat attacks, but they have confirmed that it exploits trust in automated systems.

The term “mushrooming” used in early reports captures how quickly this threat is growing. Unlike traditional attacks that target a single vulnerability, Cordyceps exploits a structural weakness in the open-source ecosystem. As more projects adopt CI/CD pipelines and automated merge approvals, the attack surface expands. Each new project that trusts its automated pipeline is a potential entry point.

Affected Projects: Major Tools from Microsoft, Google, and More

The list of affected projects reads like a who’s who of modern software development. Microsoft’s Azure Sentinel, a cloud-native security information and event management (SIEM) platform, is among the targets. Google’s AI Agent Development Kit, which helps developers build AI-powered applications, is also vulnerable. Apache Doris, a real-time analytics database used for big data workloads, has been hit. Cloudflare’s Workers SDK, which lets developers run serverless code on Cloudflare’s edge network, is on the list. And the Python Software Foundation’s Black, a popular code formatter used by millions of Python developers, is affected as well.

These are not obscure hobby projects. They are core tools that thousands of developers rely on every day. Azure Sentinel helps security teams detect threats across entire organizations. Google’s AI Agent Development Kit is used to build intelligent applications that handle sensitive data. Apache Doris powers analytics at companies like Weibo and JD.com. Cloudflare Workers SDK runs code on the edge, close to users. And Black is a standard tool in many Python development workflows.

Because the attack targets the CI/CD pipeline itself, the damage is not limited to the project’s codebase. If an attacker successfully plants malicious code through Cordyceps, that code could be distributed to every user who installs or updates the software. For a tool like Black, which runs on developers’ machines and can modify code, the implications are severe. An attacker could inject vulnerabilities into the output of the formatter, affecting projects that trust Black to produce clean, safe code.

The researchers who discovered Cordyceps have not released a full list of affected organizations beyond those named in the initial report. It is likely that many other projects are vulnerable, especially those that rely on automated pull request merging or that have large numbers of external contributors. The attack does not require a breach of the main repository’s credentials. It only needs one compromised contributor account or one cleverly crafted pull request that passes the review process.

How Cordyceps Works: Exploiting Trust in Automated Systems

To understand Cordyceps, you need to understand how modern software development works. Most large projects use a CI/CD pipeline. When a developer submits a pull request, automated systems run tests, check for security issues, and build the software. If everything passes, the pull request can be merged automatically or with minimal human review. This system is built on trust: trust that the automated checks are thorough, trust that the code reviewer catches anything the bots miss, and trust that the contributor is not malicious.

Cordyceps attacks that trust from multiple angles. First, the attacker creates a pull request that looks normal. The code changes are small and focused on a real issue, like a bug fix or a minor feature addition. The automated tests pass. The code review notes no problems. The pull request is merged. But hidden inside the change is a subtle injection: a line that modifies a build script, a dependency that points to a malicious package, or a configuration that enables a backdoor.

Once merged, the malicious code does not activate immediately. It waits. It might only run in certain conditions, such as when the software is deployed to production, or when a specific API is called. This makes detection even harder. The code is not a simple virus that triggers on every execution. It is a sleeper agent, designed to blend in until the attacker decides to wake it.

The CI/CD pipeline itself becomes the vector. Because the pipeline runs with elevated privileges (it can deploy code to production, access secrets, and modify infrastructure), a successful Cordyceps attack can give the attacker a foothold deep inside the development environment. From there, they can steal credentials, inject further backdoors, or exfiltrate sensitive data.

This is not a theoretical risk. Researchers have observed Cordyceps in the wild targeting the very systems that are supposed to protect software supply chains. The attack is particularly effective because it exploits the automation that developers rely on to move fast. In the race to ship features, security reviews can become perfunctory. Automated tests are trusted to catch everything. Cordyceps exploits that trust.

Why Cordyceps Matters Now: The Evolving Software Supply Chain Threat

The Cordyceps attack comes at a time when software supply chain security is already under intense scrutiny. High-profile breaches like SolarWinds and Log4j have shown that a single compromised dependency can affect thousands of organizations. But those attacks targeted specific vulnerabilities in widely used components. Cordyceps is different. It targets the process itself.

Open-source projects are particularly vulnerable because they rely on volunteer maintainers who may not have the time or resources to thoroughly review every pull request. Many projects use automated tools to help manage the flood of contributions, but those tools can be fooled by a cleverly crafted attack. Cordyceps is designed to do exactly that.

The technique is also evolving. Earlier malicious pull request attacks were often crude, inserting obvious backdoors or malware that was quickly caught. Cordyceps is more sophisticated. It hides its payload in places that are not typically scanned, such as documentation files, test data, or configuration templates. It can also use legitimate features of the CI/CD system, like running scripts during build, to execute its payload without triggering alarms.

Another reason this matters now is the increasing adoption of AI-assisted coding tools. These tools can generate code that is syntactically correct but semantically subtle. An attacker could use AI to craft a malicious pull request that looks exactly like a normal contribution from a real developer. The code would pass all automated checks and even fool a human reviewer who is not looking carefully. Cordyceps shows that the threat landscape is evolving faster than the defenses.

For organizations using the affected projects, the risk is immediate. If an attacker has successfully planted a Cordyceps-style pull request in any of these tools, the malicious code could already be in production. The attack is hard to detect because it does not leave obvious traces. Standard vulnerability scanners may not catch it because the code is not a known malware signature. It is custom-built for each target.

Mitigation: How Developers Can Combat Cordyceps Malicious Pull Requests

There is no single fix for Cordyceps. The attack exploits a systemic weakness in how open-source projects manage contributions. But there are steps developers and organizations can take to reduce the risk.

First, review processes must be strengthened. Automated checks are not enough. Every pull request should be reviewed by at least one human who understands the code deeply. Reviewers should look not just at the changes themselves but at the context around them. Why was this change made? Does it touch sensitive parts of the system? Is there any reason to trust this contributor?

Second, CI/CD pipelines should be hardened. Secrets and credentials should never be exposed to build scripts that can be modified by pull requests. Pipeline permissions should be limited to only what is necessary. Build steps should be sandboxed so that even if malicious code runs, it cannot escape to other parts of the system.

Third, projects should consider using tools that detect anomalous changes in pull requests. These can flag changes that are unusually large, touch unexpected files, or come from new contributors with no history in the project. While no tool is perfect, adding layers of detection can make it harder for an attacker to slip through.

Fourth, the open-source community needs better ways to verify contributor identity. Many malicious pull requests come from accounts that appear legitimate but are actually fake or compromised. Projects should require two-factor authentication for contributors and use digital signatures for code changes where possible.

Finally, organizations should have incident response plans that cover supply chain attacks. If a malicious pull request is discovered, there must be a process to roll back the change, notify downstream users, and investigate the scope of the compromise. The speed at which Cordyceps can spread means that every hour of delay increases the damage.
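One way to act on the third recommendation above, and on the advice to scrutinize changes to build scripts, configuration files and dependency lists, is a review-queue scorer that ranks incoming pull requests by the warning signs the article lists. The block below is an added example, not code from the researchers or from any of the named projects; the file patterns, thresholds and the two pull requests it scores are assumptions constructed for the demonstration.

```python
"""Review-queue scorer for incoming pull requests: flags edits to build scripts,
CI/CD configuration and dependency manifests, unusually large diffs, unknown
contributors, and titles that do not match the files touched. Added example,
not the researchers' code; the PR metadata at the bottom is constructed."""
from dataclasses import dataclass
from fnmatch import fnmatch

# Paths where a one-line change alters what the pipeline executes (assumed set;
# extend with the project's own build and deployment files).
SENSITIVE_PATTERNS = {
    "pipeline": [".github/workflows/*", ".gitlab-ci.yml", "Jenkinsfile", ".circleci/*"],
    "build": ["Makefile", "setup.py", "build.gradle", "pom.xml", "*.sh", "scripts/*"],
    "deps": ["requirements*.txt", "pyproject.toml", "package.json",
             "package-lock.json", "go.mod", "Cargo.toml", "Cargo.lock"],
}
LARGE_DIFF_LINES = 400  # assumed threshold; tune per project
MIN_PRIOR_MERGED = 3    # assumed: fewer merged PRs counts as a new contributor
BENIGN_WORDS = ("docs", "typo", "readme", "comment", "whitespace")


@dataclass
class PullRequest:
    number: int
    title: str
    files: list        # paths touched by the diff
    added: int         # lines added
    removed: int       # lines removed
    prior_merged: int  # author's previously merged PRs in this repository


def classify_path(path):
    """Return the sensitive category a path belongs to, or None."""
    name = path.rsplit("/", 1)[-1]
    for category, patterns in SENSITIVE_PATTERNS.items():
        if any(fnmatch(path, p) or fnmatch(name, p) for p in patterns):
            return category
    return None


def triage(pr):
    """Return (score, reasons); a higher score needs closer human review."""
    reasons = []
    categories = {c for c in map(classify_path, pr.files) if c}
    reasons += [f"touches {c} files" for c in sorted(categories)]
    if pr.added + pr.removed > LARGE_DIFF_LINES:
        reasons.append("unusually large diff")
    if pr.prior_merged < MIN_PRIOR_MERGED:
        reasons.append("contributor has little history here")
    # A "typo"/"docs" title paired with pipeline or dependency edits is the
    # disguise the report describes, so it is scored on its own.
    if categories and any(w in pr.title.lower() for w in BENIGN_WORDS):
        reasons.append("title does not match sensitive files touched")
    return len(reasons) + (2 if "pipeline" in categories else 0), reasons


def review_queue(prs):
    """PR numbers ordered so the riskiest change is reviewed first."""
    return [pr.number for pr in sorted(prs, key=lambda p: -triage(p)[0])]


# Constructed sample input: one routine fix, one disguised pipeline change.
SAMPLE_PRS = [
    PullRequest(101, "Fix off-by-one in tokenizer",
                ["src/tokenizer.py", "tests/test_tokenizer.py"], 12, 4, 40),
    PullRequest(102, "Fix typo in README",
                ["README.md", ".github/workflows/ci.yml", "requirements.txt"], 9, 2, 0),
]
```

The score is a triage aid, not a verdict: a high score routes the change to a maintainer who knows the build and deployment files, while a zero score still gets the normal review.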

The discovery of Cordyceps is a wake-up call for the entire software industry. The open-source ecosystem runs on trust, but that trust must be backed by robust security practices. As attackers get smarter, the tools and processes that developers rely on must evolve to meet the threat. The code that builds our code must be as secure as the code we ship.

Researchers have not yet released detailed mitigation steps for the specific vulnerabilities exploited by Cordyceps. They are working with the affected organizations to develop patches. In the meantime, developers should treat every pull request with suspicion, especially those that make changes to build scripts, configuration files, or dependency lists. The quiet, silent invasion has already begun. It is up to the community to stop it before it spreads further.

Frequently Asked Questions

What is Cordyceps?

Cordyceps is a new class of malicious pull request attack that targets the CI/CD pipelines of developer tools. It involves submitting seemingly legitimate code changes that contain hidden malicious code designed to execute during the build or deployment process.

How does Cordyceps work?

Attackers craft pull requests that appear normal to human reviewers and automated tests. The malicious code is often hidden in comments, configuration files, or disguised as minor fixes. Once merged, it can execute when the CI/CD pipeline runs, potentially giving attackers deep access to development environments.

Which major projects are affected by Cordyceps?

Several high-profile projects have been affected, including Microsoft Azure Sentinel, Google AI Agent Development Kit, Apache Doris, Cloudflare Workers SDK, and the Python Black code formatter.

Why is Cordyceps dangerous?

It exploits the trust inherent in automated software development workflows, making it hard to detect. Successful attacks can lead to code injection, credential theft, and the distribution of malware to end-users through compromised tools.

How can developers protect themselves from Cordyceps?

Developers should strengthen manual code review processes, harden CI/CD pipelines by limiting permissions and sandboxing build steps, use tools to detect anomalous changes, and improve contributor identity verification.

Is Cordyceps a virus?

No, Cordyceps is not a traditional virus. It's an attack technique that leverages the software development process itself, specifically the merging of pull requests and the execution within CI/CD pipelines, to introduce malicious code.

Can standard security scanners detect Cordyceps?

Standard vulnerability scanners may not effectively detect Cordyceps because the malicious code is often custom-built and designed to blend in, rather than matching known malware signatures. Detection often relies on careful manual review and anomaly detection.

References

  • 'Cordyceps': Mushrooming Malicious Pull Requests Threaten Developer Workflows – Dark Reading – Original report that broke the story, detailing the Cordyceps threat and listing the affected organizations.

© 2026 The Byte Beam. All rights reserved.