Researchers Detail GitHub Actions CI Pattern That Evades Common Security Scanners

Security researchers have identified a GitHub Actions weakness that can remain invisible to standard CI security tools because the problem lies not in a single workflow file, but in how multiple workf...

Security researchers have identified a GitHub Actions weakness that can remain invisible to standard CI security tools because the problem lies not in a single workflow file, but in how multiple workflows interact.

In June 2026, Novee Security said it reviewed about 30,000 high-value repositories across npm, PyPI, crates.io and Go projects and found 654 potentially affected cases. More than 300 were confirmed to be exploitable. The issue, dubbed Cordyceps, affected build pipelines used by major organizations including Microsoft, Google, Apache, Cloudflare and the Python Software Foundation.

According to the researchers, attackers only needed a free GitHub account to begin abusing the pattern. The danger appeared when workflows designed for untrusted pull requests were combined with higher-privilege workflows that could access secrets or write permissions. GitHub Security Lab has described similar abuse paths as a pwn request.

How the attack works

The report highlights three common paths to compromise:

  • Command injection when attacker-controlled values are inserted directly into shell commands.
  • Code injection when workflow scripts evaluate untrusted input as JavaScript.
  • Cross-workflow privilege escalation when data from a low-trust job is consumed by a later, privileged job.

Because each individual workflow file can appear valid on its own, scanners that inspect one file at a time may not flag the risk. Novee’s point is that the flaw emerges from the connection between workflows, not from a single malformed line.

The researchers cited examples involving Microsoft’s Azure Sentinel repository, where a pull request comment could trigger code execution in CI and expose a GitHub App key, and Google’s AI Agent Development Kit sample project, where a similar chain could lead to broad cloud access. Apache Doris was also reported to have had a related issue that was later fixed.

Novee said it found no evidence the technique was used in active attacks. Still, the report warns that AI-assisted development may amplify the problem by generating insecure workflow patterns at scale. Recommended defenses include using pull_request instead of pull_request_target for untrusted contributions, limiting default token permissions, pinning third-party actions to commit SHAs, and requiring manual approval before privileged jobs run.