Supply-chain securityCordyceps: when a stranger's pull request runs as a maintainer
Researchers at Novee catalogue Cordyceps, a class of CI/CD supply-chain exploit where pull requests and comments from untrusted contributors get executed with maintainer permissions. A scan of 30,000 high-impact repositories flagged 654 candidates and confirmed over 300 as fully exploitable, with named blast radius inside Microsoft, Google, Apache and Cloudflare.