'Cordyceps': Mushrooming Malicious Pull Requests Threaten Developer Workflows
Summary
A new supply chain attack dubbed 'Cordyceps' exploits weaknesses in CI/CD workflows by submitting malicious pull requests. This attack has impacted several prominent projects, including Microsoft's Azure Sentinel, Google's AI Agent Development Kit, Apache Doris, Cloudflare's Workers SDK, and the Python Software Foundation's Black.
IFF Assessment
This attack vector targets the software development lifecycle itself: a malicious pull request that is built or executed by an automated CI/CD workflow can inject code into widely used tools and services, posing a significant threat to the organizations that depend on them.
Defender Context
Defenders need to be vigilant about supply chain attacks that leverage CI/CD pipelines, as these can compromise the integrity of software used by many organizations. Implementing robust code review processes, dependency scanning, and verifying the authenticity of code submissions are crucial mitigation strategies.