ctipilot.ch

Cordyceps — GitHub Actions pull_request_target pwn-request class

campaign · campaign:cordyceps-github-actions-pwn-request

Coverage timeline: 1 (first 2026-06-25 → last 2026-06-25)
Briefs: 1 (1 distinct)
Sources cited: 4 (4 hosts)
Sections touched: 1 (research)
Co-occurring entities: 1 (see Related entities below)

Story timeline

  1. 2026-06-25 · CTI Daily Brief — 2026-06-25
     research · First coverage. 300+ of ~30,000 scanned repos fully exploitable from one unauthenticated fork PR (Azure Sentinel, Google ADK, Apache Doris, Cloudflare, PSF Black); actions/checkout v7 mitigation.

Where this entity is cited

  • research (1)

Source distribution

  • github.blog: 1 (25%)
  • novee.security: 1 (25%)
  • securityweek.com: 1 (25%)
  • misp-project.org: 1 (25%)

Related entities

Items in briefs about Cordyceps — GitHub Actions pull_request_target pwn-request class (1)

"Cordyceps" — the GitHub Actions `pull_request_target` pwn-request class is still widely exploitable at scale

From CTI Daily Brief — 2026-06-25 · published 2026-06-25

Novee Security published "Cordyceps", an empirical study of a long-known but persistently unmitigated class of GitHub Actions CI/CD vulnerabilities (Novee Security, 2026-06-23 · SecurityWeek, 2026-06-24). The pattern: a workflow on the pull_request_target trigger (or a comment-triggered issue_comment workflow) runs with the base repository's GITHUB_TOKEN write permissions and secrets, yet checks out or otherwise consumes content from an untrusted fork PR, for example by checking out the PR head and running its build or test scripts, or by expanding a PR title or comment body inside a run: step. The attacker's code therefore executes in a privileged CI context (T1195.002). Of roughly 30,000 high-impact repositories scanned, 654 were flagged and more than 300 were confirmed fully exploitable, among them Microsoft (Azure Sentinel), Google (AI Agent Development Kit), Apache (Doris), Cloudflare (Workers SDK) and the Python Software Foundation (Black); exploitation requires only a free GitHub account and a single PR. Successful exploitation can yield the organisation's GitHub App key, cloud repository authority, or the ability to publish attacker-controlled packages to trusted registries. GitHub shipped actions/checkout v7 on 18 June with safer pull_request_target defaults that refuse to fetch fork-PR head commits in unsafe patterns (GitHub Changelog, 2026-06-18), but organisations pinning older action versions or running self-managed Enterprise Server are not yet protected, and the new defaults only govern the checkout step: a run: step that fetches the PR head itself with git or gh is unaffected. Audit .github/workflows/*.yml for pull_request_target and issue_comment triggers that check out ${{ github.event.pull_request.head.* }}, github.head_ref or refs/pull/*/merge, or that reference any ${{ github.event.pull_request.* }} or comment-body context in run:/env: steps; set permissions: contents: read by default (this narrows GITHUB_TOKEN but does not withhold repository secrets); and move anything that must build or test PR code onto the unprivileged pull_request trigger.
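The audit guidance above, as an added example that is not code from the brief, Novee Security or GitHub: a line-based heuristic scanner that flags privileged triggers combined with an untrusted checkout ref, an attacker-influenced event context in an expression, or a write-scoped token. It is run over two constructed workflows, one in the vulnerable shape and one with the same job moved to the unprivileged pull_request trigger. The regex patterns are the author's assumptions about how these keys appear in workflow files, and the output is a list of candidates for manual review, not a proof of exploitability.

```python
"""Heuristic audit for the GitHub Actions pull_request_target "pwn request" pattern.

Added example, not code from Novee Security, GitHub or the brief. It scans a
workflow file line by line (no YAML parser, so a bare stdlib suffices) and
reports candidates for manual review; it cannot prove exploitability. The
trigger, context and permission patterns are the author's assumptions, and the
two sample workflows at the bottom are constructed for illustration.
"""
from __future__ import annotations
import re
from dataclasses import dataclass

# Triggers that run fork-PR-driven jobs with the base repo's GITHUB_TOKEN and
# secrets. Matches "  pull_request_target:", "- issue_comment" and
# "on: [push, issue_comment]" forms.
PRIVILEGED_TRIGGER = re.compile(
    r"^\s*(?:-\s*)?(pull_request_target|issue_comment)\s*:?\s*$"
    r"|^\s*on:\s*\[?[^\]]*\b(pull_request_target|issue_comment)\b"
)
# A checkout "ref:" pointing at the fork PR's head (or its merge ref).
UNTRUSTED_REF = re.compile(
    r"^\s*ref:\s*.*(github\.event\.pull_request\.head|github\.head_ref|refs/pull/)"
)
# Attacker-influenced event contexts that the runner expands inline before the
# shell sees them: PR title/body/branch, comment bodies, issue fields.
UNTRUSTED_CONTEXT = re.compile(
    r"\$\{\{[^}]*github\.(event\.(pull_request|comment|issue|review)\b|head_ref)"
)
# Any known permission scope set to write (or write-all) widens the token.
WRITE_SCOPE = re.compile(
    r"^\s*(permissions\s*:\s*write-all|"
    r"(actions|checks|contents|deployments|id-token|issues|packages|pages|"
    r"pull-requests|repository-projects|security-events|statuses)\s*:\s*write)\s*$"
)


@dataclass(frozen=True)
class Finding:
    kind: str      # "untrusted-checkout" | "untrusted-context" | "write-token"
    line_no: int   # 1-based line within the workflow file
    text: str


def strip_comment(line: str) -> str:
    """Drop a YAML comment so a commented-out trigger or step does not count."""
    return re.sub(r"(^|\s)#.*$", "", line).rstrip()


def uses_privileged_trigger(workflow: str) -> bool:
    return any(PRIVILEGED_TRIGGER.match(strip_comment(ln)) for ln in workflow.splitlines())


def audit_workflow(workflow: str) -> list[Finding]:
    """Return review candidates. A workflow on unprivileged triggers yields none:
    the class under discussion needs the write token and secrets that only the
    privileged triggers hand to a fork-driven run."""
    if not uses_privileged_trigger(workflow):
        return []
    findings: list[Finding] = []
    for no, raw in enumerate(workflow.splitlines(), start=1):
        line = strip_comment(raw)
        if UNTRUSTED_REF.search(line):
            findings.append(Finding("untrusted-checkout", no, line.strip()))
        elif UNTRUSTED_CONTEXT.search(line):
            findings.append(Finding("untrusted-context", no, line.strip()))
        if WRITE_SCOPE.match(line):
            findings.append(Finding("write-token", no, line.strip()))
    return findings


# Constructed sample, the vulnerable shape: privileged trigger, write token, the
# fork's head checked out and its package scripts run, and a PR title
# interpolated straight into a shell command.
VULNERABLE = """\
name: ci
on:
  pull_request_target:
permissions:
  contents: write
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm ci && npm test   # executes the fork's package.json scripts
      - run: echo "Testing ${{ github.event.pull_request.title }}"
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
"""

# Constructed sample, the hardened shape: the same job on the unprivileged
# pull_request trigger, read-only token, default (merge commit) checkout, and
# attacker text reaching the shell only through an environment variable.
HARDENED = """\
name: ci
on:
  pull_request:
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test
      - run: echo "Testing $PR_TITLE"
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
"""

if __name__ == "__main__":
    for name, wf in (("VULNERABLE", VULNERABLE), ("HARDENED", HARDENED)):
        print(name, [(f.kind, f.line_no) for f in audit_workflow(wf)])
```

Run it against a checkout of a repository's .github/workflows directory by feeding each file's text to audit_workflow; a hit on "untrusted-checkout" under a privileged trigger is the exact shape the brief describes and should be triaged first, while "untrusted-context" hits need a look at whether the expanded value can reach a shell or a script argument.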