Security researchers at Novee Security have disclosed a systemic class of CI/CD vulnerabilities in GitHub Actions dubbed "Cordyceps," which allows unauthenticated attackers using free GitHub accounts to hijack build pipelines, steal credentials, and push malicious code. By scanning roughly 30,000 high-impact repositories, the team identified 654 flagged projects and confirmed more than 300 as fully exploitable, including critical infrastructure from Microsoft, Google, Apache, Cloudflare, and the Python Software Foundation. The flaw stems from insecure YAML configurations that let external inputs like pull request comments cross trust boundaries into high-privilege workflows, enabling attackers to forge approvals and compromise software supply chains for downstream consumers. While all confirmed vulnerabilities have been patched by the affected organizations, researchers warn that AI coding agents are increasingly spreading these same insecure patterns across major ecosystems like npm, PyPI, and Go.