Cordyceps flaws in GitHub Actions enable unauthenticated repo takeovers across 654 scanned projects
Systemic CI/CD composition errors in open source workflows expose millions of repositories to takeover. Novee evidence shows unauthenticated escalation from PRs to cloud credentials in major projects. Industry pattern of agentic code generation amplifies the risk beyond isolated CVEs.
The defects stem from untrusted inputs crossing trust boundaries in workflow composition: pull request comments or forks invoke jobs that output to high-privilege steps authenticating to AWS, GCP or package registries. Scans flagged 654 repositories with command injection, artifact poisoning and self-hosted runner compromise paths; 300+ permitted full code execution or credential exfiltration without membership. Affected projects include Azure Sentinel, Google AI Agent Kit, Apache Doris, Cloudflare Workers SDK and PSF Black, all using patterns auto-generated by agentic coding tools. Traditional scanners miss these because each YAML fragment validates individually while the data flow does not. Evidence appears in public .github/workflows files across the supply chain, confirming the pattern predates any single disclosure. This matches prior incidents where CI scripts were treated as non-code despite holding signing keys and publish tokens. The composition failure scales because agentic tools reproduce the same insecure templates into thousands of downstream forks and dependents. Next, maintainers must treat workflow files as security-critical code requiring explicit input sanitization and least-privilege job separation rather than relying on GitHub's default PR triggers.
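The data-flow check that per-fragment YAML validation misses can be approximated by asking whether an attacker-chosen context field is expanded inside a `run:` script of a workflow that fires on untrusted events. The following is an added example, not code from Novee or the cited sources; the trigger list, the context-field list, the `COMMENT_BODY` variable, the `/deploy` command and both sample workflows are constructed assumptions, and the scan is a text heuristic rather than a full YAML parser.

```python
import re

# Triggers that run on input from non-members (heuristic: name appears anywhere in the file).
UNTRUSTED_TRIGGERS = ("pull_request_target", "issue_comment", "workflow_run")
# Context fields whose text is chosen by whoever opened the PR, issue or comment.
UNTRUSTED_EXPR = re.compile(r"\$\{\{\s*(github\.head_ref|github\.event\.(?:comment\.body"
                            r"|issue\.(?:title|body)|pull_request\.(?:title|body|head\.ref)))\s*\}\}")
RUN_KEY = re.compile(r"^(\s*(?:-\s+)?)run:\s*(.*)$")

def find_injection_sinks(workflow_text):
    """Return (line_no, expression) pairs for untrusted fields expanded inside run: scripts."""
    if not any(re.search(rf"\b{t}\b", workflow_text) for t in UNTRUSTED_TRIGGERS):
        return []
    findings, run_col = [], None
    for no, line in enumerate(workflow_text.splitlines(), 1):
        indent = len(line) - len(line.lstrip())
        m = RUN_KEY.match(line)
        if m:
            run_col, script = len(m.group(1)), m.group(2)   # column of the run: key
        elif run_col is not None and (indent > run_col or not line.strip()):
            script = line                                    # body of a block scalar
        else:
            run_col = None                                   # left the run: step
            continue
        findings += [(no, expr) for expr in UNTRUSTED_EXPR.findall(script)]
    return findings

# Constructed samples: comment body pasted into the script, then passed as data via env.
VULNERABLE = """\
on: issue_comment
jobs:
  parse:
    runs-on: ubuntu-latest
    permissions: {id-token: write}   # job can request cloud credentials
    steps:
      - run: echo "cmd=${{ github.event.comment.body }}" >> "$GITHUB_OUTPUT"
"""
HARDENED = """\
on: issue_comment
jobs:
  parse:
    runs-on: ubuntu-latest
    permissions: {}
    steps:
      - env:
          COMMENT_BODY: ${{ github.event.comment.body }}
        run: |
          if [ "$COMMENT_BODY" = "/deploy" ]; then echo "cmd=deploy" >> "$GITHUB_OUTPUT"; fi
"""
```

`find_injection_sinks(VULNERABLE)` reports line 7, while the hardened form returns no findings because the same expression only appears under `env:`, where it reaches the shell as a quoted variable and the job holds no token permissions.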
Novee: 2000+ additional repositories will show exploitable Cordyceps patterns within 90 days of public scanner release
Sources (2)
- [1] Primary Source (https://www.securityweek.com/exploitable-ci-cd-vulnerabilities-expose-millions-of-repositories-to-hijacking/)
- [2] Supporting Source (https://github.com/advisories)