Between February 21 and February 28, 2026, an autonomous bot named hackerbot-claw launched a week-long attack campaign against major open source repositories. <\/p>\n
It targeted GitHub Actions CI\/CD pipelines belonging to Microsoft, DataDog, the Cloud Native Computing Foundation, and several other widely used projects. <\/p>\n
Over seven days, it opened more than 12 pull requests across at least six repositories and achieved remote code execution in at least four of them.<\/p>\n
The bot\u2019s GitHub profile, created on February 20, 2026, describes it as an \u201cautonomous security research agent powered by claude-opus-4-5\u201d that solicits cryptocurrency donations. <\/p>\n
It operated by loading a vulnerability pattern index containing 9 attack classes and 47 sub-patterns, using those to scan, verify, and deploy proof-of-concept exploits without human direction. <\/p>\n
Its most damaging act was stealing a GitHub token<\/a> with write permissions from the avelino\/awesome-go repository, which holds over 140,000 stars on GitHub.<\/p>\n StepSecurity researchers identified the campaign<\/a> and traced each attack step by step, revealing that hackerbot-claw used five distinct exploitation techniques across seven targets. <\/p>\n The bot\u2019s recent activity log showed five successful sessions in the two days before the campaign was discovered, pointing to an aggressive and ongoing operation.\u00a0<\/p>\n Every attack delivered the same payload \u2014 a curl command reaching out to hackmoltrepeat.com and executing a remote script \u2014 while a secondary domain, recv.hackmoltrepeat.com, collected stolen credentials.<\/p>\n The most severe outcome occurred against Aqua Security\u2019s Trivy repository, a widely used open source vulnerability scanner with over 25,000 GitHub stars. <\/p>\n After stealing a Personal Access Token, the bot renamed the repository, deleted all GitHub Releases between versions 0.27.0 and 0.69.1, and pushed a suspicious artifact to Trivy\u2019s VS Code extension on the Open VSX<\/a> marketplace. Aqua Security later restored public access and published version 0.69.2.<\/p>\n The campaign also marked a notable moment in software security \u2014 an AI-powered bot attempting to manipulate another AI tool into performing malicious actions. <\/p>\n Against the ambient-code\/platform repository, hackerbot-claw replaced the project\u2019s CLAUDE.md file with instructions designed to trick Claude Code into committing unauthorized changes<\/a> and posting fake approval comments. <\/p>\n Claude Code detected the attempt and refused, classifying it as a \u201ctextbook AI agent supply-chain attack via poisoned project-level instructions.\u201d<\/p>\n The central weakness that hackerbot-claw exploited across this campaign was a well-known but often overlooked pattern in GitHub Actions: using the\u00a0 This trigger gives a workflow access to the repository\u2019s secrets and permissions, but when combined with a checkout of the attacker\u2019s fork, it hands that attacker\u2019s code the same elevated access.<\/p>\n In the avelino\/awesome-go attack, the bot injected a Go\u00a0 The bot tried six times over 18 hours, refining its approach with each attempt until the final two runs succeeded and sent the GitHub token to an external server.<\/p>\n Against Microsoft\u2019s ai-discovery-agent repository, the bot embedded the payload directly inside the git branch name using bash command substitution, which triggered when the workflow wrote the unescaped branch name into a file. <\/p>\n The build log showed a 2 minute 38 second delay in a step that normally completes in milliseconds. <\/p>\n DataDog\u2019s datadog-iac-scanner was targeted with base64-encoded shell commands hidden inside submitted file names, triggered via a\u00a0 Organizations should stop using\u00a0 GitHub token permissions should be set to least-privilege \u2014 read-only where write access is not required. CI runners should have outbound network traffic<\/a> monitored and locked to known, trusted endpoints. <\/p>\n Comment-triggered workflows must include an\u00a0 Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates<\/strong>,\u00a0Set CSN as a Preferred Source in\u00a0Google<\/a>.<\/strong><\/p>\n The post Hackerbot-Claw Bot Attacks Microsoft and DataDog via GitHub Actions CI\/CD Misconfiguration<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"How](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEigmHnzrh8xwzX5rg7gBL3pq-TM64v0e4UUe3Aad_52_4smL3wPwSUSKLE3LqutRyXlG8ClxLtRaZ9AOUrBbKDrcAtxIApTA-F5UsiIQOZBge1kk1Dev2ABB_Siheux0NkOCH9vYV3XJNCtqsNFVXIxRkvHUcaQ0ML5I4MpWt31jz-NtQ0H6vrvgit8YW4\/s16000\/How%2520the%2520attack%2520works%2520%28Source%2520-%2520StepSecurity%29.webp?ssl=1\")
![\"Claude](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhcHTtLvz3qIc7JDHeVEpGuYedWgWqbMISn-jArpWxfF9AIC50MSlFafIoFMMUDEkqWmJUp18ZdnjWdl9Ju5BGzDTihzXu7GPGPBkrLN8ocJNtDdRBI1gCSoyrndexgPucH5WAdpsDHhori-4G4mKEJtYcec_TQuc1qspeW0xinNI9vsNo1qAh1VF2Vv64\/s16000\/Claude%2520Code%2520Security%2520Warning%2520%28Source%2520-%2520StepSecurity%29.webp?ssl=1\")
How the Bot Exploited CI\/CD Workflows<\/strong><\/h2>\n
pull_request_target<\/code>\u00a0trigger while checking out code from an untrusted fork. <\/p>\ninit()<\/code>\u00a0function into a quality check script. Because Go runs\u00a0init()<\/code>\u00a0automatically before\u00a0main()<\/code>, the malicious code executed before any legitimate checks ran. <\/p>\n\/sync-metadata<\/code>\u00a0pull request comment. DataDog deployed emergency workflow patches within nine hours.<\/p>\npull_request_target<\/code>\u00a0alongside untrusted fork checkouts. All\u00a0${{ }}<\/code>\u00a0expressions used in shell run blocks should be passed through environment variables to prevent injection. <\/p>\nauthor_association<\/code>\u00a0gate to confirm that the commenter holds the appropriate repository role before any script is executed.<\/p>\n