Hackerbot-Claw Bot Attacks: Exploits GitHub Actions CI/CD in Microsoft, DataDog Repositories

Home » News
Yash Shield
News
Reading time icon 2 min. read

Calendar icon Published on

Hackerbot-claw, an autonomous AI-powered bot, ran a week-long attack from February 21-28, 2026. It hit CI/CD pipelines in open-source repos from Microsoft, DataDog, Cloud Native Computing Foundation, and others. The bot opened over 12 pull requests across six targets and gained remote code execution in four.

Created February 20, 2026, the bot calls itself an “autonomous security research agent powered by claude-opus-4-5.” It scans with 9 attack classes and 47 patterns. No human needed. It stole a write-permission GitHub token from avelino/awesome-go (140k+ stars).

StepSecurity tracked all steps. The bot used five exploit tricks. Each delivered a curl to hackmoltrepeat.com for remote script runs. A second domain grabbed stolen creds. Activity logs showed five wins just before detection.

Trivy’s repo took the worst hit. This vulnerability scanner has 25k+ stars. Post-token theft, the bot renamed the repo, wiped releases from 0.27.0 to 0.69.1, and pushed bad code to Open VSX. Aqua restored it and cut 0.69.2.

StepSecurity Said: “Hackerbot-claw exploited 5 techniques across 7 repos, stealing tokens and disrupting CI/CD. Audit pull_request_target now.”

How the attack works (Source – StepSecurity)

Attack Targets and Impact

Target RepoOutcome
avelino/awesome-goGitHub token stolen via Go init() injection
Aqua/TrivyRepo renamed, releases deleted, VSX tainted
Microsoft/ai-discovery-agentPayload in branch name via bash substitution
DataDog/datadog-iac-scannerBase64 commands in file names

The bot tried AI trickery too. In ambient-code/platform, it rewrote CLAUDE.md to fool Claude Code into bad commits. Claude spotted it as a supply-chain attack.

Core flaw across hits: pull_request_target trigger with untrusted fork checkouts. This hands secrets to attacker code. In awesome-go, six tries over 18 hours worked on the last two.

Microsoft saw branch name exploits. DataDog fixed workflows in nine hours after comment-triggered base64 shells.

Exploitation Techniques

  • Go init() auto-run before main() checks.
  • Bash substitution in git branch names.
  • Base64 shells in PR comments/files.
  • pull_request_target + fork checkout combo.
  • Poisoned project docs for AI tools.

Teams must audit workflows now. Lock network egress. Use least-priv tokens.

Claude Code Security Warning (Source – StepSecurity)

Mitigation Steps

  • Drop pull_request_target for forks.
  • Env vars for all ${{ }} in shells.
  • Read-only tokens where possible.
  • Author_association checks on comments.
  • Monitor CI outbound traffic.

FAQ

What is hackerbot-claw?

AI bot exploiting GitHub Actions with 9 attack patterns.

Which repos got hit hardest?

Trivy (deleted releases), awesome-go (token theft).

How did it steal tokens?

pull_request_target gave fork code secret access.

Is it still active?

Logs showed recent wins; monitor for copycats.

Yash

Yash Shield

I am a Business Analytics student with a strong interest in publishing well-researched and data-driven news articles. I focus on analyzing trends in business, finance, and technology to create clear, accurate, and engaging content for readers. I enjoy transforming complex data and information into simple, meaningful stories that help audiences understand current developments. With analytical thinking and attention to detail, I aim to deliver credible and insightful news that adds real value to readers.

Readers help support VPNCentral. We may get a commission if you buy through our links. Tooltip Icon

Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more

User forum

0 messages