AI bot hackerbot-claw breached six open source projects in two days

What Happened

Between February 27 and 28, 2026, a GitHub account called hackerbot-claw — created just eight days earlier on February 20 — executed a coordinated attack campaign against six high-profile open source repositories. The targets included projects maintained by Microsoft, DataDog, and the Cloud Native Computing Foundation (CNCF), as well as two of GitHub's most widely followed repositories: awesome-go (140,000+ stars) and trivy (25,000+ stars).

According to security firm StepSecurity, which disclosed the campaign publicly on March 1, 2026, the bot achieved remote code execution — meaning it ran its own code inside the target projects' automated pipelines — in at least four of the six repositories. From awesome-go, it exfiltrated a GitHub token granting write access to the repository, including the ability to push code and merge pull requests. The trivy repository, a tool used by developers worldwide to scan software containers for security vulnerabilities, was temporarily taken offline and had its published releases deleted after a full compromise. The bot's own README documentation catalogued a six-step attack methodology and a vulnerability pattern index covering nine categories and 47 sub-patterns. StepSecurity researchers Adnan Khan and Thierry Abalea identified the campaign and led the disclosure.

Only one target — ambient-code/platform — repelled the attack. Claude's built-in prompt injection detection (the defensive AI system the bot attempted to subvert) blocked the attempt in that case, according to StepSecurity.

Why It Matters

GitHub Actions is the automation system built into GitHub that developers use to automatically test, build, and deploy their software when code changes are made. These pipelines run in the cloud and routinely hold access to sensitive credentials — API keys, deployment tokens, and repository permissions that can unlock production systems. When a pipeline is misconfigured, an outside contributor can trigger it by submitting a code change, potentially running arbitrary commands inside the pipeline and stealing those credentials.

The specific vulnerability class hackerbot-claw exploited has been publicly documented since 2021. Independent research by Orca Security found roughly 1% of repositories they sampled were directly exploitable using this pattern — but with hundreds of thousands of known instances across public GitHub, thousands of repositories may carry the same exposure. As security researcher Adnan Khan noted in the Hacker News discussion of the disclosure: "Maintainers opt into these patterns without guardrails." GitHub changed default behavior for one of these patterns in December 2025, but existing misconfigured workflows require manual remediation and are not automatically protected.

What is new is the attacker. Previous campaigns targeting these vulnerabilities required human operators to manually identify and probe repositories. Hackerbot-claw demonstrates that an AI agent can autonomously cycle through the full attack chain — scanning repositories, identifying vulnerable workflow configurations, selecting from a documented exploit library, delivering a payload, and exfiltrating credentials — without human direction at each step. In one case, the bot also attempted to manipulate a separate AI code reviewer by modifying a project configuration file, an AI-attacks-AI escalation with no prior public precedent.

This campaign did not occur in isolation. A separate incident disclosed by Snyk in February 2026 — dubbed "Clinejection" — showed attackers injecting hidden commands into GitHub issue titles to trick an AI-powered coding tool into poisoning a software release pipeline, briefly exposing a malicious package to potentially 5 million users. The Snyk research team described the technique as "the next evolution of C2" — command-and-control infrastructure, the method attackers historically use to remotely direct compromised systems. If these attack patterns can be automated at this level of sophistication today, the frequency and scale of similar campaigns is likely to increase.