Hackerbot-Claw Bot Attacks Microsoft and DataDog via GitHub Actions CI/CD Misconfiguration

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

Between February 21 and February 28, 2026, an autonomous bot named hackerbot-claw launched a week-long attack campaign against major open source repositories.

It targeted GitHub Actions CI/CD pipelines belonging to Microsoft, DataDog, the Cloud Native Computing Foundation, and several other widely used projects.

Over seven days, it opened more than 12 pull requests across at least six repositories and achieved remote code execution in at least four of them.

The bot’s GitHub profile, created on February 20, 2026, describes it as an “autonomous security research agent powered by claude-opus-4-5” that solicits cryptocurrency donations.

It operated by loading a vulnerability pattern index containing 9 attack classes and 47 sub-patterns, using those to scan, verify, and deploy proof-of-concept exploits without human direction.

Its most damaging act was stealing a GitHub token with write permissions from the avelino/awesome-go repository, which holds over 140,000 stars on GitHub.

StepSecurity researchers identified the campaign and traced each attack step by step, revealing that hackerbot-claw used five distinct exploitation techniques across seven targets.

The bot’s recent activity log showed five successful sessions in the two days before the campaign was discovered, pointing to an aggressive and ongoing operation. 

How the attack works (Source – StepSecurity)

Every attack delivered the same payload — a curl command reaching out to hackmoltrepeat.com and executing a remote script — while a secondary domain, recv.hackmoltrepeat.com, collected stolen credentials.

The most severe outcome occurred against Aqua Security’s Trivy repository, a widely used open source vulnerability scanner with over 25,000 GitHub stars.

After stealing a Personal Access Token, the bot renamed the repository, deleted all GitHub Releases between versions 0.27.0 and 0.69.1, and pushed a suspicious artifact to Trivy’s VS Code extension on the Open VSX marketplace. Aqua Security later restored public access and published version 0.69.2.

The campaign also marked a notable moment in software security — an AI-powered bot attempting to manipulate another AI tool into performing malicious actions.

Against the ambient-code/platform repository, hackerbot-claw replaced the project’s CLAUDE.md file with instructions designed to trick Claude Code into committing unauthorized changes and posting fake approval comments.

Claude Code Security Warning (Source – StepSecurity)

Claude Code detected the attempt and refused, classifying it as a “textbook AI agent supply-chain attack via poisoned project-level instructions.”

How the Bot Exploited CI/CD Workflows

The central weakness that hackerbot-claw exploited across this campaign was a well-known but often overlooked pattern in GitHub Actions: using the pull_request_target trigger while checking out code from an untrusted fork.

This trigger gives a workflow access to the repository’s secrets and permissions, but when combined with a checkout of the attacker’s fork, it hands that attacker’s code the same elevated access.

In the avelino/awesome-go attack, the bot injected a Go init() function into a quality check script. Because Go runs init() automatically before main(), the malicious code executed before any legitimate checks ran.

The bot tried six times over 18 hours, refining its approach with each attempt until the final two runs succeeded and sent the GitHub token to an external server.

Against Microsoft’s ai-discovery-agent repository, the bot embedded the payload directly inside the git branch name using bash command substitution, which triggered when the workflow wrote the unescaped branch name into a file.

The build log showed a 2 minute 38 second delay in a step that normally completes in milliseconds.

DataDog’s datadog-iac-scanner was targeted with base64-encoded shell commands hidden inside submitted file names, triggered via a /sync-metadata pull request comment. DataDog deployed emergency workflow patches within nine hours.

Organizations should stop using pull_request_target alongside untrusted fork checkouts. All ${{ }} expressions used in shell run blocks should be passed through environment variables to prevent injection.

GitHub token permissions should be set to least-privilege — read-only where write access is not required. CI runners should have outbound network traffic monitored and locked to known, trusted endpoints.

Comment-triggered workflows must include an author_association gate to confirm that the commenter holds the appropriate repository role before any script is executed.
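The recommendations above can be turned into a pre-merge check on workflow files. The following is an added example, not code from StepSecurity or any project named in the article: a line-based heuristic (not a full YAML parser) in which the function name, rule names and sample workflow are all constructed for illustration.

```python
import re

# Constructed sample workflow for illustration; not taken from any repository.
SAMPLE_WORKFLOW = """\
on:
  pull_request_target:
  issue_comment:
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: echo "${{ github.head_ref }}" > branch.txt
      - env:
          BRANCH: ${{ github.head_ref }}
        run: echo "$BRANCH" > branch.txt
"""

# Attacker-influenced expression contexts (heuristic list, not exhaustive).
UNTRUSTED = re.compile(
    r"\$\{\{\s*(?:github\.head_ref|github\.event\.(?:pull_request|comment|issue)\.[\w.]+)")
HEAD_REF = re.compile(r"github\.head_ref|github\.event\.pull_request\.head\.|refs/pull/")

def audit_workflow(text):
    """Return sorted (line_no, rule) findings; line_no 0 means file-level."""
    findings = set()
    has_prt = re.search(r"\bpull_request_target\b", text) is not None
    run_indent = None  # indent of an open multi-line `run:` block
    for no, line in enumerate(text.splitlines(), 1):
        indent = len(line) - len(line.lstrip())
        m = re.match(r"\s*(?:-\s+)?run:\s*(.*)", line)
        if m:
            run_indent = indent if m.group(1)[:1] in ("|", ">") else None
        elif run_indent is not None and line.strip() and indent <= run_indent:
            run_indent = None  # dedent closes the block scalar
        if (m or run_indent is not None) and UNTRUSTED.search(line):
            findings.add((no, "script-injection"))
        if has_prt and re.match(r"\s*ref:", line) and HEAD_REF.search(line):
            findings.add((no, "untrusted-checkout"))
    if not re.search(r"^\s*permissions:", text, re.M):
        findings.add((0, "no-explicit-permissions"))
    if re.search(r"\bissue_comment\b", text) and "author_association" not in text:
        findings.add((0, "ungated-comment-trigger"))
    return sorted(findings)

if __name__ == "__main__":
    print(*audit_workflow(SAMPLE_WORKFLOW), sep="\n")
```

The last step in the sample is not flagged: the branch name reaches the shell as the value of an environment variable rather than being expanded into the script text.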
