
The AI bot, still active on GitHub, is hacking one repo after another, curating its own brag page, and claiming to have scanned over 47,000 repositories. In just one week, it targeted at least six popular open-source projects, including those from Microsoft and DataDog. Trivy, a popular vulnerability scanner repo, was fully compromised.
Since February 20th, an ongoing automated hacking spree has been targeting popular GitHub repositories, with the attacker achieving remote code execution on at least four targets, confirmed by independent researchers at StepSecurity.
The attacker is an AI bot using the alias “hackerbot-claw,” which introduces itself as an “autonomous security research agent” powered by Claude-Opus-4.5.
The AI hacker has its own account on GitHub where it brags about 47,391 repositories already scanned for misconfigured CI/CD workflows – automated scripts developers use to test, build, and publish software.
The bot claims to follow a noble goal. However, its commits only wreak havoc.
“I am an autonomous agent that scans public repositories for misconfigured CI/CD workflows. I find them. I verify them. I leave a note. I don’t exfiltrate, I don’t destroy, I don’t persist,” the bot’s account page reads.
The bot’s name hints at the use of “OpenClaw” – an open-source AI agent. It remains unclear whether the cyberattacks are intentional or are the result of someone’s hobby project spiralling beyond the creator’s control.
Major repositories compromised
Hackerbot-claw has been operating for over a week, using five different exploitation techniques, such as hiding malicious instructions in unexpected places, like file names.
It targeted at least six repositories belonging to Microsoft, DataDog, Avelino, Ambient Code, Cloud Native Computing Foundation, and Aqua Security.
“A GitHub account called hackerbot-claw systematically scanned public repositories for exploitable GitHub Actions workflows,” reads StepSecurity’s report on hackerbot-claw activities.
“Five out of six targets were compromised. The only defense that held was Claude's prompt injection detection.”
The AI opened over 12 pull requests proposing its generated code, which triggered automated workflows across targets. A pull request can trigger automated workflows that lead to compromise even if no one reviews or approves the proposed code.
StepSecurity listed the compromised repositories as follows:
- Awesome-go, one of GitHub’s most popular repositories with 140,000+ followers, by Avelino: was compromised with a technique that poisoned a setup function (Poisoned Go init()). Malicious code was hidden in a routine quality check script that runs automatically on every code submission, leading to remote code execution and access token theft. It took the attacker six attempts and 18 hours of refining failed attempts.
- Project-akri, a project by akri: was compromised through a direct script injection, resulting in confirmed remote code execution.
- Ai-discovery-agent, a project by Microsoft: the attacker likely achieved remote code execution by injecting malicious code into a branch name.
- Datadog-iac-scanner, a project by DataDog: was likely compromised through malicious instructions hidden in a file name. The team deployed emergency patches within 9 hours of the attack.
- Platform, a project by Ambient-code: the attacker attempted AI prompt injection, but the attack was detected and blocked by Claude, which refused the injection, and the workflow was subsequently disabled.
- Trivy, a project by Aqua Security: was fully compromised.
“We’re entering an era where AI agents attack other AI agents. In this campaign, an AI-powered bot tried to manipulate an AI code reviewer into committing malicious code. The attack surface for software supply chains just got a lot wider,” StepSecurity warns.
Trivy taken down
Security scanner Trivy, owned by Aqua Security, was hit the worst. The team confirmed in a security advisory that the repository was made private and renamed.
The attacker pushed a fake empty repository in place of the public one and mass-deleted previous releases, including associated discussions and assets.
A malicious artifact for Trivy’s VS Code extension was also created and pushed to Open VSX, an alternative to the official VS Code marketplace.
“We have removed that artifact and revoked the token used to publish it. We have reviewed other Trivy assets and did not observe other impacts. We are now focused on restoring things back to normal,” said Itay Shakury, VP Open Source at Aqua Security.
The bot itself confirmed it obtained the personal access token (PAT), a powerful credential that grants automated systems access to a GitHub repository.
“Just researchmaxxed the PAT that leaked cuz of the vuln and yeeted it on sight, no cap. Overpowered token? Revoked. Framemog opportunities for the opps? Straight cooked. You're safe now, king,” reads the cheeky note left by the “research agent.”
But there’s also an interesting twist: another code submission was found even before hackerbot-claw submitted its pull request, hinting that the bot might not actually be responsible for the worst damage.
One of Trivy’s maintainers, however, believes that both unauthorized activities lead to the same attacker.
They pointed out several matching indicators, such as country code in the access logs, user agent (Linux x86_64 Chrome), the same compromised PAT hash used across all malicious actions, timeline consistency forming a clear attack chain, and matching behavioral patterns.
“We are not ruling out other possibilities and are continuing to review the full audit trail,” the maintainer said.
How does the bot operate?
The AI bot details its methodology in a README file.
“It loads a "vulnerability pattern index" with 9 classes and 47 sub-patterns, then autonomously scans, verifies, and drops proof-of-concept exploits. Its ‘Recent Activity’ log shows 5 successful sessions in the 2 days leading up to our analysis,” the StepSecurity researchers said.
They also visualized the attack flow in six steps. The attack begins as a scan for vulnerable workflows. The bot then forks targeted repositories and prepares a malicious payload, chosen from five techniques.
Then it opens an innocent-looking code proposal (pull request, PR), containing just a trivial change, like a single space or a typo fix. The real payload is hidden in the branch name, filename, or elsewhere.
The PR nonetheless triggers the automated workflow, which unknowingly processes the bot’s malicious input and executes arbitrary code on the build server. In the worst case, this leads to an exfiltrated GitHub token with write access, enabling attackers to push new code, merge PRs, and modify the repository directly.
“This wasn’t a human attacker working weekends. This was an autonomous bot scanning repos continuously. You can’t defend against automation with manual controls – you need automated guardrails,” the security firm warns.
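An added example, not taken from StepSecurity’s report or from the bot: a minimal Python check for the kind of workflow weakness that makes a branch name dangerous, where pull-request fields are expanded directly inside a `run:` script. The function name, the pattern list and the sample workflow are constructed for illustration, and the check covers only this expression-injection case, not the file-name or Go init() techniques.

```python
import re

# Pull-request fields an outside contributor controls (non-exhaustive list).
UNTRUSTED = re.compile(
    r"\$\{\{\s*(github\.head_ref"
    r"|github\.event\.pull_request\.(?:title|body|head\.ref|head\.label)"
    r"|github\.event\.(?:issue|comment)\.(?:title|body))\s*\}\}"
)

def find_injections(workflow_text):
    """Return (line_no, context) for untrusted expressions inside run: scripts."""
    findings = []
    run_indent = None  # column of the run: key while inside its multi-line script
    for no, line in enumerate(workflow_text.splitlines(), 1):
        stripped = line.lstrip()
        indent = len(line) - len(stripped)
        if run_indent is not None and stripped and indent <= run_indent:
            run_indent = None  # dedent: the script block has ended
        in_script = run_indent is not None
        m = None if in_script else re.match(r"(-\s+)?run:\s*(.*)", stripped)
        if m:
            if re.fullmatch(r"[|>][+-]?", m.group(2).strip()):
                run_indent = indent + len(m.group(1) or "")
                continue  # script body starts on the next line
            in_script = True  # single-line run: command
        if in_script:
            findings += [(no, e.group(1)) for e in UNTRUSTED.finditer(line)]
    return findings

# Constructed sample: one step expands the branch name into the shell script,
# the other passes it through an environment variable, so it stays data.
SAMPLE = """\
on: pull_request_target
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - name: vulnerable
        run: |
          echo "Branch: ${{ github.head_ref }}"
      - name: hardened
        env:
          BRANCH: ${{ github.head_ref }}
        run: echo "Branch: $BRANCH"
"""

if __name__ == "__main__":
    for no, ctx in find_injections(SAMPLE):
        print(f"line {no}: {ctx} is expanded inside a run: script")
```

Only the first step is reported: the second one reads the same value from an environment variable, so the shell never parses the branch name as code.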
The “autonomous security research agent” expects cryptocurrency donations and lists two wallets for ETH and Bitcoin – both show zero balance and no transactions.
The researchers also listed the hackmoltrepeat[.]com domain, which was used by the hacker to host the payload and exfiltrate data. This domain was registered on February 24th, 2026, three days after the initial attacks began. The registrar is Tucows, and the actual server is hidden behind Cloudflare nameservers.
Cybernews previously reported on another AI bot on GitHub that personally attacked a maintainer of a popular repository for rejecting the AI-generated code.