An autonomous AI-powered bot called hackerbot-claw systematically exploited GitHub Actions workflows across major open-source projects including Microsoft, DataDog, Aqua Security, and CNCF repositories over 7 days in February 2026. The bot achieved remote code execution in 5 of 7 targets using 5 distinct attack techniques including Pwn Request vulnerabilities, branch name injection, and filename injection. The most severe compromise was Aqua Security's Trivy, where the attacker deleted 178 releases, stripped 32,000+ stars, and pushed a suspicious VSCode extension. The campaign also included the first documented AI-on-AI attack, where the bot attempted prompt injection against Claude Code via a manipulated CLAUDE.md file — which Claude immediately detected. Mitigations include auditing pull_request_target workflows, restricting permissions, and moving context expressions into environment variables.
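One way to carry out the audit named in the mitigations above, as an added example that is not from the original report: a standard-library heuristic scanner that flags pull_request_target triggers, missing permissions blocks, and contributor-controlled context expressions interpolated into run: scripts. The two sample workflows, the function name audit_workflow and the list of contexts checked are assumptions made for illustration.

```python
import re
# Context values an outside contributor controls (branch name, PR title/body).
UNTRUSTED = re.compile(r"\$\{\{\s*(github\.(?:head_ref|event\.pull_request\."
                       r"(?:title|body|head\.ref)))\s*\}\}")
RUN = re.compile(r"^(\s*(?:-\s+)?)run:\s*(.*)$")
# Constructed sample workflows (not taken from any affected repository).
VULNERABLE = """\
on: pull_request_target
jobs:
  greet:
    runs-on: ubuntu-latest
    steps:
      - run: |
          echo "Building ${{ github.head_ref }}"
"""
HARDENED = """\
on: pull_request_target
permissions:
  contents: read
jobs:
  greet:
    runs-on: ubuntu-latest
    steps:
      - env:
          BRANCH: ${{ github.head_ref }}
        run: |
          echo "Building $BRANCH"
"""

def audit_workflow(text):
    """Return (line_no, finding) pairs; line 0 marks a file-level finding."""
    lines, findings, block_indent = text.splitlines(), [], None
    if any("pull_request_target" in l.split("#")[0] for l in lines):
        findings.append((0, "pull_request_target trigger: review what it runs"))
    if not any(re.match(r"\s*permissions:", l) for l in lines):
        findings.append((0, "no explicit permissions: block"))
    for no, line in enumerate(lines, 1):
        m = RUN.match(line)
        if m:  # inline script, or the header of a block scalar (| or >)
            script = m.group(2)
            block_indent = len(m.group(1)) if script[:1] in ("|", ">") else None
        elif block_indent is not None and (
                not line.strip() or len(line) - len(line.lstrip()) > block_indent):
            script = line  # continuation line of the run: block
        else:
            block_indent, script = None, ""  # outside any run: script (e.g. env:)
        for hit in UNTRUSTED.finditer(script):
            findings.append((no, f"{hit.group(1)} interpolated into run: script"))
    return findings
```

This is a line-based heuristic, not a YAML parser, so a clean result is a starting point for manual review of what the workflow checks out and executes.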