Table of contents

Executive summary

  • HackerBot-Claw is an emerging automated campaign that systematically scans public repositories for misconfigured GitHub Actions workflows and weaponizes them to gain privileged access.
  • By exploiting insecure CI/CD configurations – especially workflows that grant elevated tokens on pull request triggers – the campaign can seize repository control.
  • We’ve previously discussed the security risks inherent in GitHub Actions and demonstrated how misconfigurations can be leveraged to simulate significant real-world breaches.

Introduction

On February 27-28, 2026, multiple high-profile open-source projects were impacted by a coordinated GitHub repository compromise campaign. The activity was later attributed to “HackerBot-Claw”, an automated operation exploiting misconfigured GitHub Actions workflows to achieve remote code execution and privileged token theft across CI/CD pipelines.

A screenshot of a message from the hackerbot-claw

February 20, 2026: 

  • GitHub account hackerbot-claw created.

February 21-28, 2026: 

  • Automated campaigns begins

February 27, 2026: 

February 28, 2026:

March 2, 2026: 

Why GitHub Actions Are a New Frontier for Attackers

GitHub Actions has become a default CI/CD platform for modern development, enabling automation of builds, tests, deployments, and security scanning. Yet these workflows, when misconfigured, can grant automation engines unintended privileges, turning trusted automation into a weaponized attack surface.

On Sep 30, 2025, we published research demonstrating how we had exploited GitHub Actions vulnerabilities across thousands of repositories, including projects maintained by Fortune 500 companies such as Microsoft, Google and NVIDIA.

In an earlier blog post published on Sep 24, 2025, we also provided a detailed technical analysis of so-called “pwn request” vulnerabilities and how they enable CI workflow exploitation and the theft of privileged identities.

name: Dangerous PR runner
on:
  pull_request_target:

jobs:
  run-pr-code:
    runs-on: ubuntu-latest
    permissions:
      contents: write
      pull-requests: write
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - name: Run script
        run: |
         scripts/run.sh

What Happened?

HackerBot-Claw is an automated campaign that scans public repositories for vulnerable GitHub Actions workflows, particularly those using pull_request_target with elevated permissions. Once identified, the attacker opens pull requests crafted to trigger CI execution, enabling arbitrary code execution or exposure of privileged tokens.

What Is the Impact?

In several cases, the exposed tokens were used to perform destructive or unauthorized API actions, including token exfiltration, direct commit pushes, release deletions, advisory creation, and repository manipulation. In the most severe instance, this escalation led to full repository takeover and disruption of downstream distribution channels.

How HackerBot-Claw Works (Attack Chain)

At a high level, the automation follows the pattern below:

Scan for Vulnerable CI Workflows

HackerBot-Claw inspects .github/workflows/*.yml across public repositories for patterns such as:

  • pull_request_target triggers
  • excessive token permissions
  • untrusted checkouts
  • reuse of privileged secrets

These patterns indicate workflows where untrusted input may be executed with write privileges.

Trigger CI to Leak Privileged Tokens

Once a vulnerable workflow is found, the agent automatically generates a pull request to trigger the CI pipeline. If the workflow runs with write access (e.g., via GITHUB_TOKEN or a stored PAT), it may expose credentials or perform actions using elevated rights. In Trivy’s case, a misconfigured workflow allowed an attacker to obtain a privileged GitHub Personal Access Token (PAT) through such automation.

Abuse Token for Repository Control

With the compromised token, the attacker can interact directly with GitHub’s API, doing things like:

  • deleting GitHub releases and associated assets
  • renaming the repository
  • publishing malicious artifacts (e.g., a fake VSCode extension)

This pattern reflects a CI privilege escalation attack rather than a code injection.

Known Impacted Repositories

The HackerBot-Claw campaign systematically scanned public GitHub repositories for exploitable CI workflows and triggered automation to achieve remote code execution or token exfiltration. The following repositories were explicitly referenced as targets in the StepSecurity analysis:

Broader Context: CI Exploitation Is Not an Outlier

The risk of GitHub Actions abuse extends beyond HackerBot-Claw. In 2025, a supply chain attack against the tj-actions/changed-files action, which is used in over 23,000 workflows. This resulted in secrets being leaked via workflow logs when malicious code was introduced into the Action’s codebase.

These incidents illustrate two key trends:

  1. CI/CD systems increasingly carry sensitive credentials and operational privileges
  2. Attackers can exploit automation logic to harvest, misuse, or destroy key software artifacts

Mitigation Recommendations

To harden CI/CD environments and mitigate automated exploitation campaigns like HackerBot-Claw, organizations can review and implement the defensive controls outlined in our prior research on pull request exploitation patterns.

That guidance covers secure workflow design, safe handling of pull_request_target, strict token scoping, input sanitization, and preventing untrusted code from executing with elevated permissions.

In addition, if you are using any of the repositories or tools impacted in this campaign, closely follow the official advisories and remediation guidance published by their maintainers. Apply recommended updates, rotate credentials where advised, and verify that your CI workflows are running the latest patched configurations.

How Can Orca Help?

The Orca Cloud Security Platform secures your entire software development lifecycle from pre-deployment through runtime. Orca’s comprehensive Application Security capabilities enable organizations to: 

  • Audit repositories and workflows for misconfigurations: Orca continuously scans SCM platforms like GitHub for overly permissive tokens, outdated workflows, and missing security guardrails. This helps ensure legacy repositories and pipelines are brought up to least-privilege standards. 
  • Detect and prevent secret exposure: Orca provides comprehensive and advanced Secret Detection capabilities that integrate with your SCM repositories, scan every push or pull request for secrets, and provide flexible guardrails that can prevent secrets from being exposed. 
  • Set policy guardrails that block unsafe deployments: Orca enforces policies across the development pipeline to ensure that misconfigurations, vulnerabilities, and secrets are caught early and never reach production. 
  • Connect cloud to development: Orca’s Cloud-to-Dev capabilities enable you to trace cloud risks to their origins in source code and remediate issues at their source.

To learn more or see the Orca Platform in action, schedule a personalized 1:1 demo

Table of contents