HackerBot Claw GitHub Actions exploitation campaign
Tags
- ops
- operations
- GitHub Actions
- CI/CD
- supply-chain
- prompt-injection
- branch-name-injection
- filename-injection
- script-injection
Summary
Between February 21 and March 2, 2026, the GitHub account HackerBot Claw systematically targeted public repositories for GitHub Actions exploitation. Public reporting says the bot achieved remote code execution in multiple targets and exfiltrated a write-capable GitHub token from one of the most popular repositories on GitHub.
Timeline
- Feb 21, 2026: campaign window begins.
- Over the following 10 days: the bot opens multiple PRs across major repos and iterates on exploitation techniques.
- By March 2, 2026: the campaign has executed successfully in multiple targets and exfiltrated a write-capable token in at least one case.
Evidence
- Public reporting names at least 7 targets spanning Microsoft, DataDog, CNCF, and major open-source projects.
- The bot is described as an autonomous security research agent powered by Claude.
- The attacker iterated across multiple PRs and exploit forms.
- The campaign produced a token exfiltration event with GITHUB_TOKEN write permissions.
Core exploitation techniques
- Pwn Request / pull_request_target abuse
- Script injection via directly modified workflow helper scripts
- Branch name injection into shell-evaluated workflow metadata
- Filename injection via shell-expanded filenames
- Prompt injection against an AI code-review workflow
Why it matters
This campaign is notable because it shows that GitHub Actions abuse can be fully automated and diversified across many exploit primitives. It also demonstrates that AI-assisted review and automation layers can be targeted as part of the attack path.
TeamPCP relation
StepSecurity’s reporting links HackerBot Claw to the same supply-chain ecosystem as TeamPCP, whose follow-on activity includes the Trivy compromise and CanisterWorm. On this wiki, TeamPCP is treated as the human/group actor; HackerBot Claw is the autonomous exploitation bot used in the GitHub Actions campaign.
Defender takeaways
- Avoid pull_request_target with untrusted checkout
- Never execute attacker-controlled branch names or filenames in shell contexts
- Treat PR metadata as attacker-controlled input
- Add egress monitoring in CI
- Restrict AI-code-review workflows to the minimum viable permissions
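A minimal audit for the first three takeaways, added here as an example and not taken from StepSecurity's reporting or any affected project. It is a line-based scan rather than a full YAML parser; the function name audit_workflow, the rule labels, and both sample workflows are constructed for illustration, and the list of untrusted contexts is a subset.

```python
import re
# Expressions whose value a PR author chooses (branch name, title, body).
UNTRUSTED = re.compile(r"\$\{\{\s*(github\.head_ref|github\.event\.pull_request\."
                       r"(?:title|body|head\.ref|head\.label))\s*\}\}")
# A checkout "ref:" that selects the PR head instead of the base branch.
PR_HEAD = re.compile(r"^\s*ref:.*\$\{\{\s*github\.(?:head_ref|event\.pull_request\.head\.)")
RUN_KEY = re.compile(r"^(\s*(?:-\s+)?)run:\s*(.*)$")

def audit_workflow(text):
    """Return (line_no, rule) findings for the text of one workflow file."""
    findings = []
    privileged = re.search(r"^[^#\n]*\bpull_request_target\b", text, re.M) is not None
    run_col = None  # column of the "run:" key while inside its block scalar
    for no, line in enumerate(text.splitlines(), 1):
        if run_col is not None and line.strip() and len(line) - len(line.lstrip()) <= run_col:
            run_col = None  # dedent: the multi-line script has ended
        m = RUN_KEY.match(line)
        if m and m.group(2)[:1] in ("|", ">"):
            run_col = len(m.group(1))  # multi-line script starts here
        if (m or run_col is not None) and UNTRUSTED.search(line):
            findings.append((no, "shell-injection"))  # expanded before the shell runs
        if privileged and PR_HEAD.match(line):
            findings.append((no, "pwn-request"))  # PR code in a privileged job
    return findings

# Constructed sample: privileged trigger, PR-head checkout, branch name in shell.
WEAK = """\
on: pull_request_target
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: echo "Checking ${{ github.head_ref }}"
"""
# Constructed sample: unprivileged trigger, branch name passed through env.
HARDENED = """\
on: pull_request
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - env:
          BRANCH: ${{ github.head_ref }}
        run: echo "Checking $BRANCH"
"""
```

audit_workflow(WEAK) reports the PR-head checkout and the interpolated branch name, while audit_workflow(HARDENED) reports nothing because the branch name reaches the script only as a quoted environment variable.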
References
- StepSecurity
- StepSecurity blog feed: https://www.stepsecurity.io/blog/rss.xml