ACCORDING to StepSecurity, hackerbot-claw ran a week-long automated campaign targeting CI/CD pipelines in major open source repositories, achieving remote code execution in at least 4 of 5 targets and exfiltrating a GitHub token with write permissions from a popular repository. Between 21 February and 28 February 2026, the autonomous bot scanned public repositories for exploitable GitHub Actions workflows, forking 5 repositories and opening 12 pull requests across 4 targets.
The attacks used five different techniques, including token theft via a poisoned Go script in a PR quality checks workflow and direct script injections, branch name injection, filename injection, and AI prompt injection, with payloads such as curl commands to hackmoltrepeat[.]com. Notably, DataDog deployed emergency fixes within nine hours, and Claude Code detected and refused an AI prompt injection in ambient-code/platform, halting that attack.
The campaign demonstrated that several misconfigurations—such as pull_request_target with untrusted checkout and unsanitised expressions in shell contexts—were exploited across multiple projects, resulting in confirmed or likely RCE and token exposure.