An adversarial AI agent weaponized CI/CD pipelines and AI coding assistants across six major open-source projects, deploying seven distinct techniques in 37 hours of active operations.
Between February 20 and 28, 2026, an autonomous or semi-autonomous GitHub account named hackerbot-claw executed a systematic attack campaign against the CI/CD pipelines of six major open-source projects, deploying seven distinct exploitation techniques across 14 pull requests and two malicious extension releases in approximately 37 hours of active operations.
Confirmed outcomes: code execution in three repositories (aquasecurity/trivy, avelino/awesome-go, project-akri/akri); exfiltration of a write-scoped GITHUB_TOKEN from avelino/awesome-go; and full repository compromise of aquasecurity/trivy (32k stars), consisting of direct commits to main, deletion of 97 GitHub Releases, and a malicious VSCode extension pushed to the OpenVSX marketplace (v1.8.12, CVE-2026-28353, subsequently removed). The extension contained embedded AI agent weaponization code that spawned five AI coding assistants in permissive mode to harvest credentials and system data from developer machines.
At two additional targets (microsoft/ai-discovery-agent, DataDog/datadog-iac-scanner), the injection points were reached, but execution is unconfirmed. The sole defensive success was Claude Code detecting and refusing prompt injection in ambient-code/platform.
An AI-augmented agent autonomously discovered, verified, and exploited CI/CD vulnerabilities across multiple organizations within a single operational window.