Skip to main content
Mallory
Back to threat actors
1 malware family

hackerbot-claw

Also known ashackerbot-claw

HackerBot-Claw is an autonomous, automated threat actor/campaign active in February 2026 that targeted insecure GitHub Actions workflows in public repositories. The activity focused on CI/CD misconfigurations, especially unsafe use of pull_request_target, execution of untrusted forked pull request code, unsanitized user-controlled inputs such as branch names and filenames, dynamic shell execution, direct interpolation in run blocks, missing authorization checks, and overprivileged GITHUB_TOKEN permissions. Multiple sources describe the campaign as scanning public repositories at scale and generating malicious pull requests to trigger vulnerable workflows. Observed targets included high-profile open source and software ecosystem repositories and organizations, including Microsoft, Datadog, CNCF projects, Aqua Security’s Trivy, project-akri/akri, and avelino/awesome-go. The campaign is described as having achieved remote code execution on GitHub-hosted runners in multiple cases, with at least 4 of 5 targets compromised in one account and at least six repositories successfully exploited in another. In the most severe reported case, Aqua Security’s Trivy repository was fully compromised, leading to a downstream supply-chain attack that exposed 33,000 secrets across nearly 7,000 machines. The campaign used five exploitation techniques: poisoned Go init() functions, branch-name command injection, filename-based injection, direct script injection, and AI prompt injection against Claude-based code reviewers. Reporting also describes “Pwn Request” abuse, where pull_request_target workflows checked out and executed attacker-controlled fork code with base-repository privileges. In one documented example against awesome-go, the actor modified a Go script to exfiltrate the GITHUB_TOKEN and downloaded a second-stage payload from hackmoltrepeat.com/molt; stolen credentials were exfiltrated to recv.hackmoltrepeat.com. Reported outcomes included exfiltration of GITHUB_TOKENs and Personal Access Tokens with write permissions, unauthorized pushes, deletion of releases, workflow modification, and broader supply-chain compromise. The actor is also described as attempting AI prompt injection by poisoning files such as CLAUDE.md or config content intended for Claude-based reviewers. One mention states Claude detected and refused a prompt-injection attempt. The campaign has been characterized as AI-powered and autonomous, with continuous scanning, automated exploitation, and public logging of recent activity via the actor’s own GitHub profile workflow. The GitHub account associated with hackerbot-claw was reportedly suspended. Known alias: hackerbot_claw.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

  • Software & Services
MITRE ATT&CK

Tradecraft

20 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

9 of 15 tactics25 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0043
Reconnaissance
1 technique
T1593
Search Open Websites/Domains
TA0001
Initial Access
3 techniques
T1078×3
Valid Accounts
T1190
Exploit Public-Facing Application
T1195×6
Supply Chain Compromise
T1195.001
Compromise Software Dependencies and Development Tools
T1195.002×2
Compromise Software Supply Chain
TA0002
Execution
1 technique
T1059×3
Command and Scripting Interpreter
T1059.004
Unix Shell
TA0003
Persistence
1 technique
T1078×3
Valid Accounts
TA0004
Privilege Escalation
1 technique
T1078×3
Valid Accounts
TA0005
Stealth
2 techniques
T1070
Indicator Removal
T1070.004
File Deletion
T1078×3
Valid Accounts
TA0006
Credential Access
6 techniques
T1003
OS Credential Dumping
T1212×3
Exploitation for Credential Access
T1528×6
Steal Application Access Token
T1552
Unsecured Credentials
T1555
Credentials from Password Stores
T1649×2
Steal or Forge Authentication Certificates
TA0011
Command and Control
2 techniques
T1071
Application Layer Protocol
T1071.001
Web Protocols
T1105
Ingress Tool Transfer
TA0010
Exfiltration
2 techniques
T1041
Exfiltration Over C2 Channel
T1567
Exfiltration Over Web Service
T1567.001
Exfiltration to Code Repository
ARSENAL

Associated malware families

1 malware family attributed to this actor across reporting.

FamilyContextEvidenceLast seen
TrivyOn March 19, 2026, aquasecurity/trivy-action — a widely used GitHub Action for running the Trivy vulnerability scanner — was compromised for approximately 12 hours... a malicious trivy binary release (v0.69.4) was published for approximately 3 hours.1May 2, 2026
IOCS

Observables

82 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.

82 IOCsView more in app

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

ACTIVITY FEED

Recent activity

10 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

10 SOURCESView more in app
the hacker newsNews
Jun 4, 2026
Claude Code GitHub Action Flaw Let One Malicious Issue Hijack Repositories

An autonomous bot used to probe GitHub Actions misconfigurations and attempt prompt-injection attacks against Claude-based workflows.

Read more
elastic security labsNews
Apr 29, 2026
CI/CD pipeline abuse: the problem no one is watching - Elastic Security Labs

Automated exploitation campaign targeting GitHub Actions pull_request_target misconfigurations in public repositories, enabling repository compromise and downstream supply chain attacks.

Read more
ramimac blogNews
Apr 4, 2026
prt-scan: AI-Powered GitHub Actions Supply Chain Attack | Wiz Blog

Referenced as an AI-powered CI/CD attacker known for using five different exploitation methods across seven successful high-profile attacks.

Read more
cloudsek blogNews
Apr 1, 2026
The Scanner Was the Weapon: 36 Months of Precision Supply Chain Attacks Against DevSecOps Infrastructure | CloudSEK

Compromised Trivy-related GitHub Actions and release automation by abusing pull_request_target to extract a privileged token, then enabling tag poisoning, binary backdooring, credential theft, and resilient exfiltration/C2 including ICP blockchain infrastructure.

Read more
+5 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping20

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal1

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables82

Domains, IPs, and hashes tied to this actor, refreshed continuously.