Chaos Agent

Chaos Agent is the name used by Pillar Security for the hackerbot-claw campaign that operated from February 21 to February 28, 2026 and targeted developer environments via GitHub Actions. The campaign exploited the GitHub Actions pull_request_target permission model by forking repositories, embedding payloads in a branch name or CI script, and submitting trivial pull requests to trigger workflows and harvest secrets. Reported targets included repositories belonging to Microsoft, Datadog, and Aqua Security. In the Aqua Security case, StepSecurity confirmed theft of a Personal Access Token and subsequent repository takeover. The activity also led to malicious code being injected into Trivy VS Code extension versions 1.8.12 and 1.8.13 distributed through Open VSX. This compromise, identified as CVE-2026-28353, was described as the first documented weaponization of locally installed AI coding CLIs against developer environments. Abused tools included Claude, Codex, Gemini, GitHub Copilot CLI, and Kiro. Version 1.8.12 used compromised AI coding CLIs to collect system data, while version 1.8.13 improved exfiltration by routing data to a GitHub repository named posture-report-trivy using the victim's authenticated GitHub CLI session. The campaign focused on developer trust zones rather than production networks, seeking access to high-value credentials and secrets commonly present in developer machines and CI/CD systems. No additional aliases or sub-groups beyond hackerbot-claw and Chaos Agent are directly supported by the provided content.