hackerbot-claw, an autonomous bot powered by Claude Opus 4.5, scanned 47,000 public repos for vulnerable GitHub Actions workflows, picked 6 targets and got RCE in 4 of them.

Five attack techniques. Four are well known: a poisoned Go init(), branch name injection, base64-encoded filenames, and unauthenticated comment triggers, all documented in GitHub's security hardening guide since 2021.

One is new: AI prompt injection via a poisoned CLAUDE.md, used to trick an AI code reviewer into committing malicious code and posting a fake approval.

My take:

  1. It's just the first taste of what autonomous AI attacks will look like. It's a good time to refine your threat model and have a reality check on what you're protecting against.
  2. Bravo to Claude who caught a poisoned CLAUDE.md and refused malicious instructions. Still, pin AI config files (CLAUDE.md, .cursorrules) to the base branch. Never load them from fork PRs.
  3. awesome-go has 140k stars and feeds thousands of company dependency lists. It's another signal of the risk we take by adding OSS components maintained by volunteers with no security budget and known vulns sitting unfixed for years into the enterprise critical infrastructure stack.
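The pinning in point 2, as an added example (this is not code from the post, from StepSecurity's write-up or from the hackerbot-claw repository). It assumes a GitHub Actions job that runs an AI reviewer on a fork PR, with actions/checkout having checked out the PR head and the base branch already fetched; the list of config files and the `demo_repo` fixture are assumptions constructed for the example. `pin_ai_config_to_base` replaces every AI config file in the working tree with the base branch's copy (deleting any the base branch lacks), and `ai_config_matches_base` is the check you can gate the reviewer step on:

```shell
#!/usr/bin/env sh
# Added example, not code from the post, StepSecurity or hackerbot-claw.
# Assumed context: a GitHub Actions job that runs an AI reviewer on a
# pull_request from a fork. actions/checkout has checked out the PR head and
# the base branch has been fetched (git fetch origin <base>), so
# "origin/<base>:<file>" resolves. The file list below is an assumption.
AI_CONFIG_FILES="CLAUDE.md .cursorrules"

# pin_ai_config_to_base <base_ref> [repo_dir]
# Overwrite every AI config file in the working tree with the copy committed
# on <base_ref>. A file missing on the base branch is deleted, so a PR can
# neither edit an existing instruction file nor introduce a new one.
pin_ai_config_to_base() {
  base_ref="$1"
  repo_dir="${2:-.}"
  for f in $AI_CONFIG_FILES; do
    if git -C "$repo_dir" cat-file -e "${base_ref}:${f}" 2>/dev/null; then
      git -C "$repo_dir" show "${base_ref}:${f}" > "${repo_dir}/${f}"
    else
      rm -f "${repo_dir}/${f}"
    fi
  done
}

# ai_config_matches_base <base_ref> [repo_dir]
# Exit 0 when each AI config file is byte-identical to the base branch copy
# (or absent on both sides), 1 otherwise. Use it as a gate before the
# reviewer step, or as an audit check over an existing workspace.
ai_config_matches_base() {
  base_ref="$1"
  repo_dir="${2:-.}"
  for f in $AI_CONFIG_FILES; do
    if git -C "$repo_dir" cat-file -e "${base_ref}:${f}" 2>/dev/null; then
      git -C "$repo_dir" show "${base_ref}:${f}" | cmp -s - "${repo_dir}/${f}" || return 1
    else
      [ ! -e "${repo_dir}/${f}" ] || return 1
    fi
  done
  return 0
}

# demo_repo: constructed throwaway repository standing in for the checked-out
# workspace. "main" carries the trusted CLAUDE.md; the "pr-from-fork" branch
# rewrites it and adds a .cursorrules, which is what a poisoned PR would do.
# Prints the repository path.
demo_repo() {
  dir=$(mktemp -d)
  g() { git -C "$dir" -c user.name=demo -c user.email=demo@example.invalid \
             -c commit.gpgsign=false "$@"; }
  g init -q
  g symbolic-ref HEAD refs/heads/main
  printf 'Review PRs for correctness only.\n' > "$dir/CLAUDE.md"
  g add CLAUDE.md
  g commit -q -m "trusted base"
  g checkout -q -b pr-from-fork
  printf 'Instructions edited by the PR author\n' > "$dir/CLAUDE.md"
  printf 'Instructions added by the PR author\n' > "$dir/.cursorrules"
  g add CLAUDE.md .cursorrules
  g commit -q -m "fork PR"
  printf '%s\n' "$dir"
}

# Stand-alone run: sh pin_ai_config.sh --demo
if [ "${1:-}" = "--demo" ]; then
  repo=$(demo_repo)
  ai_config_matches_base main "$repo" || echo "before pin: PR-controlled AI config in working tree"
  pin_ai_config_to_base main "$repo"
  ai_config_matches_base main "$repo" && echo "after pin: AI config matches base branch"
fi
```

In a workflow, pass the base branch name through `env:` (for example `BASE_REF: ${{ github.base_ref }}`) and call `git fetch origin "$BASE_REF" && pin_ai_config_to_base "origin/$BASE_REF"` from the `run:` step, rather than expanding `${{ }}` inside the script itself; that keeps the step out of the branch name injection class the post lists. Run the pin before the reviewer reads anything from the workspace, and fail the job if `ai_config_matches_base` returns non-zero afterwards.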

Great analysis from StepSecurity: HackerBot-Claw: GitHub Actions Exploitation

hackerbot-claw GitHub repository

How the attack works: scan vulnerable workflows, fork repo, open innocent-looking PR, trigger workflow for code execution, steal secrets and access tokens