
How an Autonomous Bot Exploited GitHub Actions for 9 Days — And How to Harden Your Workflows
Between February 21 and March 1, 2026, an autonomous bot called hackerbot-claw ran a nine-day campaign against public GitHub repositories. It forked 5 repos, opened 12 pull requests, and successfully exfiltrated a GitHub write token from one of the most-starred repositories on the platform. In at least one case, CNCF's Trivy project, it cleared its own evidence after the fact.

Confirmed targets: Microsoft, DataDog, CNCF (Trivy), avelino/awesome-go, project-akri/akri.

The techniques used are not new. Every one of them has been documented by security researchers for years. What is new is a bot that automated them, ran them at scale across dozens of high-profile repos, and did so without triggering a single alert until the campaign was over.

If you maintain any public GitHub repository with GitHub Actions workflows, this is worth a few hours of your time today.

The Entry Point: pull_request_target

The root of almost every technique in this campaign is pull_request_target — a GitHub Actio
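The reason pull_request_target is the entry point is the combination it invites: unlike pull_request, it runs in the context of the base repository, so the job gets a GITHUB_TOKEN that can be write-scoped plus the repository's secrets, and if the workflow then checks out and builds the pull request's own head commit, the PR author controls code that runs with those privileges. The checker below is an added example written for this page, not code from the article or from any of the named projects. It is a text-level heuristic (no YAML library needed) that flags workflows where the `on:` block uses pull_request_target together with an `actions/checkout` step whose `ref:` points at the PR head (`github.event.pull_request.head.sha`/`.ref` or `github.head_ref`), and reports whether the workflow-level `permissions:` leaves the token writable. The three sample workflows are constructed for the demonstration; job-level `permissions:` overrides and `repository:` overrides on checkout are deliberately out of scope.

```python
"""Flag the GitHub Actions pattern that makes pull_request_target dangerous:
a privileged trigger combined with checking out the pull request's own head
commit. Text-based heuristic (added example, constructed inputs); no PyYAML."""
import re
from dataclasses import dataclass

# `ref:` expressions that point at the PR head. github.head_ref is PR-controlled too.
PR_HEAD_REF = re.compile(
    r"ref:\s*\$\{\{\s*github\.(?:event\.pull_request\.head\.(?:sha|ref)|head_ref)\s*\}\}"
)
# YAML sometimes needs `on` quoted because it is a boolean literal in YAML 1.1.
ON_KEY = re.compile(r"""^["']?on["']?:""")


def on_block(text: str) -> str:
    """Return the text of the top-level `on:` block so trigger names elsewhere
    (e.g. in `if: github.event_name == ...`) do not count as triggers."""
    block, capturing = [], False
    for line in text.splitlines():
        if ON_KEY.match(line):
            capturing = True
        elif capturing and line.strip() and not line.startswith((" ", "\t", "-", "#")):
            break  # next top-level key ends the block
        if capturing:
            block.append(line)
    return "\n".join(block)


def token_permissions(text: str) -> str:
    """Classify workflow-level GITHUB_TOKEN permissions: 'write', 'read' or 'default'.
    'default' means none declared, so the repository default applies (historically write)."""
    m = re.search(r"^permissions:(.*)$", text, re.M)
    if not m:
        return "default"
    inline = m.group(1).strip()
    if inline == "write-all":
        return "write"
    if inline in ("read-all", "{}"):
        return "read"
    # Block form: collect the indented `scope: level` lines that follow.
    levels = []
    for line in text[m.end():].splitlines()[1:]:
        if not line.startswith((" ", "\t")) or not line.strip():
            break
        levels.append(line.split(":", 1)[1].strip())
    return "write" if "write" in levels else "read"


@dataclass
class Finding:
    uses_pull_request_target: bool
    checks_out_pr_head: bool
    permissions: str

    def risk(self) -> str:
        if not self.uses_pull_request_target:
            return "ok"
        if self.checks_out_pr_head:
            # PR-controlled code runs in the base repo's context. Even with a
            # read-only token it still sees repository secrets, hence 'high'.
            return "critical" if self.permissions != "read" else "high"
        return "review"  # privileged trigger, but PR code is never checked out


def audit(workflow_text: str) -> Finding:
    return Finding(
        uses_pull_request_target=bool(
            re.search(r"\bpull_request_target\b", on_block(workflow_text))),
        checks_out_pr_head=bool(PR_HEAD_REF.search(workflow_text)),
        permissions=token_permissions(workflow_text),
    )


# Constructed sample: the dangerous combination (privileged trigger + PR head + build).
VULNERABLE = """\
name: PR build
on:
  pull_request_target:
    types: [opened, synchronize]
permissions:
  contents: write
  pull-requests: write
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm ci && npm run build
"""

# Constructed sample: same build under pull_request with a read-only token.
HARDENED = """\
name: PR build
on:
  pull_request:
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm run build
"""

# Constructed sample: pull_request_target used legitimately (no PR code checked out).
LABELER = """\
name: Label PRs
on: pull_request_target
permissions:
  pull-requests: write
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/labeler@v5
"""

if __name__ == "__main__":
    for name, wf in (("vulnerable", VULNERABLE), ("hardened", HARDENED), ("labeler", LABELER)):
        print(f"{name:10} -> {audit(wf).risk()}")
```

Run it over `.github/workflows/*.yml` by reading each file into `audit()`. A "critical" result means a fork PR can run code with a writable token; the fix is either to move the build to `pull_request` (as in the hardened sample) or to keep pull_request_target only for steps that never check out or execute PR-supplied content, with `permissions:` pinned to the minimum.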
Continue reading on Dev.to DevOps




