{
  "$type": "site.standard.document",
  "bskyPostRef": {
    "cid": "bafyreiekai77aigcewhwkukexldpjmlxijx2pzaqb4gsziwdgifl4a3ujy",
    "uri": "at://did:plc:i3hyx5sw7cz7ofijrwp4tqua/app.bsky.feed.post/3mg7bi2lmc3a2"
  },
  "coverImage": {
    "$type": "blob",
    "ref": {
      "$link": "bafkreiclq4iwzogdcqowv7nbw6q5mfcxnazint6chi53wnl74sodtq6qvq"
    },
    "mimeType": "image/png",
    "size": 764843
  },
  "description": "overview\n\nIt turns out that automating your workflows also makes it incredibly easy for attackers to automate your demise. An autonomous attack campaign, tracked as \"hackerbot-claw,\" is currently prowling public repositories. Its mission? Finding insecure GitHub Actions workflows and turning them into gateways for arbitrary code execution and credential exfiltration.\n\nThe campaign isn't just a script-kiddie's weekend project; it has successfully compromised several high-profile open-source proje",
  "path": "/en/high-severity-github-actions-exploit-hackerbot-claw-uses-your-ci-cd-as-a-pwn-as-a-service-platform/",
  "publishedAt": "2026-03-04T02:48:44.000Z",
  "site": "https://www.sredevops.org",
  "tags": [
    "OpenSSF OSPS (Open Source Project Security) Baseline",
    "GitHub's official guidance on script injection",
    "OpenSSF: Mitigating attack vectors in GitHub workflows",
    "Wiz.io: GitHub Actions security guide",
    "OpenSSF SCM best practices",
    "GitHub",
    "LinkedIn",
    "@v1"
  ],
  "textContent": "## overview\n\nIt turns out that automating your workflows also makes it incredibly easy for attackers to automate your demise. An autonomous attack campaign, tracked as **\"hackerbot-claw,\"** is currently prowling public repositories. Its mission? Finding insecure GitHub Actions workflows and turning them into gateways for arbitrary code execution and credential exfiltration.\n\nThe campaign isn't just a script-kiddie's weekend project; it has successfully compromised several high-profile open-source projects. By abusing common misconfigurations, the bot effectively turns your CI/CD pipeline against you. If you’ve been treating your `pull_request_target` triggers with the reckless abandon of a developer on their fifth espresso, it’s time to pay attention.\n\nThe Linux Foundation and the OpenSSF are actively triaging the fallout, but the bot works faster than a committee.\n\n## anatomy of the attack\n\nThe \"hackerbot-claw\" bot isn't reinventing the wheel; it’s just using the wheel to run you over. It specifically targets workflows that:\n\n  * Use privileged triggers like `pull_request_target`.\n  * Execute untrusted code from forked pull requests without isolation.\n  * Include inline shell scripts that blindly trust user-controlled inputs.\n  * Lack any form of authorization check before firing off expensive (and dangerous) runners.\n\n\n\n### observed attack patterns\n\n  1. **Direct script injection:** Attackers modify a script within a PR. If the workflow executes that script with repository privileges, the attacker effectively owns the runner.\n  2. **\"Pwn request\" (pull_request_target abuse):** This trigger is the \"God Mode\" of GitHub Actions. When used to check out and run code from a fork, it grants that untrusted code access to secrets and a `GITHUB_TOKEN` with write permissions.\n  3. **Context injection:** Malicious payloads are hidden in branch names, PR titles, or file paths. 
If your workflow does something like `echo \"Checking out ${{ github.head_ref }}\"`, you might find yourself executing `echo \"Checking out \"; rm -rf / #`.\n\n\n\n### a real-world casualty: project-akri/akri\n\nIn a documented case involving `project-akri/akri`, a malicious PR introduced a shell-injection payload into a script. Because the workflow lacked safeguards, it dutifully executed the attacker's commands, proving once again that computers will do exactly what you tell them to do, even if it's professional suicide.\n\n## recommended mitigations\n\nIf you don't want your repository to become a miner for someone else's cryptocurrency or a pivot point for a supply chain attack, implement these controls immediately.\n\n### 1. harden your workflows\n\nStop using `pull_request_target` unless you absolutely have to. If you must use it, **never** check out the untrusted code from the PR head.\n\n\n    # BAD: This gives the fork's code access to your secrets\n    on: pull_request_target\n    jobs:\n      test:\n        runs-on: ubuntu-latest\n        steps:\n          - uses: actions/checkout@v4\n            with:\n              ref: ${{ github.event.pull_request.head.sha }} # DANGER\n\n\n### 2. enforce least privilege\n\nLimit the `GITHUB_TOKEN` permissions at the top of your workflow file. If a job only needs to read the code, tell it so.\n\n\n    permissions:\n      contents: read\n      pull-requests: read\n\n\n### 3. sanitize inputs like your life depends on it\n\nNever interpolate GitHub context variables directly into shell scripts. Use environment variables instead.\n\n\n    # BAD: Vulnerable to injection\n    run: echo \"Processing branch: ${{ github.head_ref }}\"\n\n    # GOOD: Handled as data, not code\n    run: echo \"Processing branch: $BRANCH_NAME\"\n    env:\n      BRANCH_NAME: ${{ github.head_ref }}\n\n\n### 4. pin your actions\n\nDon't trust tags like `@v1`. Tags can be moved. 
Use the full-length commit SHA to ensure the code you're running is the code you reviewed.\n\n\n    - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0\n\n\n## alignment with the openssf osps baseline\n\nThe ongoing \"hackerbot-claw\" campaign targets the exact gaps addressed by the OpenSSF OSPS (Open Source Project Security) Baseline. Projects that follow these guidelines are significantly harder to compromise.\n\n  * **Least Privilege:** Restrict `GITHUB_TOKEN` and use OIDC for short-lived cloud credentials.\n  * **Protected CI/CD:** Require maintainer approval for all first-time contributors before workflows run.\n  * **Peer Review:** Use `CODEOWNERS` to mandate that any change to `.github/workflows/` is reviewed by a security-conscious human, not just a tired maintainer.\n\n\n\n## further reading & resources\n\n  * GitHub's official guidance on script injection\n  * OpenSSF: Mitigating attack vectors in GitHub workflows\n  * Wiz.io: GitHub Actions security guide\n  * OpenSSF SCM best practices\n\n\n\n* * *\n\n**Source:** Christopher \"CRob\" Robinson, Chief Technology Officer & Chief Security Architect at OpenSSF / The Linux Foundation.",
  "title": "High severity GitHub Actions exploit: hackerbot-claw uses your ci/cd as a \"pwn-as-a-service\" platform",
  "updatedAt": "2026-03-04T02:48:47.563Z"
}