{ "Event": { "analysis": "1", "date": "2026-03-01", "extends_uuid": "", "info": "[Threat Intel] An AI-Powered Bot Actively Exploiting GitHub Actions - Microsoft, DataDog, and CNCF Projects Hit So Far", "protected": false, "publish_timestamp": "1772824066", "published": true, "threat_level_id": "2", "timestamp": "1772824066", "uuid": "dfa668b6-c364-4d9f-af52-d94a2f77f4b3", "Orgc": { "name": "Rectifyq", "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4" }, "Tag": [ { "colour": "#ffffff", "local": false, "name": "tlp:clear", "relationship_type": "" }, { "colour": "#004646", "local": false, "name": "type:OSINT", "relationship_type": "" }, { "colour": "#b94b1d", "local": false, "name": "rectifyq:mitre-att&ck=\"none-from-src\"", "relationship_type": "" }, { "colour": "#b94b1d", "local": false, "name": "rectifyq:mitre-att&ck=\"from-OTX\"", "relationship_type": "" }, { "colour": "#8e8779", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Container Orchestration Job - T1053.007\"", "relationship_type": "" }, { "colour": "#201172", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Compromise Software Dependencies and Development Tools - T1195.001\"", "relationship_type": "" }, { "colour": "#9feaf0", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Exploit Public-Facing Application - T1190\"", "relationship_type": "" }, { "colour": "#f95f85", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Credentials In Files - T1552.001\"", "relationship_type": "" }, { "colour": "#7628f7", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Unix Shell - T1059.004\"", "relationship_type": "" }, { "colour": "#e43954", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Disable or Modify Tools - T1562.001\"", "relationship_type": "" }, { "colour": "#59699c", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Valid Accounts - T1078\"", "relationship_type": "" }, { "colour": "#37ffb5", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Network Denial of Service - T1498\"", "relationship_type": "" }, { "colour": "#e1e63b", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"DLL Side-Loading - T1574.002\"", "relationship_type": "" }, { "colour": "#49a260", "local": false, "name": "rectifyq:category=\"threat\"", "relationship_type": "" }, { "colour": "#130049", "local": false, "name": "rectifyq:sub-category=\"campaign-analysis\"", "relationship_type": "" }, { "colour": "#18005c", "local": false, "name": "rectifyq:topic=\"ai\"", "relationship_type": "" }, { "colour": "#18005e", "local": false, "name": "rectifyq:topic=\"supply-chain\"", "relationship_type": "" }, { "colour": "#ffd12e", "local": false, "name": "rectifyq:target=\"broad-based\"", "relationship_type": "" }, { "colour": "#55acee", "local": false, "name": "rectifyq:MY-relevancy=\"potentially-relevant\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:online-service=\"3b16bb5a-eb4f-4603-a909-bebc5df4a46d\"", "relationship_type": "" }, { "colour": "#1a0065", "local": false, "name": "rectifyq:topic=\"crypto-related\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#3800d9", "local": false, "name": "rectifyq:action-taken=\"VT-comment\"", "relationship_type": "" }, { "colour": "#3d00e9", "local": false, "name": "rectifyq:action-taken=\"telegram\"", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1772593236", "to_ids": false, "type": "link", "uuid": "63a86092-011d-4aa1-a093-502ad83c5831", "value": "https://www.stepsecurity.io/blog/hackerbot-claw-github-actions-exploitation", "Tag": [ { "colour": "#770040", "local": true, "name": "workflow:todo=\"create-missing-misp-galaxy\"", "relationship_type": "" } ] }, { "category": "Other", "comment": "Description", "deleted": false, "disable_correlation": false, "timestamp": "1772593236", "to_ids": false, "type": "text", "uuid": "d2693117-ba9f-45a4-ad62-fdf920e01c4d", "value": "A week-long automated attack campaign targeted CI/CD pipelines across major open source repositories, achieving remote code execution in multiple targets. The attacker, an autonomous bot called hackerbot-claw, used five different exploitation techniques and successfully exfiltrated a GitHub token with write permissions from one of the most popular repositories on GitHub. The campaign targeted repositories belonging to Microsoft, DataDog, CNCF, and other popular open source projects. The attacks included token theft via poisoned Go scripts, direct script injection, branch name injection, filename injection, and AI prompt injection. The most severe attack resulted in a full repository compromise of Aqua Security's Trivy project. The campaign highlights the growing threat of AI-powered bots targeting software supply chains and the need for automated security controls in CI/CD pipelines." }, { "category": "Other", "comment": "Summary", "deleted": false, "disable_correlation": false, "timestamp": "1772593236", "to_ids": false, "type": "text", "uuid": "307160c8-99c2-47c8-89aa-f636b4b2651e", "value": "Name: An AI-Powered Bot Actively Exploiting GitHub Actions - Microsoft, DataDog, and CNCF Projects Hit So Far\nAuthor: AlienVault\nAdversary: hackerbot-claw\nTags: [\"ci/cd\", \"autonomous bot\", \"supply chain attack\", \"github actions\", \"open source\", \"token theft\", \"remote code execution\"]\nTgtd countries: []\nMlwr families: []\nAttack_ids: [\"T1053.007\", \"T1195.001\", \"T1190\", \"T1552.001\", \"T1059.004\", \"T1562.001\", \"T1078\", \"T1498\", \"T1574.002\"]\nIndustries: []" }, { "category": "Attribution", "comment": "Adversary", "deleted": false, "disable_correlation": false, "timestamp": "1772593236", "to_ids": false, "type": "threat-actor", "uuid": "2cf347a8-f651-4a10-9660-ddd72e1b3bef", "value": "hackerbot-claw" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1772813902", "to_ids": true, "type": "url", "uuid": "e0e4b94f-2772-4464-953d-4551fadbaf5e", "value": "http://hackmoltrepeat.com/molt", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1772813925", "to_ids": true, "type": "url", "uuid": "500e88da-4980-4cd1-bad6-6401d8be03ab", "value": "https://hackmoltrepeat.com/molt", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1772813946", "to_ids": true, "type": "url", "uuid": "530338fb-185b-40a4-8547-46cf5928b3dd", "value": "https://hackmoltrepeat.com/moult", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "Data exfiltration", "deleted": false, "disable_correlation": false, "timestamp": "1772813968", "to_ids": true, "type": "url", "uuid": "1b764a7f-430d-4c9d-832f-db3f8572999e", "value": "https://recv.hackmoltrepeat.com/", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "Payload hosting", "deleted": false, "disable_correlation": false, "timestamp": "1772813989", "to_ids": true, "type": "domain", "uuid": "514777cd-97ad-471c-88d6-7eec51c7e933", "value": "hackmoltrepeat.com", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "Data exfiltration", "deleted": false, "disable_correlation": false, "timestamp": "1772814012", "to_ids": true, "type": "hostname", "uuid": "faae7ff7-975b-455d-86c8-9542363b045c", "value": "recv.hackmoltrepeat.com", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Financial fraud", "comment": "Crypto wallets (listed on bot's profile)", "deleted": false, "disable_correlation": false, "timestamp": "1772805712", "to_ids": true, "type": "btc", "uuid": "2a0d354a-82d3-4b27-9a4b-3d7d2db7d0f2", "value": "bc1q49rr8zal9g3j4n59nm6sf30930e69862qq6f6u" } ], "Object": [ { "comment": "", "deleted": false, "description": "An address used in a cryptocurrency", "meta-category": "financial", "name": "coin-address", "template_uuid": "d0e6997e-78da-4815-a6a1-cfc1c1cb8a46", "template_version": "7", "timestamp": "1772805790", "uuid": "1d787408-1cbb-4080-813f-23a112417e06", "Attribute": [ { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "address-crypto", "timestamp": "1772805790", "to_ids": false, "type": "text", "uuid": "88ddf00e-a998-464f-b297-64686fdd4de0", "value": "0x6BAFc2A022087642475A5A6639334e8a6A0b689a" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "symbol", "timestamp": "1772805790", "to_ids": false, "type": "text", "uuid": "9d4043aa-e503-487a-b345-dba779b8ac86", "value": "ETH" } ] } ] } }