We analyzed an autonomous bot (hackerbot-claw) that's actively scanning GitHub repos for exploitable Actions workflows. It hit Microsoft, DataDog, a CNCF project, and awesome-go (140k stars) achieving RCE in 4 out of 5 targets and exfiltrating a GITHUB_TOKEN. Full breakdown of the 5 attack techniques with evidence.
The root cause is workflows that grant trust to untrusted inputs: pull_request_target that checks out and executes fork code with repo secrets, ${{ }} expressions that interpolate branch names/filenames into shell commands unsanitized, and issue_comment triggers with no author_association check.
These attacks only work when maintainers opt into dangerous patterns without guardrails.
We analyzed an autonomous bot (hackerbot-claw) that's actively scanning GitHub repos for exploitable Actions workflows. It hit Microsoft, DataDog, a CNCF project, and awesome-go (140k stars) achieving RCE in 4 out of 5 targets and exfiltrating a GITHUB_TOKEN. Full breakdown of the 5 attack techniques with evidence.
safe to say the root cause is bad PRs (untrusted)?
The root cause is workflows that grant trust to untrusted inputs: pull_request_target that checks out and executes fork code with repo secrets, ${{ }} expressions that interpolate branch names/filenames into shell commands unsanitized, and issue_comment triggers with no author_association check.
These attacks only work when maintainers opt into dangerous patterns without guardrails.