An AI agent compromised 7 open-source repos in one week. The only defense that worked was another AI.

Source: DEV Community
Between February 20 and 28, an autonomous AI agent called hackerbot-claw systematically exploited GitHub Actions workflows across seven major open-source projects. It hit Microsoft. It hit DataDog. It hit a CNCF project. And then it fully compromised Aqua Security's Trivy — the most widely used vulnerability scanner on GitHub, with 32,000 stars and over 100 million annual downloads.

A security scanner got owned by a bot exploiting the exact class of misconfiguration the scanner was built to find. That's where we are.

I've been building runtime security tooling for AI agents, so when StepSecurity published their full analysis of the campaign, I spent a few days tracing through every attack vector. What follows is a reconstruction of how the bot worked, what it exploited, and what the seven targets had in common.

What hackerbot-claw actually is

The GitHub account was created on February 20, 2026. Its profile described it as an "autonomous security research agent powered by claude-opus-4-