A very unique cybercriminal has recently made headlines after causing mayhem on GitHub. Hackerbot-Claw is not like any other cybercriminal; it is an AI bot that claims to exist for noble purposes, such as detecting errors in open-source code and fixing them. Unfortunately, Hackerbot-Claw does not appear to match its own description, as it has instead been causing major problems by hijacking various repositories and attempting to distribute malicious code in multiple ways. All of this is reportedly the work of an autonomous AI bot.
About Hackerbot-Claw
Cybernews reports that bot has been active on GitHub since February 20th. Since then the bot was on a spree, wrecking havoc, reportedly scanning over 47 thousand GitHub reposetories. As the cybernews report suggests, Hackerbot-Claw's name suggests that is based on OpenClaw, an open source AI agent. Despite Hackerbot-Claw presenting itself as a nobel creation, that "scans public repositories for misconfigured CI/CD, verifies them and leaves a note without impact", the reality is that it's actions where very different.
Hackerbot-Claw's GitHub Spree
Operating for over a week, the bot has targeted thousands of GitHub repositories, including those belonging to major corporations such as Microsoft. After pulling repositories, it scanned them, identified flaws, and then proceeded to compromise them, using on of 5 or so methods for each target. Awesome-go, a massive repository, was compromised through a technique known as function poisoning. Malicious code was injected to run daily, leading to remote code execution and the theft of access tokens. Reports indicate the bot made multiple attempts over many hours before finally succeeding.
Another incident involved Microsoft’s AI-discovery-agent repository, which was compromised through malicious code injected into a branch name, enabling remote code execution. According to Cybernews, numerous other repositories were affected using a wide range of techniques, with some only partially compromised while others suffered significant damage.
Ironically, the bot’s largest victim was a security scanning tool called Trivy, developed by Aqua Security. A company developer confirmed the attack in a GitHub post. The developer, using the name “Ïtaysk,” reported that one of their main repositories had been made private and renamed, with an empty repository left in its place. Several GitHub releases were also deleted. Most concerning was the discovery of a malicious artifact created for one of Trivy’s extensions, which had been pushed to the VSX marketplace.
Hijacking GitHub Repositories
StepSecurity published a detailed report explaining how the bot actually operates. It began by scanning repositories for small typos and vulnerabilities. Upon detecting one, the bot would fork the targeted repository to prepare a malicious payload, typically using one of five primary techniques it relied on.
After preparation, the bot submitted an innocent-looking commit to unsuspecting repositories, usually appearing as a minor fix such as correcting a typo. Although malicious code was not injected directly through this commit, the bot concealed a malicious branch with a similar name. It then triggered malicious activity on build servers responsible for compiling the code, ultimately leading to repository compromises. In the most severe cases, the bot obtained GitHub tokens and used them to modify repositories directly.
Bragging Online
If causing havoc was not enough, Hackerbot-Claw also maintained an online persona, openly bragging about its achievements on the internet. The previously mentioned figure of over 47,000 repositories scanned was first revealed by Hackerbot-Claw itself on a personal brag page hosted on GitHub.
AI Gone Rogue?
As the Cybernews report suggests, it remains unclear whether the bot was originally designed to operate this way or if it began with good intentions before going rogue and spiraling out of control. If that is the case, it raises an important question: why was it not stopped? Supporting this possibility is the fact that Hackerbot-Claw claimed to operate with good intentions and presented a seemingly plausible method of operation that, if implemented safely, could have helped repositories identify vulnerabilities or issues without being compromised.
Additionally, the bot accepted cryptocurrency donations in both Ethereum and Bitcoin. However, both wallets currently show no balance, which raises another question: would a hacker bot focused solely on causing havoc genuinely request donations? Many aspects of the incident remain unanswered, particularly as the developer behind the bot remains anonymous.
Conclusion
This is a highly unusual situation. While it is not the first automated AI-driven hacking campaign, it is among the more bizarre cases and one that appears to have had a noticeable impact, affecting even projects maintained by major corporations. The full extent of the damage caused by the bot remains unclear. GitHub also appears to have responded somewhat slowly, as despite the bot being active for over a week, it was only taken down today following the publication of the previously mentioned Cybernews article.
0 Comments