OpenSSF Siren published a TLP:CLEAR advisory (March 1, 2026) about an ongoing attack campaign called “hackerbot-claw”. This is being exploited in the wild right now.
Advisory:
- https://lists.openssf-vuln.org/g/siren/topic/security_advisory_active/118095011
- https://www.stepsecurity.io/blog/hackerbot-claw-github-actions-exploitation
What they’re doing
Attackers are scanning public repositories for weak GitHub Actions setups and chaining together common CI mistakes, for example:
- Misusing `pull_request_target`
- Checking out and running fork code in privileged workflows
- Modifying scripts in PRs that later get executed by CI
- Injecting shell via untrusted expressions like `${{ github.event.pull_request.title }}`
- Sneaking commands through branch names or file paths
A simple but dangerous example:

```yaml
run: echo "${{ github.event.pull_request.title }}" | sh
```

If you interpolate untrusted `${{ }}` values directly into `run:` steps, you're effectively handing the shell attacker-controlled input.
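The safe pattern for the same step, as an added example that is not from the advisory or the original post: the untrusted value is bound to an environment variable in the step's `env:` block, so the expression is expanded by the Actions runner before the shell starts and the shell only ever sees `"$PR_TITLE"` as data. The step and variable names are my own; the `github.head_ref` line shows that the same rule covers branch names, which the post also lists as an injection vector.

```yaml
# Added example (not from the original post). Pass untrusted PR metadata
# through env vars instead of interpolating ${{ }} into the command text.
- name: Log PR metadata safely   # step name is an assumption
  env:
    # Both values are attacker-controlled on a PR from a fork.
    PR_TITLE: ${{ github.event.pull_request.title }}
    HEAD_REF: ${{ github.head_ref }}
  run: |
    # Double-quoted variable expansion: the shell treats the contents as a
    # single word, never as commands, even if the title contains `;`, `$(...)`
    # or backticks. printf is used rather than echo so a title starting with
    # "-n" or "-e" is not parsed as an echo option.
    printf 'PR title: %s\n' "$PR_TITLE"
    printf 'Head ref: %s\n' "$HEAD_REF"
```

zizmor's `template-injection` check flags the vulnerable form (expression inside `run:`) and is silent on this one, which is a quick way to confirm a fix landed everywhere.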
The underlying issues are not new. The security community has warned about these patterns for years. What’s different now is automation. This campaign appears to use AI to scan and exploit repositories at scale. Weak configurations don’t stay unnoticed anymore.
What I’d recommend
- Avoid `pull_request_target` unless you really need it
- Never run untrusted fork code in privileged workflows
- Don’t expand untrusted `${{ }}` expressions directly in shell commands
- Explicitly restrict `GITHUB_TOKEN` permissions (default to `contents: read`)
- Require review for changes under `.github/workflows/*`
- Pin third-party actions by commit SHA
- Rotate secrets if you’re unsure what may have run
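A minimal BEAM CI workflow that applies the first, second, fourth and sixth points above, as an added example rather than the Elixir project's own workflow: it triggers on `pull_request` (so fork PRs run with a read-only token and no repository secrets), sets `GITHUB_TOKEN` to `contents: read` at the top level, and pins both actions to a full commit SHA. The SHAs are placeholders you must replace with the real commit of the tag you want; `erlef/setup-beam` and its `otp-version`/`elixir-version` inputs are real, but the version numbers are an assumption.

```yaml
# Added example (not the Elixir project's workflow).
name: ci

on:
  # pull_request, not pull_request_target: the job runs in the context of the
  # fork's merge commit, with a read-only GITHUB_TOKEN and no secrets, so the
  # PR author's code cannot reach anything privileged.
  pull_request:
  push:
    branches: [main]

# Least privilege for GITHUB_TOKEN across every job in this file. Add scopes
# per job only where a step actually needs them.
permissions:
  contents: read

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      # Pin by full commit SHA, not a mutable tag. The trailing comment
      # records the human-readable version so Dependabot/Renovate can bump it.
      # PLACEHOLDER: replace with the 40-char SHA of the actions/checkout release you choose.
      - uses: actions/checkout@0000000000000000000000000000000000000000 # vX.Y.Z (placeholder)

      # PLACEHOLDER: replace with the 40-char SHA of the erlef/setup-beam release you choose.
      - uses: erlef/setup-beam@0000000000000000000000000000000000000000 # vX.Y.Z (placeholder)
        with:
          otp-version: "27"     # assumption: pick the versions your project supports
          elixir-version: "1.18"

      - name: Run tests
        run: |
          mix deps.get
          mix test
```

Two things this file deliberately does not do: it never checks out `github.event.pull_request.head.sha` under a privileged trigger, and it contains no `${{ }}` inside a `run:` block. If a workflow genuinely needs `pull_request_target` (for example, to label PRs), keep that job free of any checkout of the PR head and give it only the `pull-requests: write` scope it needs. Pair this with a `CODEOWNERS` entry for `.github/workflows/` so changes to these files require maintainer review.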
It’s also worth adding automated checks:
We recently enabled zizmor in Elixir:
https://github.com/elixir-lang/elixir/pull/15114
If you maintain BEAM projects, it’s a good moment to re-check your workflows.