The Scanner That Got Scanned: Trivy's Double Breach, Hackerbot-Claw, and the AI-Automated Future of GitHub Actions Supply Chain Attacks
TL;DR: Trivy — one of the most trusted vulnerability scanners in the DevSecOps ecosystem — was breached twice in March 2026. An AI-powered bot named Hackerbot-claw exploited a misconfigured GitHub Actions workflow, exfiltrated a write-permission token, and force-pushed malicious artifacts into Trivy's VSCode extension and Docker images. A second attacker then force-poisoned 75 of 76 version tags, hitting 10,000+ downstream repos. The root cause: a "pwn request" workflow flaw, non-atomic secret rotation, and the industrialization of GitHub Actions scanning via AI bots. The prt-scan campaign (450+ attempts) confirms this is no longer a one-off — it's a playbook.
Background: Why Trivy Is a High-Value Target
Trivy is Aqua Security's flagship open-source vulnerability scanner. It scans Docker images, filesystems, Git repositories, and infrastructure-as-code for vulnerabilities, misconfigurations, and secrets. It runs natively inside GitHub Actions workflows across hundreds of thousands of organizations. It carries an official GitHub verified badge. It is the kind of tool that security teams trust implicitly — which is precisely what makes it a tier-one supply chain target.
If you can compromise Trivy's GitHub Action, you don't just compromise Trivy. You compromise every CI/CD pipeline that calls aquasecurity/trivy-action@v*. You get runner-level code execution, access to all secrets injected into that workflow, and the ability to poison artifacts further downstream.
This is the calculus the attackers understood.
Attack Timeline
February–March 1, 2026: Hackerbot-Claw Opens Fire
Starting in late February 2026, a campaign Grip Security and StepSecurity would later name Hackerbot-claw began systematically scanning open-source GitHub repositories for a specific class of misconfigured workflow: pull_request_target-triggered workflows that run code from untrusted fork PRs, the so-called "pwn request" vulnerability.
On March 1, StepSecurity published its research revealing the scope: Microsoft repositories, DataDog projects, and multiple CNCF-hosted repos had all been targeted during a 10-day campaign. The bot was not manually operated. It used AI-assisted automation to:
1. Enumerate public repositories with pull_request_target-triggered workflows
2. Identify whether those workflows ran untrusted code from forked PRs without adequate sandboxing
3. Automatically fork the repository, inject a payload, and open a pull request
4. Wait for the workflow to execute — then harvest credentials from the runner environment
The Trivy repository fell victim. A workflow misconfiguration gave the forked PR's code access to repository-scoped secrets including a GitHub token with write permissions. The exfiltration succeeded.
What Hackerbot-Claw Did With Write Access
Once the attackers held a Trivy write token, they moved through a short but impactful kill chain:
- Made the repository private and renamed it — a disorientation tactic designed to temporarily disable the 10,000+ repos pinning to the action
- Deleted GitHub releases — removing the legitimate release history and audit trail
- Pushed a malicious artifact into Trivy's VSCode extension on Open VSX — the extension marketplace used by non-Microsoft editors
Aqua Security's incident response removed the malicious extension, restored the repository, rotated secrets, and republished the latest version. What they could not fully guarantee: whether credential rotation was atomic.
March 20, 2026: The Second Breach — Tag Poisoning
Nineteen days later, the Trivy repository was attacked again.
This time the vector was different. The attacker — working from what Socket.dev's research confirmed was the residual access retained from the initial breach — force-pushed 75 of 76 version tags in the Trivy GitHub Actions repository. They did not need to exploit GitHub itself. They authenticated as a legitimate principal with write access, a position they had maintained through the incomplete rotation.
Socket researcher Philipp Burckhardt's analysis revealed a three-stage payload injected into the repository's entrypoint.sh:
Stage 1 — Secret Collection: The payload scanned the runner's process memory and environment for any injected secrets — GitHub tokens, AWS credentials, npm publish tokens, SSH keys, cloud API keys. Everything the CI pipeline had been given access to.
Stage 2 — Encryption: Collected secrets were encrypted before exfiltration, making in-transit detection harder and ensuring the payload could not be trivially intercepted by network inspection.
Stage 3 — Exfiltration: The encrypted blob was transmitted to attacker-controlled infrastructure.
The scope was substantial: any of the 10,000+ repositories that referenced aquasecurity/trivy-action using a mutable tag (e.g., @v0.69.4) — as opposed to a pinned commit SHA — automatically executed the malicious entrypoint.sh in their runners.
March 22, 2026: Docker Hub Compromise Discovered
Two days later, Socket published an update: compromised Docker images had appeared on Docker Hub. Tags 0.69.4, 0.69.5, and 0.69.6 all contained the same infostealer payload. The latest tag had pointed to a malicious image during the exposure window. The blast radius extended beyond GitHub Actions into any environment pulling Trivy Docker images for offline or air-gapped scanning.
Technical Deep-Dive: The "Pwn Request" Vulnerability Class
The Hackerbot-claw campaign succeeded because of one of the most well-documented — and chronically under-remediated — GitHub Actions vulnerability classes: the pull_request_target workflow trigger.
```yaml
# This workflow pattern is dangerous when combined with
# untrusted code execution from forked PRs
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  run-checks:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }} # <-- DANGER: checks out PR code
      - run: ./scripts/lint.sh # <-- executes untrusted code with repo-scoped permissions
```
The pull_request_target trigger was designed to let a workflow fired by a fork's pull request run in the context of the base repository, with access to its secrets and write permissions — necessary for commenting on PRs, adding labels, or publishing results. The problem: when developers combine it with a checkout of the PR's HEAD commit, they hand untrusted code the same elevated access the trigger provides.
An attacker who knows what to look for can:
1. Find repos using this pattern via GitHub's code search API
2. Fork the repo
3. Inject their payload into the checked-out script
4. Open a PR and wait for the CI workflow to self-execute
Hackerbot-claw automated every one of these steps. That is what makes this qualitatively different from manual exploitation.
The prt-scan Campaign: Industrialization Confirmed
While the Trivy post-mortem was playing out, Wiz's threat research team was tracking a parallel campaign that confirmed the trend: GitHub Actions exploitation has been industrialized.
The campaign, traced through branch naming patterns, operated under multiple GitHub accounts: testedbefore, beforetested-boop, 420tb, 69tf420, elzotebo, and ezmtebo. Its methodology:
1. Scan for public repos with pull_request_target triggers
2. Fork the repository
3. Create a branch with the naming convention prt-scan-{12-hex-chars} — a programmatic fingerprint that made attribution possible
4. Inject a malicious payload into a file executed during CI
5. Open a pull request
6. On successful trigger: harvest credentials, then attempt to publish malicious npm packages under the victim developer's identity
Across 450+ documented exploit attempts, Wiz observed a success rate below 10%. That sounds low. It isn't. At 450 attempts, even a 9% success rate yields 40+ compromised developer environments, each of which can cascade into downstream package poisoning.
The prt-scan campaign also referenced the TeamPCP/LiteLLM method in its payload comments — a detail that ties this attacker cluster to the broader April 2026 npm supply chain siege, suggesting shared tooling or crew overlap with the CanisterWorm and Namastex campaigns.
Root Cause Analysis: What Actually Went Wrong
Three systemic failures compounded into the Trivy double breach:
1. Workflow Misconfiguration (Structural)
The pull_request_target + untrusted checkout combination is a known anti-pattern. GitHub's own documentation warns against it. Yet it persists across thousands of repositories because the original workflow designers either didn't know or made a conscious tradeoff for feature functionality. The "Hackerbot-claw" campaign demonstrated that AI-assisted scanning can find these patterns at scale faster than human auditors can remediate them.
2. Non-Atomic Secret Rotation (Operational)
After the first breach, Aqua Security rotated secrets. But rotation is only effective if it is instantaneous and complete — if every valid credential from the pre-rotation window is simultaneously invalidated. What Trivy's maintainers acknowledged: "the rotation process was not fully atomic, and the attacker may have retained access to newly issued credentials." This gave the threat actor a 19-day window between breach and second compromise.
3. Mutable Tag References (Architectural)
The 10,000+ downstream repos that were impacted all shared one characteristic: they pinned to a mutable tag like aquasecurity/trivy-action@v0.69.4 rather than an immutable commit SHA like aquasecurity/trivy-action@abc123def456.... Mutable tags can be force-pushed. When they are, every workflow that references them runs the new, attacker-controlled code on next trigger — with no change required in the consuming repository.
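Added example, not code from the article or from Aqua: a Python check that compares two snapshots of `git ls-remote --tags` output for an action repository and reports every tag whose commit changed, which is what a force-pushed tag looks like from the consumer's side. The snapshots and hashes are constructed; the "moved tags converging on one commit" heuristic is an assumption of this example, not something the article states.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed `git ls-remote --tags` snapshots of a hypothetical action repo,
# before and after a tag rewrite. SHAs are made up; '^{}' lines are the
# peeled commits behind annotated tags, exactly as git prints them.
BEFORE = """\
1111111111111111111111111111111111111111\trefs/tags/v0.69.4
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\trefs/tags/v0.69.4^{}
bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb\trefs/tags/v0.69.5
cccccccccccccccccccccccccccccccccccccccc\trefs/tags/v0.69.6
"""
AFTER = """\
2222222222222222222222222222222222222222\trefs/tags/v0.69.4
dddddddddddddddddddddddddddddddddddddddd\trefs/tags/v0.69.4^{}
dddddddddddddddddddddddddddddddddddddddd\trefs/tags/v0.69.5
cccccccccccccccccccccccccccccccccccccccc\trefs/tags/v0.69.6
dddddddddddddddddddddddddddddddddddddddd\trefs/tags/v0.70.0
"""
LINE_RE = re.compile(r"^([0-9a-f]{40})\trefs/tags/(.+?)(\^\{\})?$")

def parse_ls_remote(text: str) -> Dict[str, str]:
    """Map tag name -> commit SHA, preferring the peeled entry so an
    annotated tag resolves to the commit a workflow would actually run."""
    tags: Dict[str, str] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip blank or unexpected lines
        sha, name, peeled = m.groups()
        if peeled or name not in tags:
            tags[name] = sha
    return tags

def moved_tags(before: str, after: str) -> List[Tuple[str, str, str]]:
    """(tag, old_sha, new_sha) for every tag present in both snapshots whose
    commit changed. Released tags should never move; a move is a force-push."""
    old, new = parse_ls_remote(before), parse_ls_remote(after)
    return sorted((t, old[t], new[t]) for t in old if t in new and old[t] != new[t])

def convergence_target(before: str, after: str) -> Optional[str]:
    """Heuristic (assumption, not from the article): if every moved tag now
    points at one and the same commit, that is the shape of a bulk rewrite
    rather than a maintainer correcting a single mis-tagged release."""
    targets = {new_sha for _, _, new_sha in moved_tags(before, after)}
    return targets.pop() if len(targets) == 1 else None
```

Run it on a nightly snapshot of each action repository you consume and alert on any non-empty result from `moved_tags`.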
Indicators of Compromise
| Indicator | Type | Notes |
|---|---|---|
| hackerbot-claw | GitHub username / campaign name | Initial Trivy exfiltration actor |
| testedbefore, beforetested-boop, 420tb, 69tf420, elzotebo, ezmtebo | GitHub usernames | prt-scan campaign accounts |
| Branch pattern prt-scan-[a-f0-9]{12} | Git branch naming | prt-scan exploitation branches |
| Trivy Docker tags 0.69.4, 0.69.5, 0.69.6 | Docker Hub | Malicious images (removed, March 22) |
| entrypoint.sh modifications in aquasecurity/trivy-action | File path | Payload delivery vector (March 20) |
| Unexpected VSCode extension artifact in Open VSX | Build artifact | March 1 malicious push |
| Runner secret exfil to external IP | Network behavior | Stage 3 payload output |
Lyrie Take: The AI-Automated Supply Chain Threat Is Here
Hackerbot-claw is not a curiosity. It is a proof-of-concept for a class of attack that Lyrie's threat intelligence has been tracking since late 2025: AI-assisted enumeration and exploitation of CI/CD misconfigurations at scale.
The economics are what should alarm you. Manual GitHub Actions auditing requires a security researcher to read YAML, understand workflow trigger semantics, fork repos, craft payloads, and manage exploitation timing. Skilled work. At 10 repos per day per researcher.
An AI-powered bot does the same work across thousands of repos per hour. The Hackerbot-claw campaign targeted Microsoft, DataDog, and CNCF projects — organizations with mature security programs — and succeeded against Trivy, a security tool created by a security company. If Aqua Security's own repo is not safe from this, your organization's repos almost certainly have the same pattern lurking somewhere in workflow YAML.
The Trivy case also illustrates a failure mode that Lyrie considers critical in 2026: the trusted tool as entry point. Security scanners, linters, test frameworks, and dependency auditors all run in CI with elevated privileges. They're trusted by definition. Compromise one and you've subverted the entire concept of DevSecOps pipeline security.
The anti-rogue-AI defense angle is direct: Hackerbot-claw is an early instance of autonomous offensive AI operating in the wild. It didn't achieve RCE at machine speed — it achieved credential harvest at machine speed. The progression from here is obvious. Lyrie's autonomous detection layer is designed to identify AI-generated exploitation patterns — the programmatic branch naming, the burst-mode PR creation, the non-human timing of workflow triggers — before the pipeline executes.
Defender Playbook
Immediate (this week):
1. Audit all pull_request_target workflows. Search your organization: grep -r "pull_request_target" .github/workflows/. For every hit, verify the workflow does NOT also checkout the PR HEAD or execute untrusted code.
2. Pin Actions to commit SHAs, not tags. Replace uses: aquasecurity/trivy-action@v0.69.4 with uses: aquasecurity/trivy-action@<full-commit-sha>. Tools like Dependabot and Renovate can automate this.
3. Audit GitHub token scopes. Confirm no workflow grants write permissions (contents: write, packages: write) unless strictly necessary. Use permissions: {} by default and elevate only what is needed.
4. Rotate all secrets if you've used mutable Trivy action tags before March 22, 2026. Assume your runners executed the malicious payload. Rotate all GitHub tokens, cloud credentials, npm tokens, and SSH keys stored as repo secrets.
Short-term (this month):
5. Deploy StepSecurity Harden-Runner or equivalent. Instrument your GitHub Actions runners to detect unexpected network egress from CI jobs. The Trivy payload exfiltrated encrypted blobs — that network call would have been anomalous in a properly monitored environment.
6. Enable GitHub's "Require approval for all outside collaborators" setting. This prevents fork PRs from automatically triggering workflows without maintainer review.
7. Subscribe to GitHub's security advisories for Actions you use. GitHub sends security advisories for compromised Actions. Treat these with P1 incident response priority.
Systemic (this quarter):
8. Inventory your entire Actions dependency graph. Know every third-party Action you call, what version you pin, and whether that pin is a SHA or a mutable tag.
9. Implement a SLSA L3+ build provenance requirement. SLSA (Supply-chain Levels for Software Artifacts) Level 3 requires cryptographic provenance attestation for every build. It makes tag-poisoning attacks observable.
10. Run periodic prt-scan pattern detection. Look for new PRs from accounts with no contribution history, branch names matching prt-scan-* or similar patterns, and CI trigger activity from forked repos you don't recognize.
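As an added example (not from the article or from any of the vendors it cites), a small Python audit covering playbook items 1 and 2 together with the "pwn request" pattern from the deep-dive: it flags workflows that combine pull_request_target with a checkout of the PR head, and every uses: reference that is not pinned to a full 40-hex commit SHA. The sample workflow text and the SHA inside it are constructed for the example.

```python
import re
from typing import Dict, List

# Constructed sample workflow modelled on the "pwn request" pattern from the
# deep-dive, with one mutable-tag pin and one SHA pin. Not from any real repo;
# the 40-hex SHA below is a made-up placeholder.
SAMPLE_WORKFLOW = """
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  run-checks:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: aquasecurity/trivy-action@v0.69.4
      - uses: actions/setup-go@0123456789abcdef0123456789abcdef01234567
      - run: ./scripts/lint.sh
"""

# Trigger that grants fork PRs the base repo's secrets and permissions.
PWN_TRIGGER_RE = re.compile(r"\bpull_request_target\b")
# Checkout of the PR head: the untrusted code ends up on the runner.
HEAD_REF_RE = re.compile(
    r"ref:\s*\$\{\{\s*(github\.event\.pull_request\.head\.(sha|ref)|github\.head_ref)\b")
USES_RE = re.compile(r"uses:\s*([\w.-]+/[\w./-]+)@([^\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def audit_workflow(text: str) -> List[Dict[str, str]]:
    """Return one finding per problem found in a single workflow file's text."""
    findings: List[Dict[str, str]] = []
    pwn_trigger = bool(PWN_TRIGGER_RE.search(text))
    checks_out_head = bool(HEAD_REF_RE.search(text))
    if pwn_trigger and checks_out_head:
        findings.append({"severity": "critical",
                         "issue": "pull_request_target workflow checks out the PR head"})
    elif pwn_trigger:
        findings.append({"severity": "medium",
                         "issue": "pull_request_target present; confirm no fork code runs"})
    for action, ref in USES_RE.findall(text):
        if not FULL_SHA_RE.match(ref):
            findings.append({"severity": "high",
                             "issue": f"{action} pinned to mutable ref {ref!r}, not a commit SHA"})
    return findings
```

Point it at every file under .github/workflows/ across the organization; a critical finding is the exact shape both Hackerbot-claw and prt-scan were hunting for.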
Sources
1. Grip Security / Security Boulevard — "GitHub Actions Supply Chain Attack: Trivy Breach & Workflow Risks Explained" (April 15, 2026): https://securityboulevard.com/2026/04/github-actions-supply-chain-attack-trivy-breach-workflow/
2. StepSecurity — "Hackerbot-claw: An AI-Powered Bot Actively Exploiting GitHub Actions — Microsoft, DataDog, and CNCF Projects Hit So Far" (March 1, 2026): https://www.stepsecurity.io/blog/hackerbot-claw-github-actions-exploitation
3. Socket.dev — "Trivy Under Attack Again: Widespread GitHub Actions Tag Compromise Exposes CI/CD Secrets" (March 20, 2026): https://socket.dev/blog/trivy-under-attack-again-github-actions-compromise
4. Socket.dev — "Unauthorized AI Agent Execution Code Published to OpenVSX in Aqua Trivy VSCode Extension" (March 2026): https://socket.dev/blog/unauthorized-ai-agent-execution-code-published-to-openvsx-in-aqua-trivy-vs-code-extension
5. The Hacker News — "Self-Propagating Supply Chain Worm Hijacks npm Packages to Steal Developer Tokens" (April 24, 2026): https://thehackernews.com/2026/04/self-propagating-supply-chain-worm.html
6. Wiz Threat Research — prt-scan campaign analysis (embedded in THN report, April 24, 2026)
7. The Register — "Another npm supply chain worm hits dev environments" (April 22, 2026): https://www.theregister.com/2026/04/22/another_npm_supply_chain_attack/
Lyrie.ai Cyber Research Division — Senior Analyst Desk
Lyrie Verdict
Lyrie's autonomous defense layer flags this class of exposure the moment it surfaces — no signature update required.