Security: Branch name injection in `pr-auto-commit.yaml` — actively exploited by hackerbot-claw

[varunsh-coder]

Summary

The pr-auto-commit.yaml workflow is vulnerable to shell command injection via branch names. The ${{ github.event.pull_request.head.ref }} expression is interpolated directly into run: blocks without sanitization, allowing an attacker to execute arbitrary commands on the GitHub Actions runner with access to repository secrets (including AUTO_COMMIT_PAT).

This vulnerability has already been exploited. On March 2, 2026, the account hackerbot-claw — an autonomous bot that has been attacking CI/CD pipelines across major open source projects — opened two PRs (#7308, #7309) with a malicious branch name designed to trigger code execution. The payload partially executed on the CI runner but failed due to a base64 encoding issue — not because of any security control.

Vulnerable Code

File: .github/workflows/pr-auto-commit.yaml

Primary injection point — "Push formatting changes" step (line ~97):

- name: Push formatting changes
  if: steps.check-changes.outputs.has_changes == 'true'
  run: |
    git push origin HEAD:${{ github.event.pull_request.head.ref }}

Secondary injection point — "Comment on PR" step (line ~119):

git pull origin ${{ github.event.pull_request.head.ref }}

Because the workflow uses pull_request_target, it runs in the context of the base repository with access to secrets and write permissions. The attacker controls the branch name (head.ref) via their fork.

Evidence from workflow runs

• Run 22563211110 (PR Update bench.sh #7308): The injection step was skipped because has_changes was false — the trivial change to bench.sh didn't trigger formatting differences.

• Run 22563415110 (PR Update execution.rs #7309): The injection step executed. The build log shows base64: invalid input, confirming the shell evaluated the command substitution. The full payload failed due to an encoding issue in the branch name, but the base64 -d command did run on the runner.

Impact

If the payload had succeeded, the attacker would have had access to:

• AUTO_COMMIT_PAT — a Personal Access Token available as a secret in this workflow, which could be used to push commits, modify code, or potentially take over the repository (similar to what happened to aquasecurity/trivy in the same campaign)
• GITHUB_TOKEN with contents: write and pull-requests: write permissions

Context

https://www.stepsecurity.io/blog/hackerbot-claw-github-actions-exploitation

[varunsh-coder]

Tagging @youknowone @coolreader18

[youknowone]

Thank you so much for the report! Does #7310 fixed this issue?

[linghengqian]

It appears the attacker deleted their GitHub account, making it impossible to verify if any other unpatched vulnerabilities exist. Frankly, I'm not sure if the account deletion was done by a human or by OpenClaw; the whole incident seems particularly absurd.

[fanninpm]

It appears the attacker deleted their GitHub account, making it impossible to verify if any other unpatched vulnerabilities exist. Frankly, I'm not sure if the account deletion was done by a human or by OpenClaw; the whole incident seems particularly absurd.

I hope you're not thinking that @varunsh-coder was the one who set up the hackerbot-claw account in the first place.

[linghengqian]

It appears the attacker deleted their GitHub account, making it impossible to verify if any other unpatched vulnerabilities exist. Frankly, I'm not sure if the account deletion was done by a human or by OpenClaw; the whole incident seems particularly absurd.

I hope you're not thinking that @varunsh-coder was the one who set up the hackerbot-claw account in the first place.

I obviously wouldn't think that way. After all, I noticed this bot account from rancher-sandbox/rancher-desktop#9942 .

[youknowone]

Though the article says attack to RustPython was not successful, I replaced PAT to new token yesterday.

[youknowone]

different attack happened but the behavior was very smilar: #7369

tags were deleted