Security: Branch name injection in pr-auto-commit.yaml — actively exploited by hackerbot-claw #7311

@varunsh-coder

Summary

The pr-auto-commit.yaml workflow is vulnerable to shell command injection via branch names. The ${{ github.event.pull_request.head.ref }} expression is interpolated directly into run: blocks without sanitization, allowing an attacker to execute arbitrary commands on the GitHub Actions runner with access to repository secrets (including AUTO_COMMIT_PAT).

This vulnerability has already been exploited. On March 2, 2026, the account hackerbot-claw — an autonomous bot that has been attacking CI/CD pipelines across major open source projects — opened two PRs (#7308, #7309) with a malicious branch name designed to trigger code execution. The payload partially executed on the CI runner but failed due to a base64 encoding issue — not because of any security control.

Vulnerable Code

File: .github/workflows/pr-auto-commit.yaml

Primary injection point — "Push formatting changes" step (line ~97):

- name: Push formatting changes
  if: steps.check-changes.outputs.has_changes == 'true'
  run: |
    git push origin HEAD:${{ github.event.pull_request.head.ref }}

Secondary injection point — "Comment on PR" step (line ~119):

git pull origin ${{ github.event.pull_request.head.ref }}

Because the workflow uses pull_request_target, it runs in the context of the base repository with access to secrets and write permissions. The attacker controls the branch name (head.ref) via their fork.

Evidence from workflow runs

  • Run 22563211110 (PR Update bench.sh #7308): The injection step was skipped because has_changes was false — the trivial change to bench.sh didn't trigger formatting differences.

  • Run 22563415110 (PR Update execution.rs #7309): The injection step executed. The build log shows base64: invalid input, confirming the shell evaluated the command substitution. The full payload failed due to an encoding issue in the branch name, but the base64 -d command did run on the runner.

Impact

If the payload had succeeded, the attacker would have had access to:

  • AUTO_COMMIT_PAT — a Personal Access Token available as a secret in this workflow, which could be used to push commits, modify code, or potentially take over the repository (similar to what happened to aquasecurity/trivy in the same campaign)
  • GITHUB_TOKEN with contents: write and pull-requests: write permissions

Context

https://www.stepsecurity.io/blog/hackerbot-claw-github-actions-exploitation
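
Added example, not part of the original issue or the project's code: a small Python check that flags attacker-controlled `${{ ... }}` expressions inside `run:` scripts. It is applied to the step quoted above and to a constructed hardened variant that passes the branch name through an environment variable. The list of untrusted expressions, the `HEAD_REF` variable name and the function name are assumptions of this example.

```python
import re

# Expressions an outside contributor controls. This list is an assumption of
# the example and is not exhaustive.
UNTRUSTED = re.compile(
    r"\$\{\{\s*(github\.(?:head_ref|event\.pull_request\.(?:head\.ref|title|body)))\s*\}\}"
)
RUN_KEY = re.compile(r"^(\s*(?:-\s+)?)run:\s*(.*)$")

def find_run_injections(workflow_text):
    """Return (line_number, expression) for untrusted expressions in run: scripts."""
    findings = []
    key_col = None  # column of the `run:` key while inside its block scalar
    for num, line in enumerate(workflow_text.splitlines(), start=1):
        if key_col is not None:
            indent = len(line) - len(line.lstrip())
            if line.strip() and indent <= key_col:
                key_col = None  # dedent: the script block has ended
            else:
                findings += [(num, m.group(1)) for m in UNTRUSTED.finditer(line)]
                continue
        m = RUN_KEY.match(line)
        if m:
            if m.group(2)[:1] in ("|", ">"):
                key_col = len(m.group(1))
            else:  # single-line `run: command`
                findings += [(num, x.group(1)) for x in UNTRUSTED.finditer(m.group(2))]
    return findings

# The step quoted in the issue: the expression is pasted into the script text.
VULNERABLE = """\
- name: Push formatting changes
  if: steps.check-changes.outputs.has_changes == 'true'
  run: |
    git push origin HEAD:${{ github.event.pull_request.head.ref }}
"""

# Constructed hardened variant: the value reaches the shell only as data in an
# environment variable (HEAD_REF is a hypothetical name), quoted at use.
HARDENED = """\
- name: Push formatting changes
  if: steps.check-changes.outputs.has_changes == 'true'
  env:
    HEAD_REF: ${{ github.event.pull_request.head.ref }}
  run: |
    git push origin "HEAD:${HEAD_REF}"
"""

if __name__ == "__main__":
    print(find_run_injections(VULNERABLE))
    print(find_run_injections(HARDENED))
```

The check is line-based and only understands `run:` keys with block or single-line scalars, so treat a clean result as a first pass rather than proof that a workflow is safe.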
