varunsharma07 commented on Hundreds of GitHub Python Repos Compromised via Account Takeover and Force-Push   stepsecurity.io/blog/forc... · Posted by u/varunsharma07
varunsharma07 · 9 hours ago
An attacker is compromising hundreds of GitHub accounts and injecting identical malware into hundreds of Python repositories. The earliest injections date to March 8, 2026, and the campaign is still active with new repos continuing to be compromised.
varunsharma07 commented on Hackerbot-Claw: AI Bot Exploiting GitHub Actions – Microsoft, Datadog Hit So Far   stepsecurity.io/blog/hack... · Posted by u/varunsharma07
aperi · 14 days ago
safe to say the root cause is bad PRs (untrusted)?
varunsharma07 · 14 days ago
The root cause is workflows that grant trust to untrusted inputs: pull_request_target that checks out and executes fork code with repo secrets, ${{ }} expressions that interpolate branch names/filenames into shell commands unsanitized, and issue_comment triggers with no author_association check.

These attacks only work when maintainers opt into dangerous patterns without guardrails.
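The three patterns named in the comment above, shown side by side as an added illustration (constructed for this page, not a workflow from StepSecurity or from any of the affected projects). The first document is the risky shape; the second is the same job written so a fork PR or a stranger's comment cannot reach secrets or inject into the shell. The `npm` commands and the `NPM_TOKEN` secret are placeholders.

```yaml
# RISKY shape (constructed example): trust granted to untrusted input
name: pr-check-unsafe
on:
  pull_request_target:             # runs with the base repo's write token and secrets...
  issue_comment:
    types: [created]               # ...and fires on any comment, from anyone
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}   # checks out the fork's code
      - run: npm install && npm test                        # executes it with a secret in scope
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
      - run: echo "Building ${{ github.head_ref }}"         # branch name templated straight into sh
---
# HARDENED shape (constructed example): same job, untrusted input kept at arm's length
name: pr-check
on:
  pull_request:                    # fork PRs get a read-only GITHUB_TOKEN and no secrets
  issue_comment:
    types: [created]
permissions:
  contents: read                   # least privilege for the token on every trigger
jobs:
  test:
    if: github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4   # default ref is the PR merge commit; nothing secret to leak
      - run: npm ci && npm test
      - run: echo "Building $BRANCH"   # untrusted value arrives via an env var, never via ${{ }} in the script
        env:
          BRANCH: ${{ github.head_ref }}
  slash-command:
    # only a repo owner/member/collaborator can trigger comment-driven work
    if: >-
      github.event_name == 'issue_comment' &&
      github.event.issue.pull_request &&
      contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)
    runs-on: ubuntu-latest
    steps:
      - run: printf '%s\n' "$COMMENT" | head -c 200   # comment body handled as data, not as script
        env:
          COMMENT: ${{ github.event.comment.body }}
```

The hardened version keeps `pull_request_target` out entirely; if a workflow genuinely needs write access for fork PRs (labelling, commenting), split it so the privileged job never checks out or runs the fork's code, and still keep the `author_association` gate and the env-var indirection shown here.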

varunsharma07 commented on Hackerbot-Claw: AI Bot Exploiting GitHub Actions – Microsoft, Datadog Hit So Far   stepsecurity.io/blog/hack... · Posted by u/varunsharma07
varunsharma07 · 14 days ago
We analyzed an autonomous bot (hackerbot-claw) that's actively scanning GitHub repos for exploitable Actions workflows. It hit Microsoft, Datadog, a CNCF project, and awesome-go (140k stars), achieving RCE in 4 out of 5 targets and exfiltrating a GITHUB_TOKEN. Full breakdown of the 5 attack techniques with evidence.
varunsharma07 commented on Cline Supply Chain Attack: Cline 2.3.0 Silently Installs OpenClaw   stepsecurity.io/blog/clin... · Posted by u/varunsharma07
varunsharma07 · 25 days ago
cline@2.3.0 was published with a malicious post-install script that silently installs OpenClaw on any machine running npm install.

u/varunsharma07

Karma: 189 · Cake day: July 3, 2021
About
Founder of StepSecurity (https://www.stepsecurity.io)