Two supply chain attacks converged in late February and early March 2026, painting a picture of what developer-targeted threats look like in the age of AI agents.

The first is familiar: malicious packages masquerading as useful libraries. The second is new: a bot presenting itself as an autonomous security research agent that scans GitHub for exploitable CI/CD workflows, steals credentials, and, in the most audacious move, turns AI coding assistants against their users.

Five Malicious Rust Crates

Between late February and early March, a single threat actor published five Rust packages to crates.io:

  • chrono_anchor
  • dnp3times
  • time_calibrator
  • time_calibrators
  • time-sync

All five impersonated timeapi.io utilities, claiming to offer local time calibration without NTP. Their actual purpose: scanning developer environments for .env files and exfiltrating credentials, API keys, and tokens to a lookalike domain (timeapis[.]io).

This is supply chain attack 101: lookalike branding (a real service's name, a lookalike domain) wrapped around plausible functionality. But one crate showed more care in hiding its payload.

chrono_anchor buried its exfiltration logic in a file called guard.rs, invoked from an innocent-sounding “optional sync” helper function. No persistence mechanism, no service installation, and none was needed: a dependency runs whenever the project that pulls it in runs, so every CI/CD invocation that called the helper re-read the .env files and sent their contents out again. Every time a developer’s workflow ran, secrets leaked.

As Socket’s research team noted: “Low-complexity supply chain malware can still deliver high impact when it runs inside developer workspaces and CI jobs.”

The crates have been removed from crates.io. If you installed any of them, assume your secrets were exfiltrated: rotate every key and token in your .env files, and review the audit logs of the services behind those credentials for activity you do not recognise from the period the dependency was present.
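A quick way to check whether a project ever pulled in one of the five crates, written here as an added example; it is not Socket's tooling or code from the article. The crate names are the ones listed above; the Cargo.lock it parses is a constructed sample with made-up version numbers. It also reports which of your own packages depends on a hit, which tells you whose CI runs were exercising the malicious helper.

```python
"""Scan a Cargo.lock for the five malicious crates reported by Socket.

Added example: not Socket's tooling or code from the article. The crate names
are the ones listed above; SAMPLE_LOCK is a constructed lockfile whose
versions are made up."""
import re
from typing import List, Optional, Tuple

# Crate names as published on crates.io.
MALICIOUS_CRATES = {"chrono_anchor", "dnp3times", "time_calibrator", "time_calibrators", "time-sync"}

# Cargo.lock is TOML, but only the [[package]] tables matter here, so a small
# line parser does the job without a TOML dependency.
PACKAGE_HEADER = "[[package]]"
KV_RE = re.compile(r'^(name|version|source)\s*=\s*"([^"]*)"$')


def normalize(name: str) -> str:
    return name.replace("-", "_")  # crates.io treats '-' and '_' as the same name


def parse_cargo_lock(text: str) -> List[dict]:
    packages: List[dict] = []
    current: Optional[dict] = None
    in_deps = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == PACKAGE_HEADER:
            current = {"dependencies": []}
            packages.append(current)
            in_deps = False
        elif current is None:
            pass  # file header before the first package
        elif in_deps:
            if line == "]":
                in_deps = False
            elif line:  # entries look like "name", "name 1.2.3" or "name 1.2.3 (source)"
                current["dependencies"].append(line.strip('",').split()[0])
        elif line.startswith("dependencies = ["):
            in_deps = not line.endswith("]")  # "dependencies = []" is already closed
        else:
            m = KV_RE.match(line)
            if m:
                current[m.group(1)] = m.group(2)
    return packages


def find_malicious(packages: List[dict]) -> List[Tuple[str, str, str]]:
    """(name, version, source) for every locked package on the IOC list."""
    bad = {normalize(n) for n in MALICIOUS_CRATES}
    return [(p.get("name", "?"), p.get("version", "?"), p.get("source", "path (not from a registry)"))
            for p in packages if normalize(p.get("name", "")) in bad]


def dependents_of(packages: List[dict], crate: str) -> List[str]:
    """Packages that pull `crate` in: the code whose CI runs exercised the malicious helper."""
    target = normalize(crate)
    return sorted(p.get("name", "?") for p in packages
                  if any(normalize(d) == target for d in p["dependencies"]))


# Constructed sample lockfile (versions are made up).
SAMPLE_LOCK = """\
# This file is automatically @generated by Cargo.
version = 3

[[package]]
name = "chrono"
version = "0.4.38"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "chrono_anchor"
version = "0.1.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
 "chrono",
]

[[package]]
name = "my-service"
version = "0.3.0"
dependencies = [
 "chrono",
 "chrono_anchor",
]
"""

if __name__ == "__main__":
    pkgs = parse_cargo_lock(SAMPLE_LOCK)  # for a real check: open("Cargo.lock").read()
    for name, version, source in find_malicious(pkgs):
        print(f"MALICIOUS {name} {version} from {source}; used by {dependents_of(pkgs, name)}")
```

Run it against every Cargo.lock in your repositories and CI caches, not just the current checkout: the lockfile that mattered is the one the CI job used at the time, so check git history for the period as well.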

hackerbot-claw: The AI-Powered CI/CD Attacker

The more alarming story is hackerbot-claw, a GitHub account describing itself as “an autonomous security research agent.” Between February 21 and 28, it targeted at least seven repositories belonging to Microsoft, Datadog, Aqua Security, and others.

The attack pattern:

  1. Scan public repos for misconfigured GitHub Actions workflows
  2. Fork the target repository
  3. Open a pull request with a trivial change (a typo fix), hiding the payload in the branch name, a file name, or the PR’s own CI script
  4. Let the target’s CI run it: many workflows start automatically on pull requests, and some of them run with the repository’s secrets
  5. Steal secrets and access tokens from the build environment

The highest-profile target was aquasecurity/trivy, a widely used security scanner. hackerbot-claw exploited a pull_request_target workflow. Unlike pull_request, that trigger runs the job in the context of the base repository, with access to its secrets and a GITHUB_TOKEN that has write permission by default; the pattern becomes dangerous when the same workflow then checks out the PR head or interpolates PR-controlled fields (branch name, title, body) into a shell step, because external code or input now runs with those privileges. That combination let the bot steal a Personal Access Token (PAT) and take over the repository.
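A heuristic audit for the pattern just described, written here as an added example; it is not Trivy's workflow, StepSecurity's scanner or GitHub's tooling, and it is also one concrete way to do the workflow audit recommended at the end of this page. It reads workflow YAML line by line without a YAML library, so it catches the common layouts only: a pull_request_target trigger, a checkout of the PR head, untrusted PR fields interpolated into run: scripts, and write permissions. The two workflows inside it are constructed samples, the weak one beside its corrected form.

```python
"""Heuristic audit of a GitHub Actions workflow for the pull_request_target
pattern hackerbot-claw abused. Added example, not Trivy's workflow or
StepSecurity's or GitHub's tooling. It scans raw YAML line by line (no YAML
library), so a clean result means "nothing obvious", not "safe"."""
import re
from dataclasses import dataclass
from typing import List

# Fields an outside contributor controls (subset of GitHub's script-injection
# list). Interpolating them into run: is shell injection; pass them via env:.
UNTRUSTED_FIELDS = (
    "github.head_ref",
    "github.event.pull_request.title",
    "github.event.pull_request.body",
    "github.event.pull_request.head.ref",
    "github.event.issue.title",
    "github.event.comment.body",
)
EXPR_RE = re.compile(r"\$\{\{\s*(.+?)\s*\}\}")
RUN_RE = re.compile(r"^(\s*)(-\s+)?run:\s*(.*?)\s*$")
BLOCK_SCALARS = {"|", "|-", "|+", ">", ">-", ">+"}
TRIGGER_RE = re.compile(r"\bpull_request_target\b")
HEAD_CHECKOUT_RE = re.compile(  # checkout of the PR head (by sha or fork) in the privileged job
    r"^\s*(ref|repository):\s*\$\{\{.*(github\.event\.pull_request\.head|github\.head_ref)")
WRITE_PERM_RE = re.compile(r"^\s*(permissions:\s*write-all|[\w-]+:\s*write)\s*$")


@dataclass
class Finding:
    line: int
    kind: str  # trigger | checkout_head | injection | write_perms
    message: str


def audit_workflow(text: str) -> List[Finding]:
    findings: List[Finding] = []
    in_run_block, run_indent = False, 0  # tracking a multi-line `run: |` scalar
    for n, raw in enumerate(text.splitlines(), start=1):
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        if in_run_block and indent <= run_indent:
            in_run_block = False  # dedent ends the block scalar
        m = RUN_RE.match(raw)
        if m and m.group(3) in BLOCK_SCALARS:
            in_run_block, run_indent = True, indent + len(m.group(2) or "")
            continue
        if (m or in_run_block) and any(
                f in expr for expr in EXPR_RE.findall(raw) for f in UNTRUSTED_FIELDS):
            findings.append(Finding(n, "injection", "untrusted PR field interpolated into a run: script"))
        if TRIGGER_RE.search(raw):
            findings.append(Finding(n, "trigger", "pull_request_target: runs with base-repo secrets and a write token"))
        if HEAD_CHECKOUT_RE.match(raw):
            findings.append(Finding(n, "checkout_head", "PR head checked out: external code runs in the privileged job"))
        if WRITE_PERM_RE.match(raw):
            findings.append(Finding(n, "write_perms", "write permission granted"))
    return findings


def is_privileged_untrusted_execution(findings: List[Finding]) -> bool:
    """Privileged trigger plus PR code execution or PR data injected into a shell."""
    kinds = {f.kind for f in findings}
    return "trigger" in kinds and bool(kinds & {"checkout_head", "injection"})


# Constructed samples: the pattern described in the text, then a fixed version.
VULNERABLE_WORKFLOW = """\
on:
  pull_request_target:
permissions: write-all
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: |
          echo "Linting branch ${{ github.head_ref }}"
          make lint
        env:
          GH_TOKEN: ${{ secrets.REPO_PAT }}
"""

HARDENED_WORKFLOW = """\
on:
  pull_request:
permissions:
  contents: read
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - env:
          BRANCH: ${{ github.head_ref }}
        run: |
          echo "Linting branch $BRANCH"
          make lint
"""
```

The hardened version switches to pull_request (no secrets for fork PRs, read-only token), drops the head checkout, and passes the branch name through env: so the shell sees a variable rather than attacker-controlled text. A pull_request_target workflow that only labels or comments on PRs without checking out or interpolating anything is reported as a trigger finding but not as privileged untrusted execution.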

The VS Code Extension Weaponization

What happened next is what makes this attack genuinely novel.

With the stolen PAT, the attacker pushed malicious versions of Trivy’s VS Code extension (versions 1.8.12 and 1.8.13) to the Open VSX registry, the extension marketplace used by VSCodium and other non-Microsoft builds of VS Code. The injected code didn’t steal data directly. Instead, it executed the AI coding assistants installed on the developer’s machine:

  • Claude Code
  • Codex CLI
  • Gemini
  • GitHub Copilot CLI
  • Kiro CLI

The extensions launched these tools in their most permissive modes, the flags that skip every permission prompt, and instructed them to:

  1. Perform extensive system inspection
  2. Generate a report of all discovered information (files, configs, credentials, environment variables)
  3. Push the results to a GitHub repository called posture-report-trivy using the victim’s own authenticated GitHub CLI session

This is a new class of attack: weaponizing AI coding assistants as exfiltration tools. The attacker doesn’t need to write sophisticated malware. They just need to tell the victim’s own AI tools to gather and transmit sensitive information.

Pillar Security assessed that hackerbot-claw is likely a human operator using an LLM as an execution layer, tracking the activity under the name “Chaos Agent.”

The Iteration Pattern

Socket noticed something telling in the evolution from extension version 1.8.12 to 1.8.13:

“The first prompt scatters data across random channels with no reliable way for the attacker to collect the output. The second fixes that problem by using the victim’s own GitHub account as a clean exfiltration channel.”

The attacker was iterating. Version 1.8.12 was a rough draft. Version 1.8.13 refined the exfiltration method. This looks like someone using AI to write attack code, testing it in production, and improving rapidly.

The vulnerability is tracked as CVE-2026-28353. Aqua Security has removed the artifacts and revoked the compromised token. Users who installed versions 1.8.12 or 1.8.13 from Open VSX should remove them immediately, check their GitHub account for a posture-report-trivy repository or any other repository they did not create (keep a copy for investigation, then delete it, since it holds whatever the assistants collected), review the assistants’ session history for that period, and rotate all environment secrets.

Why This Matters for OpenClaw Users

These two attacks highlight converging risks for anyone running AI agents with tool access:

Your agent’s CLI tools are attack surfaces. The Trivy extension attack weaponized Claude Code, Codex, Gemini, and others — the same tools OpenClaw agents use. If a malicious extension or package can invoke your AI tools in permissive mode, your agent becomes the attacker’s hands.

CI/CD is the new perimeter. GitHub Actions, .env files, registry tokens — these are the high-value targets. If your OpenClaw agent has access to development environments, its credentials are targets too.

Pull requests are social engineering. hackerbot-claw’s technique — trivial typo fixes concealing CI exploitation — is indistinguishable from legitimate contributions at first glance. AI agents that auto-process PRs need to be especially careful.

Supply chain attacks don’t need to be sophisticated. Five crates with simple .env exfiltration logic ran for weeks before detection. When your agent installs dependencies, it trusts the registry. That trust is increasingly misplaced.

For OpenClaw configurations:

  • Restrict which CLI tools your agent can invoke: if Claude Code or Codex aren’t needed, don’t leave them on the agent’s path, and never let it pass the flags that skip their permission prompts
  • Lock down outbound network access in CI/CD environments, so that a build cannot reach a lookalike domain such as timeapis[.]io
  • Never store secrets in .env files accessible to untrusted code; keep them in the CI secret store and inject them only into the steps that need them
  • Audit GitHub Actions workflows for pull_request_target triggers that check out or interpolate PR-controlled input, and set permissions: to read-only wherever the job does not need to write
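One way to implement the first of these recommendations, written here as an added example; it is not OpenClaw’s configuration or any vendor’s code. The policy allowlists the binaries an agent may spawn and refuses the auto-approve flags of the AI assistants named in the Trivy attack. Flag names for Claude Code, Codex CLI, Gemini CLI and Copilot CLI are the ones those tools document at the time of writing; the Kiro CLI flag is an assumption, and the allowlist contents are placeholders for your own host. The gate also unwraps sh -c and splits pipelines, so the allowlist cannot be bypassed by wrapping the call in a shell.

```python
"""Gate the commands an agent may spawn: an allowlist of binaries plus a
refusal of the auto-approve flags of AI coding CLIs.

Added example for the recommendations above; not OpenClaw's configuration
or any vendor's code. Flag names for Claude Code, Codex CLI, Gemini CLI and
Copilot CLI are the ones those tools document at the time of writing; the
Kiro CLI flag is an assumption, and ALLOWED_BINARIES is a placeholder."""
import os
import shlex
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterator, List, Sequence, Tuple

# Only what this particular agent needs; everything else is refused.
ALLOWED_BINARIES: FrozenSet[str] = frozenset({"git", "cargo", "rg", "claude", "codex"})
# Flags that skip the assistant's permission prompts or sandbox.
PERMISSIVE_FLAGS: Dict[str, FrozenSet[str]] = {
    "claude": frozenset({"--dangerously-skip-permissions"}),
    "codex": frozenset({"--full-auto", "--dangerously-bypass-approvals-and-sandbox"}),
    "gemini": frozenset({"--yolo", "-y"}),
    "copilot": frozenset({"--allow-all-tools"}),
    "kiro-cli": frozenset({"--trust-all-tools"}),  # assumption: verify on your build
}
# Option/value pairs with the same effect (--option=value is normalised first).
PERMISSIVE_PAIRS: Dict[str, Tuple[Tuple[str, str], ...]] = {
    "codex": (("--sandbox", "danger-full-access"), ("--ask-for-approval", "never"), ("-a", "never")),
}
SHELLS = frozenset({"sh", "bash", "zsh", "dash"})
SEPARATORS = frozenset({"&&", "||", ";", "|", "&"})
SUBSTITUTION = ("$(", "`", "<(", ">(")  # hides a command from the tokenizer


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def _tokenize(cmdline: str) -> List[str]:
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)  # &&, ;, | become tokens
    lexer.whitespace_split = True
    return list(lexer)


def _expand_equals(tokens: List[str]) -> List[str]:
    out: List[str] = []
    for t in tokens:
        out.extend(t.split("=", 1) if t.startswith("--") and "=" in t else [t])
    return out


def _shell_c_argument(cmd: List[str]):
    """Script passed to `sh -c` / `bash -lc`, or None if this is not that."""
    for i, arg in enumerate(cmd[1:], start=1):
        if arg.startswith("-") and not arg.startswith("--") and "c" in arg and i + 1 < len(cmd):
            return cmd[i + 1]
    return None


def _commands(tokens: List[str]) -> Iterator[List[str]]:
    """Yield each simple command, splitting pipelines and unwrapping shells, so
    `bash -c "git status && claude --dangerously-skip-permissions"` is judged
    by its inner commands and not waved through as `bash`."""
    cmd: List[str] = []
    for t in list(tokens) + ["&&"]:  # sentinel flushes the last command
        if t not in SEPARATORS:
            cmd.append(t)
            continue
        if cmd:
            inner = _shell_c_argument(cmd) if os.path.basename(cmd[0]) in SHELLS else None
            if inner is None:
                yield _expand_equals(cmd)
            elif any(s in inner for s in SUBSTITUTION):
                yield ["<shell substitution>"]  # fails closed against the allowlist
            else:
                yield from _commands(_tokenize(inner))
        cmd = []


def check_command(argv: Sequence[str]) -> Decision:
    if not argv:
        return Decision(False, "empty command")
    for cmd in _commands(list(argv)):
        binary = os.path.basename(cmd[0])
        if binary not in ALLOWED_BINARIES:
            return Decision(False, f"{binary}: not on the allowlist")
        hit = PERMISSIVE_FLAGS.get(binary, frozenset()) & set(cmd[1:])
        if hit:
            return Decision(False, f"{binary}: refusing {sorted(hit)[0]}")
        for key, value in PERMISSIVE_PAIRS.get(binary, ()):
            if any(cmd[i] == key and cmd[i + 1] == value for i in range(1, len(cmd) - 1)):
                return Decision(False, f"{binary}: refusing {key} {value}")
    return Decision(True, "ok")
```

Call check_command(argv) from whatever spawns processes on the agent's behalf and refuse to exec when allowed is False. The gate fails closed on anything its tokenizer does not understand: command substitution, eval, or an environment-assignment prefix all leave a leading token that is not on the allowlist. It is a policy layer, not a sandbox; pair it with the network and secret-handling controls above.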

The era of AI agents attacking AI agents is here. hackerbot-claw is the proof of concept.

For more on the same threat class, see Claude Code MCP supply chain attacks, the MCP security crisis, and the GlicJack Chrome Gemini hijack.


Sources: The Hacker News, Socket, StepSecurity, Aqua Security Advisory