

Illustrated by Jeff Prymowicz
For as long as we've tracked them, the people on the other end of an attack have been exactly that, people. Professionalized, well-resourced, often state-funded or running like a business, but still human, and constrained by everything that being human implies. That constraint quietly shaped a decade of defensive strategy. It is now disappearing, and the security industry has not finished absorbing what that means.
The tell we used to rely on
Here's a detail that should feel strange in hindsight: for years, some of the most sophisticated adversaries on the planet worked a normal week.
When Mandiant published its APT1 report in 2013, one of the more damning pieces of evidence wasn't a piece of malware, it was a timesheet. Operator activity clustered around standard business hours in the attackers' home timezone and fell off on weekends. Subsequent timezone-of-activity analysis across other state-aligned groups found the same pattern again and again. These were disciplined, full-time operators, and they didn't bother to mask the one thing that gave away roughly where they sat: the clock. A spike in activity that tracks Beijing or Moscow office hours is a strong attribution signal, and for a long time defenders and threat intel teams leaned on it.
That signal existed because of a deeper constraint. A human operator can only pay attention to so much. Every target watched, every exploit chain babysat, every foothold maintained costs operator-hours, and operator-hours are finite. You staffed a campaign the way you staffed anything else: people, shifts, a backlog, priorities. The expensive, scarce resource was human attention. Defense implicitly assumed it. Plenty of misconfigurations were rationally deprioritized on the logic of who is actually going to find this, and would it be worth their time?
What changed
Agentic AI removes the bottleneck entirely.
An autonomous agent doesn't keep office hours. It doesn't get tired, doesn't take weekends, and doesn't betray a timezone, because it isn't operating on human attention at all. More importantly, the attacker no longer has to watch. The historical model required a person in the loop for reconnaissance, target triage, exploitation, and the judgment calls in between. The agentic model collapses all of that into a loop that runs unattended: scan, verify, exploit, move on. The operator doesn't have to pay attention to any individual target until the system reports back that access has been granted, and by then the work is done.
Tooling like OpenClaw, the viral open-source autonomous agent framework, is the emblem of this shift. It was never built to be an attack tool, but its design (broad system access, persistent memory, the ability to chain actions and write its own code for tasks it doesn't yet know how to do) is exactly what an attacker wants, and the ecosystem around it has already been turned to that purpose at scale: tens of thousands of exposed instances exploited, malicious "skills" poisoning its marketplace, honeypots logging exploitation attempts within minutes of exposure. The category, not any single tool, is the story. The marginal cost of pointing an autonomous agent at one more target has dropped to nearly zero.
The watershed: a vulnerability scanner gets owned by a bot
If you want the moment this stopped being theoretical, it's the compromise of Trivy.
Trivy is Aqua Security's open-source vulnerability scanner, one of the most widely deployed in the world, with north of 32,000 GitHub stars and over 100 million downloads a year. In late February 2026, an autonomous agent calling itself hackerbot-claw, self-described as a Claude-Opus-powered "security research" agent, fully compromised it. The irony writes itself: a scanner whose entire job is to catch misconfigurations got taken over through exactly the class of CI/CD misconfiguration it exists to flag.
The kill chain was a textbook pull_request_target "Pwn Request", a GitHub Actions workflow that runs with the base repo's secrets but checks out attacker-controlled fork code. The agent used it to steal a Personal Access Token, then used that token to delete every release, wipe the repository, strip its 32,000 stars, and publish a malicious VSCode extension under a trusted publisher identity. It wasn't a one-off. The same campaign systematically hit at least seven major open-source repositories, including projects from Microsoft, DataDog, a CNCF project, and the 140,000-star awesome-go, between February 20 and early March.
The detail that matters most for this argument is the shape of the operation. The bot claimed to have scanned tens of thousands of repositories for vulnerable workflows, then ran five different exploitation techniques customized to each target's specific configuration. As one analysis put it, this is precisely the kind of task an agent excels at: reading a YAML file, understanding the trust boundaries, finding the gap, exploiting it, and moving to the next one. A skilled human could do any single instance of that. No human does forty-seven thousand of them.
And the blast radius is still unfolding, which validates the uncomfortable suspicion that we haven't seen the full impact reported. Trivy was compromised a second time roughly three weeks later, because containment of the first incident was incomplete: a credential harvested in the original takeover was carried over and reweaponized to poison release tags and push trojanized binaries downstream. Supply-chain compromises have a long tail, and an attacker that never has to stop watching is well-suited to wait for it.
A note on attribution, because precision matters here: hackerbot-claw was not literally "OpenClaw." Its infrastructure naming echoes the OpenClaw/MoltBot ecosystem, but whether that's a real link or just naming overlap remains unconfirmed, and there are indications a known threat group may have been involved in the follow-on activity. The point isn't which agent. The point is that the operating model, autonomous, tireless, parallelized, unattended, is now demonstrably viable against hard targets.
“This wasn’t a human attacker working weekends. This was an autonomous bot scanning repos continuously. You can’t defend against automation with manual controls – you need automated guardrails,”.
Old paradigm vs. new
The contrast is worth stating plainly, because nearly every assumption flips:
- Working hours → always on. The 9-to-5 operator is gone. There is no off-shift to wait for, no weekend lull to exploit defensively.
- Timezone tells → no timezone. One of our cleaner attribution handles evaporates. Activity timing tells you nothing about who or where.
- Operator fatigue → no fatigue. Defenses that quietly relied on attackers giving up, losing interest, or moving to easier targets are betting against a system that doesn't get bored.
- Limited parallelism → effectively unlimited. "Who would bother finding this?" is no longer a risk control. Everything reachable gets found, fast.
- Attention as the scarce resource → access as the only thing that's scarce. The economics that shaped which attacks were "worth it" no longer hold.
What defenders should take from this
A few things follow directly.
The long tail of low-priority misconfigurations is now the front line. The CI/CD footguns we've documented for years, pull_request_target checkouts, over-scoped PATs, long-lived automation tokens bridging trust boundaries, were survivable partly because exploitation required someone to go looking. That assumption is dead. If a tireless scanner will find every exposed workflow within minutes, then "unlikely to be exploited" is no longer a valid reason to defer a fix.
Attribution strategy has to shift away from operational tells like timing and toward infrastructure, tooling fingerprints, and behavioral patterns that survive automation. The clock won't help you anymore.
And containment has to become atomic. The second Trivy compromise happened because rotation wasn't clean and the attacker still held a valid credential. Against a human, a sloppy-but-fast rotation might have outrun them. Against an agent that never stops watching for the gap, partial containment is no containment.
The human attention bottleneck was an invisible load-bearing wall in our threat models. It's been removed. The building is still standing, for now, but it's worth knowing which walls were holding it up.
Sources
- Mandiant, APT1: Exposing One of China's Cyber Espionage Units (2013), operator working-hours / timezone analysis. Available from Mandiant / Google Cloud.
- StepSecurity, "Hackerbot-Claw GitHub Actions Exploitation Campaign" and "Trivy Compromised a Second Time."
- The Hacker News, "Trivy Security Scanner GitHub Actions Breached" and "Trivy Hack Spreads Infostealer."
- Cybernews, "AI bot posing as 'security researcher' hacks major GitHub repos."
- Oasis Security, "ClawJacked: OpenClaw Vulnerability Enables Full Agent Takeover."
- Flare / Cyber Security News, "Multiple Hacking Groups Exploit OpenClaw Instances."
- Bitdefender, "Technical Advisory: OpenClaw Exploitation in Enterprise Networks."
- Cybernew, “Unprecedented GitHub hacking spree”
About The Author
Michael McCabe founded Cloud Security Partners in 2017 to create and implement security solutions for a select number of clients. Since then, Cloud Security Partners has grown to become a recognized leader in cloud and application security. Michael's focus on cloud-native software security coupled with his experience in cloud infrastructure and security enables him to help companies navigate security challenges with unique and client-tailored solutions.
Over the course of his career, Michael has led teams in startups and large financial institutions and guided them through their security journeys. He leads the OWASP Northern Virginia chapter, where he coordinated countless talks and meetups that hosted industry-leading experts. He has been a featured speaker at numerous conferences about application security, cloud security, and more.
When not chasing his two young sons around, Michael enjoys biking and being an amateur mechanic.
Stay in the loop.
Subscribe for the latest in AI, Security, Cloud, and more—straight to your inbox.