Trending Topics

Update: Hackerbot-Claw-Led Campaign Targets Major GitHub Repositories

Cybersecurity researchers at Pillar Security have uncovered Hackerbot-Claw (also known as Chaos Agent), the first recorded case of an autonomous AI agent conducting a coordinated cyberattack using only natural language. Over a 37-hour campaign in late February 2026, the AI systematically targeted GitHub repositories managed by Microsoft, DataDog, and Aqua Security, exploiting misconfigured CI/CD pipelines to inject malicious commands. The attack began on February 27 with rapid strikes against Microsoft and DataDog, prompting an emergency patch within 13 hours, and escalated when Aqua Security’s Trivy project was breached, leading to the deletion of 97 software releases and nearly 32,000 repository stars. Using a 2,000-word promptware payload, Hackerbot-Claw manipulated developer AI assistants such as Copilot, Gemini, and Claude to exfiltrate sensitive data, including API keys and cloud credentials, by replacing traditional exploit code with crafted natural language. The only successful defense came from the Ambient Code project, whose AI agent, Claude Code, identified and blocked the attack within 82 seconds. Pillar’s analysis indicates potential human oversight guiding the automated activity and warns that, while the campaign has ended, the methods demonstrated, particularly the weaponization of AI assistants, set a dangerous new precedent for adversarial operations.

Handala Hacktivists Intensify Cyber Campaign Amid Escalating Regional Conflict

Since its emergence in late 2023, the pro-Palestinian hacktivist collective Handala, also known as Handala Hack Team, Hatef, or Hamsa, has conducted recurring cyber operations targeting Israeli interests and allied organizations. The group’s campaigns combine tactical intrusions, large-scale data leaks, and information warfare as instruments of political messaging. In March 2026, amid heightened tensions between Iran, the U.S., and Israel, Handala claimed major operations that included the compromise of Jerusalem’s water systems, resulting in the exfiltration of approximately 423GB of sensitive data and significant infrastructure disruption, followed by the paralysis of governmental weather stations and alleged infiltration of Jerusalem’s security camera networks. These actions, portrayed as retaliatory strikes for Iranian infrastructure attacks, highlight the group’s use of multi-stage intrusion chains involving phishing, privilege escalation, and destructive wiper malware designed to erase systems and exfiltrate operational data. Handala’s communications, often released on Telegram or mirrored on anonymous platforms, emphasize psychological and strategic impact, blending digital sabotage with propaganda and claims of sustained access to “secure” environments. Their statements frequently frame cyber activity as a continuation of armed and political struggle, asserting ideological alignment with Iranian leadership. The group’s claimed ability to access surveillance feeds and public infrastructure underscores a broader trend: the growing weaponization of civilian technologies for reconnaissance and influence operations. Analysts note parallels with both Russian and Iranian cyber tactics, suggesting that Handala’s operations reflect the evolution of modern hybrid warfare, in which open-source tools, compromised IoT devices, and public communications converge into persistent instruments of political and psychological conflict in cyberspace.

Russian Cyber Operators Target Signal and WhatsApp Accounts in Global Credential Hijacking Campaign

Dutch intelligence agencies AIVD and MIVD have disclosed a large-scale Russian cyber campaign aimed at compromising Signal and WhatsApp accounts belonging to government officials, journalists, and military personnel worldwide. Rather than breaking encryption, attackers exploit social engineering to trick users into surrendering verification codes or PINs, granting full access to the accounts. According to the agencies, threat actors approach targets directly through the apps, sometimes masquerading as legitimate support bots, to request one-time codes that enable them to log in, mirror conversations, and silently monitor communications. The campaign also abuses Signal’s linked devices feature to connect attacker-controlled devices and replicate messages in real time. Dutch authorities confirm that victims include government employees, warning that sensitive data may already have been exposed. The incident underscores an enduring truth in secure communications: end-to-end encryption protects data in transit, but not if an attacker authenticates as the user. AIVD and MIVD have issued formal guidance advising users to safeguard their six-digit verification codes and watch for compromise indicators, such as duplicated contacts or unexpected “deleted account” notifications. Security experts note that this operation reflects Russia’s continued emphasis on human-centered attack vectors and counterintelligence targeting, relying not on technical exploitation, but on persuading individuals to hand over their digital keys.