A sophisticated supply chain attack campaign, dubbed 'prt-scan' by security researchers, has been exploiting a common GitHub Actions misconfiguration to compromise open source projects. The campaign, which began in early March 2026, represents the second such AI-assisted attack in recent months, following the 'hackerbot-claw' campaign that targeted high-profile repositories in late February.
Attack Overview
The threat actor behind prt-scan used automated tools, likely augmented by artificial intelligence, to identify GitHub repositories configured with the pull_request_target workflow trigger. This trigger automatically runs workflows in the context of the main repository when a pull request is submitted, even from untrusted forks. Because the workflow executes with full repository permissions, an attacker can steal API keys, cloud credentials, and other sensitive data if the workflow is not properly restricted.
Over a period of roughly three weeks, the attacker opened more than 500 malicious pull requests across six distinct waves, using six different GitHub accounts that researchers linked to a single actor. The campaign first appeared on March 11 and continued through April 2, when it was detected by Aikido Security researcher Charlie Eriksen. Subsequent analysis by cloud security vendor Wiz revealed the full scope of the operation.
Execution and Impact
The attacker's playbook involved scanning repositories for the pull_request_target trigger, forking those repositories, creating a branch with hidden malicious code disguised as a routine update, and then tricking the project into running the workflow automatically. The payload was designed to steal environment variables, tokens, and other credentials. However, despite the sophistication of the payload design, the actual implementation was flawed. Researchers at Wiz noted that the attack chain used techniques that would rarely work in practice, suggesting the attacker did not fully understand GitHub's permissions model.
Nevertheless, the sheer scale of the campaign led to dozens of successful compromises. Fewer than 10% of the exploitation attempts succeeded, but that still resulted in at least two npm packages being compromised. In most cases, the attacks targeted small hobbyist projects, exposing only ephemeral GitHub credentials. However, the broader takeaway for organizations is the alarming ease with which AI-augmented automation can enable large-scale supply chain attacks. Low-sophistication attackers can now launch campaigns across hundreds of targets in a fraction of the time previously required.
Historical Context: The Rise of AI-Augmented Attacks
The prt-scan campaign follows closely on the heels of the hackerbot-claw campaign, which in late February exploited the same pull_request_target misconfiguration to steal GitHub tokens, secrets, and cloud credentials from high-profile repositories. That campaign was shorter and more targeted, while prt-scan cast a wider net. Security researchers believe both campaigns demonstrate a growing trend: threat actors are increasingly using AI to automate reconnaissance, payload generation, and exploitation at scale.
GitHub Actions is widely used in software development for continuous integration and continuous deployment (CI/CD). The pull_request_target trigger is intended for workflows that require access to repository secrets, such as deploying code or running tests. However, when used carelessly on untrusted pull requests, it becomes a critical security hole. Although this is a well-documented misconfiguration, many projects still enable the trigger without proper safeguards, making them vulnerable to attacks like prt-scan.
Security Recommendations
In response to the campaign, security researchers have published indicators of compromise (IoCs) for the prt-scan attacker accounts and malicious payloads. Organizations are urged to audit their GitHub Actions workflows to identify any use of pull_request_target with pull requests from untrusted forks. Where possible, workflows should be restructured to avoid exposing sensitive secrets. Alternatives include using pull_request (which runs in the context of the forked repository, without access to the base repository's secrets), or implementing strict permissions and environment restrictions.
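The workflow audit recommended above can be sketched as follows. This is an added example, not code from the researchers or from GitHub: the audit helper, its finding names, and both sample workflows are constructed for illustration, and the check is a text heuristic rather than a full YAML parse.

```python
import re

# Constructed sample workflows, not taken from any real repository.
RISKY = """\
on:
  pull_request_target:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}  # fork-controlled code
      - run: npm ci && npm test
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
"""

SAFER = """\
on: [pull_request]  # fork PRs run without repository secrets
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test
"""

def audit(workflow_text):
    """Heuristic text audit of one workflow file (hypothetical helper)."""
    text = re.sub(r"(?m)(^|[ \t])#.*$", "", workflow_text)  # drop YAML comments
    if not re.search(r"\bpull_request_target\b", text):
        return []
    findings = ["pull_request_target-trigger"]
    # Referencing the PR head pulls fork-controlled code into the base repo's context.
    if re.search(r"github\.event\.pull_request\.head\.(sha|ref)|github\.head_ref", text):
        findings.append("references-fork-head")
    if re.search(r"\$\{\{\s*secrets\.", text):
        findings.append("references-secrets")
    # No permissions block means the token keeps the repository's default scope.
    if not re.search(r"(?m)^\s*permissions\s*:", text):
        findings.append("no-explicit-permissions")
    return findings

if __name__ == "__main__":
    for name, wf in (("risky", RISKY), ("safer", SAFER)):
        print(name, audit(wf))
```

To audit a repository, pass the contents of each file under .github/workflows to audit and review by hand any workflow that reports more than the trigger finding.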
Wiz also recommended enabling token-scoped credentials, rotating secrets regularly, and reviewing all open pull requests for suspicious activity. The security vendor emphasized that while the prt-scan campaign had a flawed execution, future AI-augmented attacks will likely become more refined, making it essential for organizations to harden their CI/CD pipelines now.
The attack highlights a broader issue in software supply chain security: the ease with which automated tools can probe and exploit misconfigurations at scale. As AI continues to lower the barrier to entry, more threat actors will adopt similar techniques. The open source community and enterprise developers alike must remain vigilant, continuously updating their security practices to keep pace with evolving attacker tactics.
While the prt-scan campaign may not have achieved deep penetration into production systems, it serves as a wake-up call. The combination of AI automation and widespread misconfiguration creates a recipe for more frequent and damaging supply chain attacks in the near future.
Source: Dark Reading News