Biphoo.eu - Guest Posting Services

AI-Assisted Supply Chain Attack Targets GitHub

May 16, 2026  Twila Rosenbaum

A sophisticated AI-assisted supply chain attack has been targeting open source software repositories on GitHub, exploiting a well-known misconfiguration in GitHub Actions. Known as 'prt-scan,' the campaign began in early March 2026 and represents the second such attack in recent weeks to leverage automated targeting of the pull_request_target workflow trigger.

Campaign Overview

Cloud security vendor Wiz identified the campaign after initial detection by researcher Charlie Eriksen at Aikido Security. The attacker opened over 450 malicious pull requests across multiple waves using six different GitHub accounts, all linked to a single threat actor. Fewer than 10% of these attempts succeeded, but the attacker still managed to compromise at least two NPM packages and potentially access credentials from dozens of targeted repositories.

The attack began on March 11 with a testing phase involving 10 pull requests. After a two-week hiatus, the attacker resumed operations on April 2 at a velocity that strongly suggested the use of AI-enabled automation. Over a 26-hour period, the threat actor submitted roughly 475 pull requests containing a sophisticated payload designed to steal credentials and secrets from GitHub workflows.

The Vulnerability: pull_request_target

GitHub Actions allows developers to automate workflows triggered by events such as pull requests. The pull_request_target trigger is designed to run workflows in the context of the base repository rather than the forked branch, which gives the workflow access to repository secrets and elevated permissions. However, when used on untrusted pull requests without proper restrictions, it becomes a serious misconfiguration that attackers can exploit. By submitting a malicious pull request, an attacker can execute code within the repository's environment and steal API keys, cloud credentials, or other sensitive data.

This vulnerability is well documented, yet many organizations continue to use pull_request_target insecurely, making them prime targets for automated exploitation.

Attack Methodology

The prt-scan attacker followed a consistent playbook. First, they scanned public GitHub repositories to identify those using pull_request_target in their workflows. Then they forked each target repository, created a new branch with malicious code disguised as routine updates, and submitted a pull request. If the repository's workflow ran automatically, the malicious payload would execute, attempting to steal environment variables, tokens, and cloud credentials stored in GitHub secrets.

Wiz's analysis revealed that the attacker's payload was ambitious but poorly implemented. The multi-phase payload used techniques that an experienced security expert would recognize as illogical and rarely effective in practice. This suggests the threat actor may have automated the creation of exploit code but lacked a deep understanding of GitHub's permissions model. Nonetheless, the sheer volume of attempts—over 500 total—meant that even a 10% success rate translated into dozens of compromised repositories.

Interestingly, the majority of successful attacks targeted small hobbyist projects rather than high-profile organizations. The exposed credentials were often ephemeral GitHub tokens limited to the repository, rather than production cloud credentials. However, in some cases, the attacker did gain access to persistent API keys and other sensitive data.

Comparison to Previous Campaigns

The prt-scan campaign follows the 'hackerbot-claw' campaign, which occurred in late February 2026. Hackerbot-claw was more targeted and had a shorter duration, focusing on high-profile repositories. It also exploited pull_request_target but used a more conventional approach without obvious AI augmentation. In contrast, prt-scan used AI to scale the attack dramatically, hitting hundreds of targets indiscriminately.

Wiz researchers noted that the AI-assisted automation allowed a low-sophistication attacker to launch a large-scale supply chain attack with minimal effort. The campaign serves as a warning that AI tools are lowering the barrier to entry for cybercriminals, enabling them to automate reconnaissance, exploit generation, and payload delivery across thousands of potential victims.

Broader Implications for Supply Chain Security

The rise of AI-assisted attacks against open source ecosystems represents a significant shift in the threat landscape. GitHub hosts millions of repositories, and many popular NPM packages rely on automated workflows. A single successful compromise could lead to the insertion of malware into downstream projects, affecting countless users.

This campaign also highlights the importance of hardening CI/CD pipelines. Organizations should avoid using pull_request_target on untrusted forks without applying strict restrictions such as explicit approval steps, secret isolation, or dummy tokens. Additionally, repository maintainers should audit their GitHub Actions configurations and remove unnecessary triggers that expose sensitive secrets.

Wiz has published indicators of compromise (IoCs) for the prt-scan campaign, including the six GitHub accounts used and specific patterns in the malicious pull requests. Security teams are urged to review their repositories for any suspicious activity matching these indicators.

Role of AI in Modern Cyber Attacks

AI tools have made it easier for attackers to automate tedious tasks such as scanning for vulnerabilities, generating exploit code, and evading detection. In the prt-scan campaign, the abrupt increase in pull request submissions after a quiet period suggests the attacker used AI to scale operations. The automated generation of fork branches, branch names, and payload content also points to AI involvement.

While the actual attack code was flawed, the speed and breadth of the campaign demonstrate how AI can amplify threat actors' reach. Security vendors and open source maintainers must adapt by deploying AI-driven defenses that can detect and block anomalous patterns at scale.

Mitigation Steps for Developers

To defend against such attacks, developers should: use the 'pull_request' trigger instead of 'pull_request_target' when possible; if pull_request_target is necessary, ensure it runs only after manual approval; limit workflow permissions to the minimum required; and never run untrusted code in a context that has access to production secrets. They should also regularly audit third-party actions and monitor for unexpected pull request activity.
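The misconfiguration and the mitigations above can be checked in a repository's own workflow files. The following is an added example, not code from Wiz or the original article: a heuristic Python audit run over two constructed workflows (the job layout and the NPM_TOKEN secret name are assumptions), flagging pull_request_target workflows that check out the pull request's head code, reference named secrets, or lack a top-level permissions block.

```python
import re

# Constructed sample: privileged trigger + PR head checkout + named secret.
RISKY = """\
on: pull_request_target
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm ci && npm test
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
"""

# Constructed sample: unprivileged trigger, read-only token, no secrets.
HARDENED = """\
on: pull_request
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test
"""

def audit_workflow(text):
    """Return heuristic findings for the text of one workflow file."""
    # Ignore full-line comments so a commented-out trigger is not flagged.
    body = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))
    findings = []
    if not re.search(r"\bpull_request_target\b", body):
        return findings
    findings.append("trigger: pull_request_target runs in the base repository's context")
    if re.search(r"github\.event\.pull_request\.head\.(sha|ref)", body):
        findings.append("checkout: untrusted PR head code is pulled into the privileged job")
    if re.search(r"\$\{\{\s*secrets\.(?!GITHUB_TOKEN\b)", body):
        findings.append("secrets: a named secret is referenced in this workflow")
    if not re.search(r"^permissions:", body, re.M):
        findings.append("permissions: no top-level block limits the workflow token")
    return findings

if __name__ == "__main__":
    for name, wf in (("risky", RISKY), ("hardened", HARDENED)):
        print(name, audit_workflow(wf))
```

To audit a real repository, pass the text of each file under .github/workflows/ to audit_workflow; the regex checks are a first pass and do not replace reading the workflow.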

Organizations should also consider implementing runtime security controls for their CI/CD pipelines, such as secrets scanning and anomaly detection. Open source package maintainers should verify the integrity of all pull requests before merging, especially when they come from unknown contributors.

The prt-scan campaign is a stark reminder that supply chain security requires continuous vigilance. As AI tools become more accessible, the frequency and sophistication of automated attacks will likely increase. Proactive hardening of development workflows is essential to prevent future compromises.


Source: Dark Reading News

