A sophisticated supply chain attack leveraging artificial intelligence has been detected targeting open source software repositories on GitHub. The campaign, identified by security researchers as "prt-scan," represents a significant evolution in automated cyber threats, combining AI-assisted automation with exploitation of a known GitHub Actions misconfiguration.
Cloud security vendor Wiz analyzed the activity, which began on March 11, 2026, and unfolded in six waves using six different GitHub accounts linked to a single threat actor. The attacker opened more than 500 malicious pull requests across both small hobbyist projects and larger repositories, though fewer than 10% of the attempts were successful. Despite the low success rate, the campaign compromised at least two NPM packages and exposed ephemeral GitHub credentials in dozens of cases.
How the Attack Worked
The attack exploited the pull_request_target workflow trigger in GitHub Actions. This trigger automatically runs workflows in the main repository when a pull request is submitted, even from an untrusted fork. Because the action runs with full repository permissions and can access secrets, an attacker can use a malicious pull request to steal API keys or credentials. The misconfiguration is well documented but remains widespread among developers who fail to implement proper restrictions.
The attacker's playbook involved scanning for repositories using the vulnerable trigger, forking those repositories, creating a branch, hiding malicious code inside what appeared to be a routine update, and then tricking the project into running it automatically. The payload was designed to steal sensitive data such as cloud credentials, environment variables, and persistent API keys.
AI-Augmented Automation
The prt-scan campaign is the second in recent months where a threat actor appears to have used AI-enabled automation to scale their efforts. It follows the late-February "hackerbot-claw" campaign, which exploited the same GitHub feature but targeted high-profile repositories in a shorter, more focused manner. In contrast, prt-scan was broader, with the attacker opening hundreds of pull requests in a 26-hour period starting April 2, suggesting the use of AI-assisted automation to accelerate the attack.
Wiz researchers noted that the speed and scale of the campaign would have been difficult to achieve manually. "AI-augmented automation has made it easier for attackers to launch large scale supply chain attacks," the security vendor warned. Low-sophistication attackers can now launch new campaigns across hundreds of targets in a fraction of the time and with a fraction of the effort previously required.
Flaws in the Attack Chain
Despite the advanced payload design, the actual implementation was riddled with errors. Wiz described the attack as "sloppy" and noted that the attacker appeared to misunderstand GitHub's permissions model. "The attacker attempted a sophisticated multi-phase payload but filled it with techniques that feel illogical to an expert and would rarely work in practice," the researchers said.
For example, the payload attempted to steal credentials but often failed because the attacker did not account for the limited scope of the workflow permissions. In most cases, successful attacks only exposed ephemeral GitHub credentials that were valid only for the duration of the workflow run. The attacker did not gain persistent access to production infrastructure or cloud credentials, barring minor exceptions.
Nevertheless, the campaign achieved dozens of compromises, demonstrating that even a flawed attack can yield results at scale. The researchers included indicators of compromise (IoCs) in their report and urged organizations to harden their GitHub environments to prevent such attacks.
Background on GitHub Supply Chain Attacks
Supply chain attacks targeting GitHub have become increasingly common as organizations rely more on open source software. The pull_request_target trigger is a particular concern because it bypasses the typical safeguards for untrusted code. Developers often enable it to run tests or analyses on pull requests, but the automatic execution of workflows with full repository permissions creates a vulnerability that attackers can exploit.
The trend toward AI-augmented attacks is worrying for the cybersecurity community. Traditional supply chain attacks required careful manual targeting and significant effort to craft malicious payloads. With AI, attackers can automate the scanning, forking, and payload injection processes, dramatically increasing the scale and speed of their operations. This lowers the barrier to entry for less skilled threat actors and allows them to target hundreds or thousands of repositories simultaneously.
Security experts emphasize that the solution lies in proper configuration management. Organizations should restrict the use of pull_request_target to trusted contributors, use environment-specific secrets with minimal permissions, and implement pull request approval workflows. Additionally, automated scanning tools can detect misconfigurations before they are exploited.
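To make the misconfiguration concrete, here is an added example (not Wiz's tooling, not GitHub's API, and not anything from the campaign report) that scans a GitHub Actions workflow for the pattern described above: a pull_request_target trigger combined with a checkout of the pull request head and access to repository secrets, which is what lets untrusted fork code run with the base repository's token. It is the kind of check the "automated scanning tools" recommendation refers to. The two workflow files are constructed samples; the rule names, severity levels and the line-based parsing heuristic (chosen to avoid a YAML library dependency) are this example's own conventions.

```python
"""Heuristic scanner for the "pwn request" misconfiguration: a workflow
triggered by pull_request_target that checks out and runs code from the
pull request head while holding the base repository's token and secrets.

Added example, not Wiz's tooling or GitHub's API. Detection is line-based
(no YAML parser dependency) and intentionally conservative; the sample
workflows below are constructed for illustration.
"""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    rule: str
    line: int
    detail: str


# Trigger as a mapping key, a list item, or an inline list under "on:".
TRIGGER_RES = [
    re.compile(r"^\s*-?\s*pull_request_target\s*:?\s*$"),
    re.compile(r"^\s*on:\s*(\[.*\bpull_request_target\b.*\]|pull_request_target)\s*$"),
]
CHECKOUT_RE = re.compile(r"^\s*-?\s*uses:\s*actions/checkout@")
# Expressions that resolve to the untrusted pull request head.
PR_HEAD_RE = re.compile(r"github\.(event\.pull_request\.head\.(sha|ref)|head_ref)")
SECRET_RE = re.compile(r"\$\{\{\s*secrets\.")
# Gating on the author's relationship to the repository (OWNER, MEMBER, ...).
GATE_RE = re.compile(r"^\s*if:.*author_association")
STEP_START_RE = re.compile(r"^\s*-\s")


def _strip_comment(line: str) -> str:
    # Good enough for workflow files: '#' rarely appears inside ${{ }} expressions.
    return line.split("#", 1)[0].rstrip()


def scan_workflow(text: str) -> list[Finding]:
    lines = [_strip_comment(l) for l in text.splitlines()]
    findings: list[Finding] = []
    prt_lines = [i for i, l in enumerate(lines, 1) if any(r.match(l) for r in TRIGGER_RES)]
    if not prt_lines:
        return findings  # plain pull_request: fork PRs get a read-only token and no secrets
    findings.append(Finding("prt-trigger", prt_lines[0], "workflow runs on pull_request_target"))

    for i, line in enumerate(lines, 1):
        if CHECKOUT_RE.match(line):
            # Inspect the rest of this step (until the next "- " item or a dedent) for a PR-head ref.
            key_indent = line.index("uses:")
            j = i  # zero-based index of the line after this one
            while j < len(lines) and not STEP_START_RE.match(lines[j]):
                nxt = lines[j]
                if nxt.strip() and len(nxt) - len(nxt.lstrip()) < key_indent:
                    break  # left the step mapping
                if PR_HEAD_RE.search(nxt):
                    findings.append(Finding("prt-checkout-head", j + 1,
                                            "checks out untrusted PR head with base-repo token"))
                    break
                j += 1
        if SECRET_RE.search(line):
            findings.append(Finding("prt-secrets", i, "secrets available to a job triggered by a fork PR"))
        if GATE_RE.match(line):
            findings.append(Finding("gated-on-author", i, "job or step gated on author_association"))
    return findings


def assess(text: str) -> str:
    """Collapse findings into one severity: none / low / medium / high."""
    rules = {f.rule for f in scan_workflow(text)}
    if "prt-trigger" not in rules:
        return "none"
    if "prt-checkout-head" in rules:
        return "medium" if "gated-on-author" in rules else "high"
    if "prt-secrets" in rules:
        return "medium"
    return "low"


# Constructed sample: the pattern the article describes.
VULNERABLE_WORKFLOW = """\
name: CI
on:
  pull_request_target:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}  # untrusted code
      - run: npm ci && npm test                            # runs the fork's package.json scripts
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
"""

# Constructed sample, hardened: pull_request runs in the fork's context with a
# read-only GITHUB_TOKEN and no access to repository secrets.
HARDENED_WORKFLOW = """\
name: CI
on:
  pull_request:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test
"""

if __name__ == "__main__":
    for label, wf in (("vulnerable", VULNERABLE_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(f"{label}: {assess(wf)}")
        for f in scan_workflow(wf):
            print(f"  line {f.line}: {f.rule} - {f.detail}")
```

Running it prints `high` for the first file and `none` for the second. An author_association gate on the job downgrades the first to `medium` rather than clearing it, since the checkout of untrusted code is still present; the safer fix is to drop pull_request_target for anything that executes contributor code.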
Recommendations for Developers
Based on the findings from the prt-scan campaign, developers and organizations should take several steps to protect their GitHub repositories:
- Avoid using the pull_request_target trigger on untrusted pull requests. If necessary, combine it with explicit checks to ensure the workflow only runs from approved contributors.
- Use repository-level secrets with limited scope and rotate them frequently.
- Implement pull request reviews and require manual approval before workflows run.
- Monitor for unusual pull request activity, such as a sudden influx of requests from unknown accounts.
- Deploy security scanning tools that can detect misconfigured GitHub Actions and alert administrators.
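The monitoring recommendation above can be turned into a concrete detection. The following added example (not Wiz's detection logic and not a GitHub feature) runs a sliding-window count over pull-request event records and alerts when an account outside the known-contributor set opens a burst of pull requests, reporting how many distinct repositories the burst touched. The event records are constructed; their field names (author, repo, number, opened_at) are an assumption, though GitHub's audit log and webhook payloads carry equivalent fields under their own names.

```python
"""Burst detection over pull-request event records.

Added example, not Wiz's detection logic and not a GitHub feature. Event
records are constructed; their schema (author, repo, number, opened_at) is an
assumption. Flags an account outside the known-contributor set that opens at
least BURST_THRESHOLD pull requests within WINDOW and reports how many distinct
repositories the burst touched.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(hours=1)
BURST_THRESHOLD = 5  # tune to the organisation's baseline of PRs per account per hour
KNOWN_CONTRIBUTORS = {"maintainer-a", "dependabot[bot]"}


def detect_pr_bursts(events, known=KNOWN_CONTRIBUTORS, window=WINDOW, threshold=BURST_THRESHOLD):
    """Return {author: {"prs": n, "repos": k, "at": time}} for unknown accounts that
    exceed the threshold; the record reflects the largest burst seen within the window."""
    events = sorted(events, key=lambda e: e["opened_at"])
    recent = defaultdict(deque)  # author -> deque of (opened_at, repo) inside the window
    alerts = {}
    for e in events:
        author = e["author"]
        if author in known:
            continue  # established accounts are covered by normal code review
        q = recent[author]
        q.append((e["opened_at"], e["repo"]))
        while q and e["opened_at"] - q[0][0] > window:
            q.popleft()  # drop events that fell out of the sliding window
        if len(q) >= threshold and (author not in alerts or len(q) > alerts[author]["prs"]):
            alerts[author] = {
                "prs": len(q),
                "repos": len({repo for _, repo in q}),
                "at": e["opened_at"],
            }
    return alerts


def constructed_events():
    """Constructed sample records; the date only echoes the article's timeline."""
    t0 = datetime(2026, 4, 2, 9, 0, tzinfo=timezone.utc)
    events = []
    # Routine activity from a known maintainer and an occasional contributor.
    for i in range(3):
        events.append({"author": "maintainer-a", "repo": "org/core", "number": 100 + i,
                       "opened_at": t0 + timedelta(hours=i)})
    events.append({"author": "casual-dev", "repo": "org/docs", "number": 7,
                   "opened_at": t0 + timedelta(minutes=5)})
    events.append({"author": "casual-dev", "repo": "org/docs", "number": 8,
                   "opened_at": t0 + timedelta(hours=5)})
    # Burst: one unknown account fans out across repositories within 40 minutes.
    repos = ["org/core", "org/docs", "org/cli", "org/sdk", "org/infra", "org/core"]
    for i, repo in enumerate(repos):
        events.append({"author": "new-acct-7", "repo": repo, "number": 200 + i,
                       "opened_at": t0 + timedelta(minutes=8 * i)})
    return events


if __name__ == "__main__":
    for author, a in detect_pr_bursts(constructed_events()).items():
        print(f"ALERT {author}: {a['prs']} PRs across {a['repos']} repos "
              f"within {WINDOW} (last at {a['at']:%H:%M} UTC)")
```

On the constructed input only `new-acct-7` is reported (6 pull requests across 5 repositories inside one hour); the maintainer's steady activity and the occasional contributor's two pull requests stay below the threshold. In practice the known-contributor set would be fed from the organisation's membership and prior merged-PR history rather than hard-coded.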
The prt-scan campaign serves as a stark reminder that even well-known vulnerabilities can be weaponized at scale with the help of AI. As AI technology continues to evolve, the cybersecurity industry must adapt its defenses to counter automated threats. Collaboration between open source maintainers, security vendors, and the developer community is essential to safeguarding the software supply chain.
Wiz's investigation highlights the dual nature of AI in cybersecurity: while it can be used by defenders to detect and respond to threats, it also empowers attackers to launch more aggressive and widespread campaigns. The key to resilience lies in proactive prevention, continuous monitoring, and a deep understanding of the platforms and tools that underpin modern software development.
Source: Dark Reading News