Charlotte Times 46


AI-Assisted Supply Chain Attack Targets GitHub

May 19, 2026  Twila Rosenbaum

A sophisticated threat actor has leveraged artificial intelligence to automate a large-scale supply chain attack targeting open source software repositories on GitHub. The campaign, which security researchers have dubbed 'prt-scan,' represents a worrying escalation in how attackers can weaponize AI to exploit common misconfigurations. According to cloud security vendor Wiz, the attacker opened more than 500 pull requests across numerous projects, successfully compromising at least two NPM packages in the process.

The attack began around March 11, 2026, with a small number of test pull requests that continued through March 16. After a nearly two-week hiatus, the attacker resumed operations with dramatically increased velocity. Over a 26-hour period starting April 2, the threat actor opened approximately 475 pull requests containing malicious payloads designed to steal credentials. This rapid-fire approach suggested the use of AI-enabled automation to scan for vulnerable repositories, fork them, and submit malicious changes.

The pull_request_target Misconfiguration

At the heart of the campaign lies a well-documented but frequently overlooked misconfiguration in GitHub Actions: the pull_request_target trigger. Developers use GitHub Actions to automate workflows such as testing and deployment, triggered by events like pull requests. pull_request_target exists for workflows that must act on a pull request with write access to the base repository, for example labelling it or commenting on it, so the job receives the base repository's secrets and a read/write GITHUB_TOKEN even when the pull request comes from a fork. That is fine while the workflow only reads pull request metadata; it becomes dangerous as soon as the job checks out and runs code from the untrusted fork.

When a workflow is triggered by pull_request_target, the workflow file and its permissions are taken from the base repository, not the fork, so the job holds the base repository's secrets, environment variables, and any cloud credentials stored as secrets. The fork's code is not run by default; the compromise happens when the workflow fetches the pull request's head commit itself, typically with actions/checkout and a ref such as ${{ github.event.pull_request.head.sha }}, and then invokes a build or test step. Anything the attacker placed in that checkout (a package.json script, a Makefile, a test file) executes inside the privileged job and can read and exfiltrate those secrets. GitHub's documentation has warned about this for years, but many project maintainers continue to use the trigger without proper safeguards.

In the prt-scan campaign, the attacker first scanned for repositories configured with this trigger. They then forked those repositories, created branches that appeared to contain routine updates, and embedded malicious code that would be automatically run when the workflow executed. The payloads were designed to steal GitHub tokens, cloud credentials, and other secrets stored in the repository.

Second AI-Augmented Supply Chain Campaign

The prt-scan campaign is not the first to exploit this misconfiguration. In late February 2026, a similar campaign known as 'hackerbot-claw' targeted high-profile repositories using the same technique. That campaign was shorter and more focused, with fewer but more successful exploitation attempts. While hackerbot-claw hit prominent open source projects, prt-scan cast a much wider net, targeting both small hobbyist projects and larger repositories.

Wiz researchers noted that the prt-scan campaign had a success rate of under 10%, meaning only about 40-50 of the roughly 500 pull requests led to an actual compromise. Even that limited success yielded several dozen compromised repositories and the extraction of credentials. In most cases the exposed credential was the job's own short-lived GITHUB_TOKEN, which expires when the run ends but can still push commits or create releases for as long as the job is alive if it carries write permissions; in a few instances the attacker obtained access to production infrastructure or persistent API keys.

The use of AI automation is what sets this campaign apart. Traditionally, launching such an attack required significant manual effort to identify vulnerable repositories, craft malicious payloads, and submit pull requests. With AI, the attacker could automate the entire process, dramatically scaling the attack with minimal human involvement. This democratization of supply chain attacks is a worrying trend for the cybersecurity community.

Background on GitHub Actions Misconfiguration

GitHub Actions is a continuous integration and continuous delivery platform that allows developers to automate workflows directly in their repositories. The platform supports various triggers, including push, pull_request, and the more privileged pull_request_target. The difference between the last two is critical: for a pull request from a fork, pull_request runs the workflow against the pull request's merge commit with a read-only GITHUB_TOKEN and no access to repository secrets, while pull_request_target runs the workflow file from the base branch with the base repository's secrets and a read/write token.

Despite clear warnings, the pull_request_target trigger is commonly misused. Maintainers reach for it whenever a pull request workflow needs secrets, for example to publish a preview build or post results to an external service. The recommended practice is to never check out or execute fork-controlled code inside a pull_request_target job, or to run such a job only after a maintainer has reviewed the pull request. Where the output of an untrusted build genuinely has to be handled with secrets, GitHub's documented pattern is to split the work: build and test under pull_request with no secrets, upload the result as an artifact, and let a second workflow triggered by workflow_run consume that artifact in the trusted context, though this adds complexity.

The fact that both the hackerbot-claw and prt-scan campaigns successfully exploited this misconfiguration underscores the need for better education and tooling. GitHub itself has added safeguards, such as letting maintainers require approval before workflows run for pull requests from first-time contributors, but that approval gate applies to pull_request workflows and does not hold back a pull_request_target workflow, which runs as soon as the pull request is opened.

A Flawed Attack Chain

Despite the ambitious use of AI, the actual attack implementation in the prt-scan campaign was surprisingly sloppy. Wiz researchers found that the attacker's payloads contained multiple techniques that were illogical or redundant, suggesting a lack of deep understanding of GitHub's permission model. For example, the attacker attempted to execute a multi-stage payload that included attempts to read secrets from the file system, use GitHub's metadata API, and exfiltrate data via DNS queries. However, many of these techniques overlapped or were misconfigured.

One notable flaw was that the attacker often failed to properly hide their malicious code. In some cases, the payload was clearly visible in the pull request diff, alerting maintainers to the attack. In others, the code used deprecated or non-existent GitHub API endpoints, causing the workflow to fail outright. This suggests that while AI can automate the process of finding targets and submitting pull requests, it still struggles to generate coherent and effective payloads.

Nevertheless, the campaign succeeded in compromising systems. Wiz identified at least two NPM packages that were taken over by the attacker, potentially exposing users of those packages to malicious updates. The full extent of the damage is still under investigation, but the incident serves as a stark reminder of the risks inherent in the open source ecosystem.

Implications for the Cybersecurity Industry

The prt-scan campaign highlights several important lessons for organizations and open source maintainers. First, it demonstrates that AI is rapidly lowering the barrier to entry for launching sophisticated supply chain attacks. Even attackers with limited technical skills can now leverage AI to scale their operations, turning what was once slow, manual work against a handful of targets into an automated, high-velocity assault across hundreds of repositories.

Second, the campaign underscores the importance of securing GitHub Actions workflows. Maintainers should audit every workflow that uses pull_request_target and confirm it never checks out the pull request's head commit or runs anything the fork controls. If the trigger must be used, they should keep the checkout pinned to the base branch, restrict the job's permissions to the minimum it needs, place secrets in an environment that requires reviewer approval, and move any untrusted build or test into a separate pull_request job that holds no secrets.

Third, the incident calls for greater vigilance in the open source community. Dependency management tools should be updated to detect and block compromised packages. The NPM ecosystem, in particular, has been a frequent target for supply chain attacks, and the compromise of even a few packages can have cascading effects across the software supply chain.

Finally, the campaign highlights the need for collaborative threat intelligence. Wiz and Aikido Security shared indicators of compromise (IoCs) related to the prt-scan campaign, allowing organizations to detect and block malicious activity. Such cooperation is essential for mounting an effective defense against AI-assisted attacks.

As the cybersecurity industry grapples with the implications of AI, the prt-scan campaign serves as a precursor to what is likely to become a common attack vector. The combination of automation, misconfiguration, and open source dependency creates a perfect storm for supply chain compromise. Organizations must act now to harden their development pipelines, educate their developers, and adopt security tools capable of detecting AI-generated attacks.


Source: Dark Reading News


