A sophisticated supply chain attack campaign that leveraged artificial intelligence to automate exploitation attempts against GitHub repositories has been uncovered by security researchers. The campaign, tracked under the moniker "prt-scan," involved more than 450 exploitation attempts against open source software projects, with the threat actor primarily targeting a well-known but often misconfigured GitHub Actions feature.

According to analysis from cloud security vendor Wiz, the campaign began in mid-March 2026 and unfolded in multiple waves. The attacker created six distinct GitHub accounts to carry out the activity, all linked to a single threat actor. While fewer than 10% of the exploitation attempts succeeded, the attacker still managed to compromise at least two NPM packages, demonstrating the potential for significant downstream damage.

How the Attack Worked

The prt-scan campaign specifically targeted repositories that used the pull_request_target trigger in GitHub Actions. This trigger automatically runs workflows in the main repository whenever a pull request is submitted, even if the request originates from an untrusted fork. The trigger provides the workflow with full repository permissions and access to stored secrets, making it a valuable target for attackers seeking to steal API keys, cloud credentials, or other sensitive data.

The attacker's playbook was systematic. First, they scanned GitHub for repositories using the vulnerable trigger. They then forked those repositories, created new branches, hid malicious code inside what appeared to be routine updates, and submitted pull requests designed to automatically execute the malicious workflow. The payloads were crafted to exfiltrate credentials, environment variables, and other secrets stored in the repository.

Wiz researchers noted that the attack chain began with a testing phase from March 11 to March 16, during which the attacker opened only 10 malicious pull requests. After a nearly two-week hiatus, the activity resumed on April 2 with dramatically increased velocity. Over a 26-hour period, the attacker opened approximately 475 pull requests — a pace that strongly suggested the use of AI-enabled automation to scale the operation.

AI Automation in Cybersecurity Threats

The prt-scan campaign is notable not only for its scale but also for its use of artificial intelligence. It marks the second such campaign in recent months where a threat actor appears to have leveraged AI to automate the targeting of widespread GitHub misconfigurations. The first, dubbed "hackerbot-claw," occurred in late February and targeted high-profile repositories with more precision but shorter duration.

Wiz observed that the prt-scan attacker used AI to generate hundreds of pull requests with payloads that appeared sophisticated on the surface. However, a deeper analysis revealed flawed implementation. The attacker demonstrated a lack of understanding of GitHub's permissions model, using techniques that would rarely work in practice. For example, the payloads attempted multi-phase credential theft but were filled with logical inconsistencies that an experienced developer would immediately recognize as suspicious.

Despite these flaws, the campaign still achieved a roughly 10% success rate, translating into dozens of compromises. The majority of successful attacks targeted small hobbyist projects, and the stolen credentials were largely ephemeral GitHub tokens rather than production cloud keys. Still, the potential for more damaging outcomes remains high as attack tools improve.

Growing Threat to Open Source Ecosystems

The open source software supply chain has become an increasingly attractive target for attackers. GitHub, as the world's largest host of open source code, is a prime vector. The pull_request_target trigger is a well-documented feature, but its misconfiguration has been repeatedly highlighted by security researchers as a risk. Many project maintainers inadvertently enable this trigger on untrusted pull requests without implementing proper restrictions, making their repositories vulnerable.

The use of AI to automate exploitation represents a significant escalation. Previously, launching a large-scale supply chain attack required substantial manual effort and coordination. Now, low-sophistication attackers can use AI tools to scan, fork, and submit malicious pull requests at scale, targeting hundreds or thousands of repositories in a fraction of the time. This democratization of attack capability poses a serious challenge to the security of the open source ecosystem.

Wiz has published indicators of compromise (IoCs) for the prt-scan campaign to help organizations detect and block similar activity. The security vendor urged organizations to harden their GitHub environments by avoiding the use of pull_request_target on untrusted forks, restricting workflow permissions, and implementing proper secret validation.

GitHub itself has provided guidance on secure configuration of Actions workflows. The company recommends using the pull_request trigger for untrusted forks instead of pull_request_target, or combining the latter with explicit permission checks and sanitization of inputs. Many security tools now also scan for this misconfiguration automatically.

The prt-scan campaign highlights the ongoing arms race between attackers and defenders in the software supply chain. While the specific campaign was limited in its success, it serves as a warning that AI-augmented automation is making it easier for threat actors to probe for weaknesses at unprecedented scale. Organizations that rely on open source components must remain vigilant, regularly audit their CI/CD pipelines, and stay informed about emerging attack techniques.

The discovery of this campaign was made on April 2 by security researcher Charlie Eriksen of Aikido Security, with subsequent deeper analysis conducted by Wiz. The campaign primarily targeted repositories configured with the vulnerable trigger, but also demonstrated that even smaller projects can be entry points for broader supply chain infiltration. As AI tools continue to evolve, the security community expects to see more such campaigns, potentially with greater sophistication and success rates.

Source: Dark Reading News