San Diego News 24


AI-Assisted Supply Chain Attack Targets GitHub

May 23, 2026  Twila Rosenbaum

A sophisticated, AI-assisted supply chain attack campaign has been targeting open source software repositories on GitHub, exploiting a well-known but widespread misconfiguration. Dubbed "prt-scan" by cloud security vendor Wiz, the operation involved over 450 malicious pull requests aimed at stealing credentials and sensitive data from project maintainers.

Discovered on April 2 by security researcher Charlie Eriksen of Aikido Security, the campaign was later traced back to March 11 by Wiz investigators. Analysis revealed six distinct waves of attacks originating from six different GitHub accounts, all likely controlled by a single threat actor. The attacker leveraged automated tools, almost certainly augmented by artificial intelligence, to scan for vulnerable repositories and launch exploits at scale.

Exploiting a Common Misconfiguration

The attack exploited the pull_request_target trigger in GitHub Actions. This trigger automatically executes workflows in the context of the main repository whenever a pull request is submitted, even from an untrusted fork. Because the workflow runs with full repository permissions and can access secrets like API keys and cloud credentials, it becomes a prime target for attackers when used without proper restrictions.

Developers often configure this trigger to automate testing or deployment for pull requests. However, the security documentation warns that using it on untrusted forks without additional safeguards can expose sensitive data. The prt-scan campaign took advantage of exactly this vulnerability.

Attack Methodology

The attacker's playbook began with scanning GitHub for repositories using the pull_request_target trigger. Once identified, the threat actor forked the repository, created a new branch, and injected malicious code disguised as a routine update—such as a dependency bump or minor bug fix. The pull request then automatically triggered the workflow, executing the payload on the repository's infrastructure.

Wiz researchers noted that the payload was sophisticated in design but flawed in execution. The attacker attempted a multi-stage credential theft process but made several technical errors that limited the success rate. For example, the payload relied on techniques that would rarely work in practice, such as incorrect permission assumptions and misaligned token scopes.

Despite these flaws, approximately 10% of the exploit attempts succeeded, resulting in dozens of compromises. Most successful attacks targeted small hobbyist projects, exposing only ephemeral GitHub credentials for the workflow run. However, at least two NPM packages were fully compromised, raising concerns about downstream supply chain risks for users of those packages.

Timeline and Scale

The campaign unfolded in a distinct pattern. The first phase, from March 11 to March 16, involved only 10 pull requests, likely a testing phase. Then, after a nearly two-week pause, the attacker resumed activity on April 2 with an explosive burst: over 475 pull requests opened in just 26 hours. This sudden acceleration strongly suggests the use of AI-enabled automation to generate and submit pull requests at machine speed.

Wiz's analysis showed that the six attacker accounts were coordinated, often targeting different sets of repositories in parallel. The campaign appeared to be indiscriminate, hitting both small personal projects and larger open source efforts. The broad scope indicates that the attacker was primarily focused on volume rather than precision, hoping that a small percentage of attempts would yield useful credentials.

Second AI-Augmented Campaign

Prt-scan is the second such campaign in recent weeks. In late February, the "hackerbot-claw" campaign used similar techniques but was shorter and more targeted, focusing on high-profile repositories. That attack was less widespread but more successful per attempt, likely because the attacker invested more effort in crafting payloads for specific targets.

In contrast, prt-scan represents a shift toward mass automation. According to Wiz, this pattern demonstrates how low-sophistication attackers can now launch large-scale supply chain attacks with minimal effort, thanks to AI tools that can generate code, disguise payloads, and handle repetitive tasks like forking and submitting pull requests.

Implications for Open Source Security

The campaign highlights a growing risk in the open source ecosystem. GitHub hosts millions of repositories, many of which use CI/CD workflows that may be misconfigured. The pull_request_target risk is well documented, yet many developers remain unaware of the warnings or ignore them.

Wiz recommends that organizations immediately audit their GitHub Actions configurations, especially for repositories that accept pull requests from external contributors. Key mitigation steps include: never using pull_request_target on untrusted forks without explicit approval; switching to the pull_request trigger, which runs in the context of the fork; and implementing manual review workflows for external contributions.
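One way to run the recommended audit, as an added example (not code from Wiz, GitHub, or the original article): a heuristic Python check that flags workflows using pull_request_target, and in particular those that also check out the pull request's head commit, reference secrets, or leave token permissions at the repository default. The two sample workflows, the finding labels, and the audit function are constructed for illustration.

```python
import re

# Constructed sample workflow (not from any real repository).
RISKY = """\
on:
  pull_request_target:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm ci && npm test
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
"""
# Constructed counterpart: fork-context trigger, read-only token, no secrets.
SAFER = """\
on:
  pull_request:
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test
"""

HEAD_REF = re.compile(r"github\.(event\.pull_request\.head\.(sha|ref)|head_ref)")
SECRET = re.compile(r"\bsecrets\.([A-Za-z_]\w*)")

def audit(text):
    """Return heuristic findings for one workflow file's text."""
    # Drop full-line and trailing comments so commented-out YAML is ignored.
    body = "\n".join(l.split(" #", 1)[0] for l in text.splitlines()
                     if not l.lstrip().startswith("#"))
    if not re.search(r"\bpull_request_target\b", body):
        return []
    findings = ["trigger:pull_request_target"]
    if HEAD_REF.search(body):
        findings.append("checkout-of-pr-head")  # fork code runs with base-repo rights
    findings += ["secret:" + s for s in sorted(set(SECRET.findall(body)))]
    if not re.search(r"^\s*permissions:", body, re.M):
        findings.append("no-explicit-permissions")
    return findings
```

Call audit() on the text of each file under .github/workflows; any non-empty result is a workflow to review by hand, since this is a text heuristic and not a full YAML evaluation.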

The security vendor also published indicators of compromise (IoCs) for the prt-scan campaign, including the attacker's GitHub account names, IP addresses used during the attacks, and hash values of malicious payloads. Organizations can use these IoCs to block any remaining active threats and to monitor for similar patterns in the future.

Broader Threat Landscape

The use of AI in cyberattacks is accelerating. While earlier AI-powered threats focused on phishing and social engineering, supply chain attacks like prt-scan show that attackers are now using AI to scale technical exploitation. The ability to automatically identify vulnerable configurations, craft malicious code, and launch attacks across hundreds of targets simultaneously represents a significant evolution in the threat landscape.

Security experts warn that this trend will continue. As AI tools become more accessible and capable, even low-skilled attackers can execute complex campaigns that previously required significant manual effort and expertise. For defenders, the challenge is not only to fix known vulnerabilities but also to prepare for a future where AI-driven attacks are routine.

In response, companies like GitHub are working on better default security settings and automated scanning for misconfigurations. However, the responsibility ultimately falls on developers and organizations to stay informed about best practices and to regularly audit their workflows for potential weaknesses.

The prt-scan campaign serves as a wake-up call for the open source community. As the attacker demonstrated, even a flawed but automated approach can compromise dozens of projects. With AI augmentation, the barrier to launching such attacks has never been lower, and the window for defenders to respond has never been shorter.


Source: Dark Reading News

