A sophisticated supply chain attack leveraging artificial intelligence has targeted open source software repositories on GitHub, underscoring the growing ease with which threat actors can automate exploitation at scale. The campaign, tracked as PRT-scan by cloud security vendor Wiz, involved more than 450 exploitation attempts against repositories configured with a widely known but frequently misused GitHub Actions trigger. The activity was first detected on April 2 by security researcher Charlie Eriksen of Aikido Security, but subsequent analysis revealed that the attack began approximately three weeks earlier, on March 11, and unfolded in six distinct waves using six different GitHub accounts, all linked to a single threat actor.
The Nature of the Exploit
The attack centered on the pull_request_target workflow trigger in GitHub Actions. This trigger automatically executes workflows defined in the main repository whenever a pull request is submitted, even from an untrusted fork. Because the workflow runs with the full permissions of the target repository and can access its secrets, a workflow that checks out or otherwise executes content from the pull request lets an attacker who injects malicious code into that pull request steal API keys, cloud credentials, and other sensitive data. The misconfiguration is well documented and well understood within the developer community, yet it remains a common vulnerability, particularly in smaller or less rigorously maintained projects.
In the PRT-scan campaign, the attacker first scanned for repositories using the pull_request_target trigger. They then forked those repositories, created a new branch, hid malicious payloads inside what appeared to be routine code updates, and issued pull requests designed to trick the project's automated workflows into executing the malicious code. The payload was sophisticated in design but flawed in implementation, suggesting that the attacker did not fully understand GitHub's permissions model. Despite this, the campaign achieved a success rate of roughly 10%, resulting in dozens of compromises. The most notable successes involved the compromise of at least two NPM packages, though the attacker primarily gained access only to ephemeral credentials rather than persistent cloud API keys or production infrastructure.
A Second AI-Augmented Campaign
The PRT-scan campaign is the second in recent months to exhibit signs of AI-assisted automation targeting GitHub misconfigurations. It follows the late-February hackerbot-claw campaign, which used malicious pull requests exploiting the same pull_request_target feature to steal GitHub tokens, secrets, environment variables, and cloud credentials. The hackerbot-claw campaign was shorter and more targeted, hitting high-profile repositories. In contrast, PRT-scan was far broader, with the threat actor opening more than 500 pull requests targeting both small hobbyist projects and larger, more established ones, but with lower overall success against major targets.
The shift in tactics between the two campaigns highlights a rapid evolution in how threat actors are using AI to automate reconnaissance, target selection, and payload delivery. In the PRT-scan case, after an initial testing phase that lasted from March 11 to March 16 and involved only 10 pull requests, the attacker paused for nearly two weeks. Then, beginning April 2, over a 26-hour period, the attacker opened some 475 pull requests containing a sophisticated payload designed to steal credentials. This sudden acceleration in activity strongly indicates the use of AI-enabled automation, which allowed the attacker to scale up operations dramatically without proportional increases in manual effort.
Implications for Open Source Security
This campaign serves as a stark reminder that open source software supply chains remain a high-value target for attackers, and that automation tools—including AI—are lowering the barrier to entry for large-scale attacks. Even low-sophistication threat actors can now launch campaigns across hundreds of targets in a fraction of the time previously required. The ability to automatically scan for misconfigurations, fork repositories, generate plausible pull requests, and inject malicious code without human oversight means that supply chain attacks could become more frequent and harder to detect.
The broader takeaway for organizations is that security hygiene in GitHub environments must be strengthened. The pull_request_target trigger is inherently dangerous when used with untrusted forks unless strict controls are in place—such as requiring manual approval for workflow runs, scoping token permissions, or using GitHub's built-in security features like OIDC to avoid storing long-lived secrets. Wiz has urged organizations to review their GitHub Actions configurations and to adopt the principle of least privilege for workflow secrets. The security vendor also provided indicators of compromise (IoCs) for the PRT-scan campaign to help defenders identify and block similar activity.
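One way to carry out the configuration review described above, as an added example (not code from Wiz or from this article): a line-based heuristic that flags workflows combining pull_request_target with a checkout of the pull request head, an unscoped token, or repository secrets. The two workflow samples and the function name audit_workflow are constructed for illustration.

```python
import re

# Constructed sample: runs fork-controlled code with a secret in scope.
RISKY = """\
on:
  pull_request_target:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm ci && npm test
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
"""

# Constructed sample: same trigger, scoped token, fork code never checked out.
SAFER = """\
on:
  pull_request_target:
permissions:
  pull-requests: write
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - run: echo "labels only; fork code is never checked out"
"""

HEAD_REF = re.compile(r"github\.event\.pull_request\.head\.(sha|ref)|github\.head_ref|refs/pull/")
SECRET = re.compile(r"\$\{\{\s*secrets\.(?!GITHUB_TOKEN)")

def audit_workflow(text):
    """Return findings for one workflow file's text (heuristic, not a YAML parser)."""
    lines = [l for l in text.splitlines() if not l.lstrip().startswith("#")]
    body = "\n".join(lines)
    if not re.search(r"\bpull_request_target\b", body):
        return []
    findings = ["uses pull_request_target"]
    if "actions/checkout" in body and HEAD_REF.search(body):
        findings.append("checks out pull request head (fork-controlled code)")
    if not re.search(r"^\s*permissions\s*:", body, re.M):
        findings.append("no explicit permissions block for GITHUB_TOKEN")
    if SECRET.search(body):
        findings.append("references repository secrets")
    return findings
```

Run it over every file under .github/workflows; a workflow that returns only the first finding still deserves a manual read, since the heuristic does not follow reusable workflows or scripts the job calls.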
Despite the flawed execution in many of the PRT-scan attempts, the campaign demonstrates that attackers are actively experimenting with AI to overcome traditional detection mechanisms. The use of multiple GitHub accounts, phased deployment, and payloads designed to evade static analysis all point to a more adaptive and automated threat landscape. As AI tools become more capable and accessible, the distinction between targeted attacks and broad opportunistic campaigns will blur, forcing the security community to develop new defensive strategies.
Historical Context and Evolution
Supply chain attacks are not new. Recent years have seen high-profile incidents involving SolarWinds, Codecov, and the Kaseya ransomware attack, all of which leveraged trust relationships to infiltrate downstream customers. However, those attacks required significant manual effort and expertise. The emergence of AI-assisted automation marks a new phase in which simple code injection via pull requests can be scaled to thousands of targets with minimal human intervention. The pull_request_target misconfiguration has been known for years, but its exploitation at scale has only recently become viable due to AI-driven tooling.
Developers and security teams have long been advised to avoid using pull_request_target with untrusted forks unless absolutely necessary, and even then, to impose strict conditions. The PRT-scan and hackerbot-claw campaigns validate those recommendations. They also highlight the need for continuous monitoring of GitHub repositories for anomalous pull request activity, such as sudden bursts of PRs from unknown accounts or branches.
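The burst monitoring suggested above, as an added example rather than tooling from the article's sources: a sliding-window count of pull requests opened by accounts with no prior standing, using the author_association field GitHub returns with pull request data. The records, account names, window and threshold are constructed assumptions.

```python
from collections import deque
from datetime import datetime, timedelta

# author_association values GitHub reports for accounts with no standing in a repo.
UNTRUSTED = {"NONE", "FIRST_TIMER", "FIRST_TIME_CONTRIBUTOR"}

def find_bursts(events, window=timedelta(hours=1), threshold=5):
    """Flag authors who open >= threshold PRs across repos inside a sliding window.

    events: dicts with created_at (ISO 8601, one timezone), author, repo,
    author_association. Returns {author: sorted repos in the first burst window}.
    """
    recent, flagged = {}, {}
    for ev in sorted(events, key=lambda e: e["created_at"]):
        if ev["author_association"] not in UNTRUSTED or ev["author"] in flagged:
            continue
        ts = datetime.fromisoformat(ev["created_at"])
        q = recent.setdefault(ev["author"], deque())
        q.append((ts, ev["repo"]))
        while ts - q[0][0] > window:  # drop PRs that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            flagged[ev["author"]] = sorted({r for _, r in q})
    return flagged

def sample_events():
    """Constructed PR-opened records; account and repo names are made up."""
    base = datetime(2025, 1, 1, 12, 0)
    evs = [{"created_at": (base + timedelta(minutes=4 * i)).isoformat(),
            "author": "acct-a", "repo": f"org/repo{i}",
            "author_association": "NONE"} for i in range(6)]
    evs += [{"created_at": (base + timedelta(hours=9 * i)).isoformat(),
             "author": "acct-b", "repo": "org/repo0",
             "author_association": "FIRST_TIME_CONTRIBUTOR"} for i in range(6)]
    evs.append({"created_at": base.isoformat(), "author": "maintainer",
                "repo": "org/repo0", "author_association": "MEMBER"})
    return evs
```

Because this campaign was spread over six accounts, a per-author threshold should be paired with an organization-wide count of untrusted pull requests in the same window.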
Wiz's analysis concluded that while the immediate impact of the PRT-scan campaign was relatively contained—mostly affecting small projects and exposing only short-lived credentials—the operational pattern signals a worrying trend. The attack chain—scanning for vulnerable targets, forking, embedding payloads, and automating PR submissions—can be replicated by any motivated actor with access to a large language model and basic scripting skills. As a result, organizations of all sizes must treat their GitHub repositories as critical infrastructure and apply security controls accordingly.
In response to the campaign, security researchers have called for GitHub to consider deprecating or tightening the default behavior of pull_request_target, or to introduce additional safeguards that make it harder for malicious pull requests to execute workflows without explicit approval. In the meantime, repository maintainers should audit their workflows, remove unnecessary triggers, and use the principle of least privilege for all secrets. They should also implement branch protection rules and require review from trusted collaborators before any workflow runs from forks.
The rise of AI-augmented supply chain attacks is not limited to GitHub; similar techniques could be applied to other code hosting platforms, package registries, and CI/CD systems. The security community must adapt by developing automated detection and response capabilities that can match the speed and scale of AI-driven threats. This includes deploying honeytokens, monitoring for anomalous patterns in pull request metadata, and sharing threat intelligence across organizations.
Source: Dark Reading News