
AI-Assisted Supply Chain Attack Targets GitHub

May 18, 2026  Twila Rosenbaum

A sophisticated new attack campaign has demonstrated how artificial intelligence can supercharge supply chain attacks against open source software repositories on GitHub. The campaign, dubbed 'prt-scan' by cloud security vendor Wiz, involved the automated opening of over 450 malicious pull requests targeting repositories configured with the pull_request_target workflow trigger. This trigger, when misconfigured, can grant attackers access to sensitive credentials and tokens stored in the repository.

The attacker's primary objective appears to have been credential theft and compromise of npm packages. According to Wiz, the campaign began on March 11, 2026, and unfolded in six distinct waves. The first few weeks involved limited testing, but starting April 2, the attacker dramatically accelerated the pace, opening nearly 475 pull requests within a 26-hour period. This velocity strongly suggests the use of AI-assisted automation to generate and target the malicious pull requests at scale.

Understanding the pull_request_target Vulnerability

The pull_request_target trigger is a GitHub Actions feature that runs a workflow in the context of the base (target) repository whenever a pull request is submitted, even when the pull request comes from an untrusted fork. When used without proper safeguards—such as restricting secrets or requiring manual approval—this trigger can be exploited by attackers. A malicious pull request can contain code that, if the workflow checks out and runs it, executes within the base repository's context, giving the attacker access to repository secrets, environment variables, and cloud credentials.

This misconfiguration is well-documented, yet many open source projects remain vulnerable. The prt-scan campaign specifically targeted repositories using this trigger, scanning for them with automated tools before forking and submitting malicious pull requests. The attack chain involved hiding malicious code inside what appeared to be routine updates, tricking the workflow into running it automatically.

Comparison with the Hackerbot-Claw Campaign

The prt-scan campaign is the second major AI-augmented supply chain attack targeting this GitHub feature in recent months. In late February 2026, a similar but shorter campaign known as 'hackerbot-claw' was identified. That campaign was more targeted, hitting high-profile repositories and achieving a higher success rate in stealing tokens and cloud credentials. In contrast, prt-scan was broader in scope but less precise. The attacker opened far more pull requests—over 500 in total—but only compromised a small number of low-traffic hobbyist projects.

According to Wiz, while hackerbot-claw focused on well-known repos with potentially valuable secrets, prt-scan cast a wide net. This difference in strategy may reflect the attacker's use of AI to scale operations, trading off accuracy for volume. The result was a higher number of attempted exploits but limited tangible gains for the attacker.

Flawed Attack Implementation

Despite the sophisticated use of AI for targeting, the actual attack payload and execution were surprisingly flawed. Wiz researchers noted that the attacker attempted a complex multi-phase payload but filled it with techniques that an experienced GitHub administrator would easily recognize as illogical. For example, the payload tried to access permissions and secrets that were unlikely to be available on most repositories, and the code had several syntax errors and logical inconsistencies.

This suggests that while AI was used to generate the initial targeting and possibly the payload structure, the attacker may not fully understand GitHub's permissions model. As a result, the success rate remained low—around 10% of the 450+ attempts. However, even that modest success rate translates to dozens of compromised repositories, including two npm packages that were modified to include malicious code.

Implications for Supply Chain Security

The prt-scan campaign underscores a growing concern among security professionals: the democratization of supply chain attacks via AI. Low-sophistication attackers can now launch large-scale campaigns across hundreds of targets in a fraction of the time and with a fraction of the effort previously required. Instead of manually crafting exploit code for each target, attackers can use AI to generate malicious pull requests or other attack vectors en masse.

This trend is not limited to GitHub workflows. Similar AI-assisted attacks have been observed against other platforms, such as RubyGems, where attackers used automated techniques to insert malicious gems into the supply chain. The use of AI reduces the barrier to entry for cybercriminals, making it easier for them to target the open source ecosystem that underpins modern software development.

Organizations relying on open source components must take proactive steps to harden their GitHub environments. Security experts recommend disabling the pull_request_target trigger on public repositories unless absolutely necessary, and if used, employing strict approval processes and limiting secret access. Additional measures include using read-only tokens, implementing secret scanning, and monitoring for anomalous pull request patterns.

The Wiz report includes indicators of compromise (IoCs) for the prt-scan campaign, including the GitHub accounts used and the malicious code samples. Organizations can use these IoCs to scan their repositories for signs of compromise. However, the broader lesson remains: as AI tools become more accessible, supply chain attacks will likely increase in frequency and scale.

Background on GitHub Actions Security

GitHub Actions is a popular CI/CD platform that allows developers to automate workflows, including building, testing, and deploying code. Its flexibility comes from triggers that can respond to various GitHub events, such as pull requests. The pull_request_target trigger was designed to run workflows with full repository permissions, making it useful for tasks like merging code or deploying to production. However, its very power makes it a prime target for attackers.

Since its introduction, there have been multiple documented abuse cases. In 2023, researchers demonstrated how the trigger could be exploited to leak secrets from popular repositories. The open source community has since adopted best practices, such as replacing pull_request_target with pull_request where possible, or using environment-specific secrets. Despite these efforts, many repositories, especially smaller ones, remain vulnerable.

The prt-scan campaign reveals that attackers are not only aware of this misconfiguration but are actively using AI to identify and exploit it at scale. This represents an evolution from earlier attacks that were more manual and opportunistic. The automation of reconnaissance and exploit delivery changes the threat landscape, requiring defenders to adopt similarly automated security measures.

Wiz's investigation highlighted that while the prt-scan attacker's technique was flawed, the successful exploitation of even a few repositories can have cascading effects. For example, if a compromised npm package is used as a dependency by other projects, the attack could propagate rapidly. This supply chain risk is compounded by the fact that many organizations do not regularly audit their dependencies for malicious code.

To mitigate these risks, security teams should implement dependency scanning tools, enforce least-privilege principles on CI/CD workflows, and train developers on secure GitHub configuration practices. Regular audits of workflow triggers and permissions can help identify misconfigurations before attackers exploit them.
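As an added illustration of the misconfiguration described above and of the workflow audit recommended here (this is example code, not from the Wiz report or the article), the script below embeds two constructed workflow files: one with the risky pattern (pull_request_target, checkout of the fork's head commit, secrets in the job) and a hardened rewrite using plain pull_request with a read-only token. It then flags the risky one with a simple line-based heuristic; the sample workflows, the secret name and the audit rules are all assumptions for the example.

```python
import re

# Constructed sample (not a real repository): the risky pattern. The privileged
# trigger grants the base repo's secrets, and the job checks out and runs code
# from the fork (npm ci runs lifecycle scripts from the untrusted tree).
VULNERABLE = """\
name: ci
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm ci && npm test
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
"""

# Constructed hardened rewrite: untrusted code runs under plain pull_request,
# which gives fork PRs no secrets; the token is explicitly read-only.
HARDENED = """\
name: ci
on:
  pull_request:
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test
"""

PRT = re.compile(r"\bpull_request_target\b")
HEAD_REF = re.compile(r"github\.event\.pull_request\.head\.(sha|ref)")

def audit(workflow_text: str) -> list:
    """Line-based heuristic (not a YAML parser): flag the risky combination."""
    lines = [l for l in workflow_text.splitlines() if not l.lstrip().startswith("#")]
    uses_prt = any(PRT.search(l) for l in lines)
    checks_out_head = any(HEAD_REF.search(l) for l in lines)
    uses_secrets = any("secrets." in l for l in lines)
    findings = []
    if uses_prt:
        findings.append("pull_request_target: workflow runs with base-repo secrets on fork PRs")
        if checks_out_head:
            findings.append("checkout of PR head under pull_request_target: fork code runs privileged")
        if uses_secrets:
            findings.append("secrets referenced in a pull_request_target workflow")
    return findings
```

Run `audit()` over each file under `.github/workflows/` to list candidates for manual review; an empty list means only that this particular pattern was not seen.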

The emergence of AI-assisted attacks like prt-scan signals a new era in supply chain security. Defenders must adapt by leveraging AI for threat detection and response, while also reinforcing fundamental security hygiene. The open source community, including platform providers like GitHub, must continue to improve default security settings and provide clearer warnings about risky configurations. As the line between human and machine-generated attacks blurs, the software supply chain's integrity depends on collective vigilance.


Source: Dark Reading News