Bipko Biz Digital News


AI-Assisted Supply Chain Attack Targets GitHub

May 27, 2026, by Twila Rosenbaum

A sophisticated supply chain attack leveraging artificial intelligence has targeted GitHub repositories, marking the second such campaign in recent months. Security researchers discovered that a threat actor used AI-enabled automation to launch hundreds of exploit attempts against open source software projects hosted on the platform. The campaign, designated prt-scan, aimed to steal credentials and tokens by exploiting a well-known misconfiguration in GitHub Actions workflows.

The attacker focused on repositories configured with the pull_request_target trigger, a feature that automatically runs workflows when a pull request is submitted, even from untrusted forks. Used on untrusted pull requests, this configuration grants the workflow full repository permissions and access to secrets, making it a prime target for exploitation. Over a period of several weeks, the threat actor opened more than 500 malicious pull requests across both small hobbyist projects and larger repositories.

Campaign Timeline and Methodology

The operation began on March 11, 2026, with an initial testing phase where the attacker opened 10 malicious pull requests. This phase continued through March 16, after which the activity paused for nearly two weeks. Then, starting April 2, the attacker resumed operations at a significantly higher velocity, opening approximately 475 pull requests over a 26-hour period. The speed and consistency of these actions suggested the use of AI-augmented automation to scan for vulnerable repositories, fork them, inject malicious code, and submit pull requests automatically.

The attacker's playbook involved identifying repositories using the pull_request_target trigger, forking those repositories, creating a branch, and hiding malicious code within what appeared to be routine updates. The payload was designed to steal GitHub tokens, environment variables, and cloud credentials. However, despite the ambitious design, the implementation contained several logical flaws that limited its effectiveness. Researchers noted that the attacker did not fully understand GitHub's permissions model, leading to a sloppy execution that rarely worked in practice.

Success Rate and Impact

Out of more than 450 exploitation attempts analyzed, fewer than 10% succeeded. The successful attacks primarily compromised small hobbyist projects, exposing ephemeral GitHub workflow credentials rather than persistent production infrastructure or cloud access. In at least two cases, the attacker managed to compromise npm packages. The limited success rate suggests that while AI enabled the attacker to scale operations rapidly, the lack of deep technical understanding prevented widespread damage.

This campaign follows the late-February hackerbot-claw operation, which also exploited the pull_request_target misconfiguration but was more targeted and hit high-profile repositories. In contrast, prt-scan was broader in scope, targeting a larger number of projects with less precision. The contrast between the two campaigns illustrates the evolving use of AI in cyberattacks, where automation allows even low-sophistication threat actors to launch large-scale supply chain attacks.

Implications for Software Security

The emergence of AI-assisted automation in supply chain attacks represents a significant shift in the threat landscape. Previously, such campaigns required manual effort and deep knowledge of GitHub workflows. Now, attackers can use AI to scan for misconfigurations, generate malicious payloads, and execute attacks across hundreds or thousands of targets simultaneously. This lowers the barrier to entry for threat actors and increases the frequency and scale of potential breaches.

Organizations that rely on open source software must urgently review their GitHub Actions configurations, particularly any use of pull_request_target on untrusted pull requests. Security hardening measures include restricting workflow permissions, avoiding the use of secrets in workflows triggered by forked pull requests, and implementing manual approval gates. The prt-scan campaign demonstrates that even flawed automated attacks can achieve some success, and that visibility into repository activity is essential for early detection.
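The review described above can be partly automated. The following audit sketch is an added example, not code from the article or its source: it flags workflow files that use pull_request_target and checks them against the hardening measures listed above. The sample workflows and finding names are constructed, and the checks are text heuristics rather than a full YAML parse.

```python
import re

# Constructed sample workflows for the demo (not from any real repository).
RISKY = """\
on:
  pull_request_target:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm ci && npm test
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
"""
HARDENED = """\
on:
  pull_request:
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test
"""

def audit_workflow(text):
    """Return sorted finding names for one workflow file's text (heuristic)."""
    # Drop full-line YAML comments so a commented-out trigger does not match.
    body = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))
    # The trigger can be a mapping key, a list item, or inside `on: [a, b]`.
    if not re.search(r"(^|[\s\[,\-])pull_request_target\s*(:|,|\]|$)", body, re.M):
        return []
    findings = ["uses-pull_request_target"]
    # Checking out the PR head runs fork-controlled code in the privileged job.
    if re.search(r"github\.event\.pull_request\.head\.(sha|ref)|refs/pull/", body):
        findings.append("checks-out-fork-code")
    if re.search(r"\$\{\{\s*secrets\.", body):
        findings.append("references-secrets")
    # No permissions block means the token gets the repository default scope.
    if not re.search(r"^\s*permissions\s*:", body, re.M):
        findings.append("no-explicit-permissions")
    # A job `environment:` is where required-reviewer approval gates attach.
    if not re.search(r"^\s*environment\s*:", body, re.M):
        findings.append("no-approval-environment")
    return sorted(findings)
```

Run audit_workflow over the text of each file under .github/workflows; an empty list means the file does not use the trigger at all, and a file reporting only uses-pull_request_target still deserves a manual read.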

Beyond individual repositories, the broader software supply chain is at risk. As AI tools become more accessible, security researchers anticipate a rise in similar campaigns targeting continuous integration and delivery pipelines. The open source community must collaborate to develop automated detection mechanisms and share indicators of compromise to mitigate these emerging threats.


Source: Dark Reading News

