
AI-Assisted Supply Chain Attack Targets GitHub

May 21, 2026  Twila Rosenbaum

A recent supply chain attack has demonstrated how threat actors are increasingly leveraging artificial intelligence to automate and scale exploitation of common misconfigurations in software development platforms. The campaign, which targeted GitHub repositories, involved over 450 exploit attempts aimed at stealing credentials and secrets from projects using the pull_request_target workflow trigger.

Security researchers first detected the activity on April 2, but subsequent analysis revealed it began nearly three weeks earlier, on March 11. The attacker executed the campaign in six distinct waves, using six different GitHub accounts that were linked to a single threat actor. The operation is the second in as many months where AI-assisted automation was used to systematically probe for the same vulnerability, following a late-February campaign known as "hackerbot-claw."

How the Attack Worked

The pull_request_target trigger in GitHub Actions is designed to run workflows automatically when a pull request is created, even if the request originates from an untrusted fork. When properly configured, this feature can streamline development workflows. However, if used without restrictions, it grants workflows full repository permissions and access to stored secrets—making it a prime target for attackers.

In this campaign, referred to as prt-scan, the attacker first scanned GitHub for repositories that had enabled pull_request_target without adequate safeguards. They then forked those repositories, created a new branch, and injected malicious code disguised as a routine update. The malicious payload was designed to steal GitHub tokens, environment variables, cloud credentials, and other sensitive data when the workflow executed automatically.

Unlike the earlier hackerbot-claw campaign, which focused on high-profile repositories and shorter attack windows, prt-scan was significantly broader. The attacker targeted both small hobbyist projects and larger open-source initiatives, opening well over 500 pull requests. Despite the wide net, fewer than 10% of the exploitation attempts succeeded—however, that still amounted to dozens of compromised repositories.

AI-Augmented Automation: A New Threat Vector

The most concerning aspect of the prt-scan campaign is the apparent use of AI to automate the targeting and exploitation process. Researchers observed a dramatic acceleration in attack velocity after an initial testing phase. From March 11 to March 16, the attacker opened only 10 malicious pull requests. After a two-week hiatus, activity resumed with a surge: over a 26-hour period starting April 2, the attacker opened approximately 475 pull requests containing a sophisticated credential-stealing payload.

This pattern suggests the attacker used automated scripts—likely enhanced by generative AI or large language models—to rapidly generate and deploy malicious pull requests across hundreds of targets. Such AI augmentation reduces the time and effort required to launch large-scale supply chain attacks, enabling even low-sophistication threat actors to execute campaigns that would have previously been impractical.

A Flawed but Effective Playbook

Despite the ambitious design of the payload, security researchers noted that the actual attack implementation contained significant flaws. The multi-phase payload attempted to steal credentials in a complex but poorly executed manner, reflecting a misunderstanding of GitHub's permission model. Some techniques used by the attacker were described as "illogical" by experts and unlikely to work in practice.

Nonetheless, the flawed approach still produced results for the attacker, who successfully compromised at least two npm packages and exfiltrated secrets from dozens of projects. In most cases, only ephemeral GitHub credentials tied to workflow runs were exposed, which limited the attacker's access to production infrastructure and persistent API keys. However, even limited credential exposure can be leveraged for further attacks, including account takeover or lateral movement.

Evolution of the Attack: From Testing to Automation

The attacker's behavior evolved throughout the campaign. The initial phase (March 11-16) appears to have been a testing period, with only a handful of pull requests submitted to validate the attack chain. After a nearly two-week pause, the attacker resumed operations with a much higher tempo, indicating they had refined their methodology and deployed automated tools.

Researchers identified the six GitHub accounts used in the campaign and confirmed they were all controlled by the same actor through overlapping infrastructure and code patterns. The accounts were registered shortly before the campaign began and exhibited similar behaviors, including the use of identical commit messages and file structures. This level of coordination further supports the conclusion that the attack was automated and AI-assisted.

Implications for Open-Source Security

The prt-scan campaign highlights a growing trend: attackers are using AI to lower the barrier to entry for complex supply chain attacks. Instead of manually crafting exploits for individual targets, they can now automate reconnaissance, exploit development, and delivery at scale. Open-source projects that rely on GitHub Actions without proper security controls are particularly vulnerable.

Developers and maintainers should review their use of the pull_request_target trigger and ensure that workflows do not run with elevated permissions on untrusted pull requests. Best practices include using the pull_request trigger instead when possible, applying strict access controls, and avoiding the use of repository secrets in automated workflows that execute code from forks. Security vendors have shared indicators of compromise for the prt-scan campaign and urged organizations to audit their GitHub environments.
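A heuristic audit for the workflow review recommended above, as an added example that is not from the original article or from GitHub: it scans workflow text for `pull_request_target` combined with a checkout of the pull request head, references to secrets, and a missing top-level `permissions` block. The two sample workflows, the `NPM_TOKEN` secret name and the `audit_workflow` function are constructed for illustration.

```python
import re

# Constructed sample workflows (not from any real repository).
RISKY = """\
on:
  pull_request_target:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm ci && npm test
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
"""
SAFER = """\
on:
  pull_request:
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test
"""

HEAD_REF = re.compile(r"github\.event\.pull_request\.head\.(sha|ref)|github\.head_ref|refs/pull/")
SECRETS = re.compile(r"\$\{\{\s*secrets\.(?!GITHUB_TOKEN\b)\w+")

def audit_workflow(text):
    """Heuristic text scan of one workflow file; returns a list of findings."""
    text = re.sub(r"(?m)^\s*#.*$", "", text)  # ignore whole-line comments
    if not re.search(r"\bpull_request_target\b", text):
        return []
    findings = ["runs on pull_request_target (base-repository context)"]
    if HEAD_REF.search(text):
        findings.append("checks out the pull request's head ref (untrusted code)")
    if SECRETS.search(text):
        findings.append("references repository secrets")
    if not re.search(r"(?m)^permissions:", text):
        findings.append("no top-level permissions block limiting GITHUB_TOKEN")
    return findings
```

A text scan like this cannot follow reusable workflows or composite actions, so a clean result is a first pass rather than proof that a repository is safe.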

This incident also underscores the importance of monitoring for unusual activity, such as a sudden influx of pull requests from unknown accounts, and implementing automated defenses that can detect and block malicious submissions before they execute. As AI continues to evolve, the speed and scale of such attacks will only increase, making proactive security measures essential for all organizations that rely on collaborative development platforms.
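One way to monitor for the pattern described above, as an added example that is not from the original article: it groups pull requests by author and flags accounts that combine the signals the article reports (many pull requests in a short window, recently registered accounts, identical commit messages). The record layout, account names, thresholds and the `flag_pr_bursts` function are assumptions; the sample records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed records: (author, account created, PR opened, repository, commit message).
SAMPLE_PRS = [
    ("new-acct-1", "2026-03-30T08:00", "2026-04-02T10:00", "org/api", "ci: update build configuration"),
    ("new-acct-1", "2026-03-30T08:00", "2026-04-02T10:20", "org/web", "ci: update build configuration"),
    ("new-acct-1", "2026-03-30T08:00", "2026-04-02T11:05", "org/cli", "ci: update build configuration"),
    ("regular-dev", "2021-06-01T09:00", "2026-04-02T10:30", "org/api", "fix: handle empty config"),
    ("regular-dev", "2021-06-01T09:00", "2026-04-02T15:00", "org/web", "docs: clarify setup steps"),
    ("first-timer", "2026-03-28T12:00", "2026-04-02T12:00", "org/cli", "fix typo in README"),
]

def flag_pr_bursts(prs, window=timedelta(hours=24), min_repos=3, max_age=timedelta(days=30)):
    """Return {author: [reasons]} for authors matching at least two signals."""
    by_author = defaultdict(list)
    for author, created, opened, repo, message in prs:
        by_author[author].append(
            (datetime.fromisoformat(opened), datetime.fromisoformat(created), repo, message))
    flagged = {}
    for author, items in by_author.items():
        items.sort()  # chronological by PR open time
        reasons, start, widest = [], 0, 0
        for end in range(len(items)):
            # Slide the window start forward until it spans at most `window`.
            while items[end][0] - items[start][0] > window:
                start += 1
            widest = max(widest, len({it[2] for it in items[start:end + 1]}))
        if widest >= min_repos:
            reasons.append(f"pull requests to {widest} repositories within the window")
        if items[0][0] - items[0][1] <= max_age:
            reasons.append("account younger than threshold at first pull request")
        if len(items) > 1 and len({it[3] for it in items}) == 1:
            reasons.append("identical commit message on every pull request")
        if len(reasons) >= 2:  # a single signal alone also matches ordinary newcomers
            flagged[author] = reasons
    return flagged
```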


Source: Dark Reading News

