A Second AI-Augmented Campaign Hits GitHub Repositories
A threat actor has leveraged AI-assisted automation to execute hundreds of exploitation attempts against open source software repositories on GitHub, according to analysis by cloud security vendor Wiz. The campaign, which Wiz tracks as prt-scan, represents the second known instance in recent months where an attacker appears to have used artificial intelligence to systematically target a well-documented GitHub misconfiguration at scale.
Wiz found that fewer than 10% of the more than 450 exploitation attempts it analyzed were successful. Despite that low success rate, the attacker still managed to compromise at least two NPM packages — a concerning outcome given the broader implications for software supply chain security.
Timeline and Discovery
The activity was first spotted on April 2 by Aikido Security researcher Charlie Eriksen. A follow-up investigation by Wiz, however, revealed that the campaign had actually begun roughly three weeks earlier, on March 11. It unfolded across six distinct waves, using six different GitHub accounts that researchers attributed to a single threat actor.
According to Wiz's analysis, the campaign started with what appeared to be a testing phase: the threat actor opened 10 malicious pull requests between March 11 and March 16. After a nearly two-week pause, the attacker resumed activity at a pace consistent with AI-enabled automation. Starting April 2, over a 26-hour period, the actor opened approximately 475 pull requests containing a sophisticated credential-stealing payload.
How the Attack Works
The attack exploits a well-understood GitHub misconfiguration involving the pull_request_target workflow trigger in GitHub Actions. This trigger automatically runs workflows within the main repository whenever a pull request is submitted, even from an untrusted fork. Because the workflow executes with full repository permissions and has access to repository secrets, a workflow that checks out and runs code from the pull request hands those privileges to the submitter, and a malicious pull request can be weaponized to steal API keys, tokens, and other sensitive credentials.
Wiz noted that this misconfiguration is well-documented, making it a predictable target for automated scanning and exploitation.
The attacker's playbook in the prt-scan campaign followed a consistent pattern:
- Scan for repositories that use the pull_request_target trigger in GitHub Actions.
- Fork the targeted repository and create a new branch.
- Conceal malicious code within what appears to be a routine update.
- Submit a pull request to trick the project into automatically running the hidden code.
- Use that execution to steal sensitive data or deploy malware.
Comparison to the Earlier 'hackerbot-claw' Campaign
The prt-scan campaign follows the late-February campaign tracked as hackerbot-claw, which used malicious pull requests exploiting the same pull_request_target feature to steal GitHub tokens, secrets, environment variables, and cloud credentials. The two campaigns differ significantly in scope and precision.
The hackerbot-claw campaign was shorter in duration, more targeted in nature, and focused on high-profile repositories. By contrast, prt-scan cast a far wider net — the threat actor opened significantly more than 500 pull requests targeting both small and large projects on GitHub, though with considerably less success overall.
Flawed Execution Despite Ambitious Design
Despite the scale of the campaign, Wiz's researchers found that the attacker's implementation was riddled with mistakes. The payload's design was ambitious, but the execution revealed a fundamental misunderstanding of GitHub's permissions model.
"The attacker attempted a sophisticated multi-phase payload but filled it with techniques that feel illogical to an expert and would rarely work in practice," Wiz researchers wrote in a report published Saturday.
In most cases, successful attacks were against small hobbyist projects and only exposed ephemeral GitHub credentials tied to the workflow. As Wiz noted: "For the most part, this campaign did not grant the attacker access to production infrastructure, cloud credentials, or persistent API keys, barring minor exceptions."
The Bigger Warning: AI Is Lowering the Bar for Supply Chain Attacks
Even with a flawed approach and a sub-10% success rate, the prt-scan campaign resulted in dozens of compromises — a figure that underscores a troubling trend. Wiz warned that AI-augmented automation has fundamentally changed the economics of supply chain attacks.
Low-sophistication attackers can now launch new campaigns across hundreds of targets in a fraction of the time and with a fraction of the effort that such operations previously required. The barrier to entry for conducting large-scale supply chain attacks has dropped significantly, and the prt-scan campaign is a concrete example of that shift in practice.
Recommendations for Organizations
Wiz included indicators of compromise (IoCs) for the prt-scan campaign in its published report and urged organizations to take steps to harden their GitHub environments. Key defensive measures include reviewing and restricting the use of the pull_request_target trigger, ensuring that workflows triggered by external pull requests do not run with elevated permissions by default, and auditing repositories for any existing misconfigurations that could be exploited in a similar manner.
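An audit of the kind recommended above, as an added example that is not from Wiz's report or the original article: it flags workflow files that use pull_request_target and, among those, ones that check out pull-request code, reference secrets, or set no explicit permissions block. The two workflows are constructed samples, and the finding names and the line-based matching (rather than a YAML parser) are assumptions of this example.

```python
import re
# Constructed sample workflows; not taken from any real repository.
RISKY = """\
on:
  pull_request_target:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}  # untrusted fork code
      - run: npm ci && npm test
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
"""
HARDENED = """\
on:
  pull_request:        # fork PRs get a read-only token and no secrets
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test
"""

def strip_comments(text):
    """Drop YAML comments so a commented-out trigger is not reported."""
    lines = (l.split(" #")[0] for l in text.splitlines())
    return "\n".join(l for l in lines if not l.lstrip().startswith("#"))

def audit(text):
    """Return finding names (hypothetical labels) for one workflow file."""
    body = strip_comments(text)
    if not re.search(r"\bpull_request_target\b", body):
        return []
    findings = ["uses-pull_request_target"]
    # Checking out the PR head puts fork-controlled code in a privileged job.
    if re.search(r"github\.event\.pull_request\.head\.(sha|ref)|refs/pull/", body):
        findings.append("checks-out-pr-head")
    # Any secret other than the built-in token is readable by that code.
    if re.search(r"\bsecrets\.(?!GITHUB_TOKEN\b)\w+", body):
        findings.append("exposes-secrets")
    # Without a permissions block the token scope falls back to the default.
    if not re.search(r"^\s*permissions:", body, re.M):
        findings.append("no-explicit-permissions")
    return findings
```

Run `audit()` over the text of each file under `.github/workflows/`; a workflow that reports only `uses-pull_request_target` still deserves a manual read, since the matching here is textual.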
As AI continues to lower the barrier for automated, large-scale attacks, organizations maintaining open source repositories — regardless of size or prominence — should treat GitHub Actions security as a priority rather than an afterthought.
Source: Dark Reading