A novel attack strategy is currently impacting open-source repositories on GitHub by cleverly disguising harmful code as typical CI build configuration updates. This campaign, known as prt-scan, exploits a commonly misused GitHub Actions workflow trigger to exfiltrate sensitive tokens, credentials, and cloud secrets from developers who unwittingly activate the deceptive pull requests.
Details of the Attack Campaign
The attack surfaced on March 11, 2026, when a threat actor using the GitHub account ‘testedbefore’ began submitting malicious pull requests to smaller repositories. Over the subsequent weeks, the attacker utilized six different GitHub accounts, cumulatively initiating over 500 malicious PRs. These fraudulent PRs were consistently titled “ci: update build configuration,” which made them appear harmless and easy to overlook.
The campaign saw a significant increase on April 2, 2026, as security researcher Charlie Eriksen publicly highlighted the activity. The account ‘ezmtebo’ alone submitted more than 475 malicious PRs within a 26-hour period. Wiz Research analysts traced the operation back three weeks prior to any public reports, identifying six separate waves of activity from the same threat actor.
Impact and Methodology
Researchers Rami McCarthy, Hila Ramati, Scott Piper, and Benjamin Read confirmed that the attacker successfully compromised at least two npm packages — @codfish/eslint-config and @codfish/actions — across 106 package versions. Verified thefts included AWS keys, Cloudflare API tokens, and Netlify authentication tokens. High-profile targets like Sentry, OpenSearch, and NixOS managed to thwart the attacks through stringent contributor approval controls.
This campaign is distinguished by its use of AI-powered automation, which enables the attacker to adapt to various targets seamlessly. The AI-driven tools fork repositories, analyze tech stacks, and inject payloads into the appropriate files for each programming language. This automation has lowered the technical barrier, allowing even less sophisticated attackers to conduct large-scale supply chain attacks at unprecedented speeds.
Defensive Measures and Recommendations
Despite its extensive reach, the campaign’s overall success rate was below 10% across over 450 analyzed exploits. Most effective hits impacted small hobbyist projects, revealing only temporary GitHub workflow tokens. Nonetheless, with over 500 total attempts, even a 10% success rate can yield numerous actual breaches. The attacker continuously refined their payloads and improved evasion tactics with each new wave.
The attack exploits the pull_request_target trigger in GitHub Actions, which operates entirely within the base repository’s context, granting full access to its secrets. Repositories that do not restrict this trigger to verified contributors are at risk. The malicious PR initiates a five-phase operation, starting with extracting the GITHUB_TOKEN and encoding it in workflow logs for later retrieval.
Organizations are advised to audit their GitHub repositories for compromise indicators such as branches labeled prt-scan-[12-character-hex], PRs titled “ci: update build configuration,” and specific workflow log markers. Administrators should limit pull_request_target triggers to approved contributors, enforce strict approval processes for first-time contributors, and implement actor-restricted or path-based workflow trigger conditions. Any exposed credentials, including AWS keys and cloud API tokens, should be rotated immediately.
Stay informed about the latest updates by following us on Google News, LinkedIn, and X, or set CSN as your preferred source on Google.
