Vulnerabilities

AI-Driven Supply Chain Attack Compromises 500 GitHub Repositories in Six-Week Campaign

April 7, 2026 / 4 Min Read

AI-Driven Supply Chain Attack Compromises 500 GitHub Repositories in Six-Week Campaign

A six-week supply chain attack against GitHub repositories exposed credentials from hundreds of organisations before security researchers detected it in April 2026. The campaign, dubbed prt-scan by Wiz Research, targeted the pull_request_target workflow trigger and successfully compromised secrets from at least 50 repositories including AWS keys, Cloudflare API tokens and Netlify authentication credentials.

According to Wiz Research, the earliest attack began on 11 March 2026, three weeks before public disclosure. The threat actor cycled through six GitHub accounts and opened more than 500 malicious pull requests, evolving from basic bash scripts to AI-generated language-aware payloads that adapted to different technology stacks without human intervention.

This represents a meaningful shift in supply chain attack methodology. What previously required manual reconnaissance and custom payload development can now be executed at machine speed across hundreds of targets simultaneously.

The 10% Success Rate Adds Up to Dozens of Compromises

The campaign’s technical approach was straightforward. Submit pull requests titled “ci: update build configuration” to repositories using vulnerable GitHub Actions workflows. Each malicious PR contained a five-phase payload that extracted environment variables, scanned for high-value secrets, attempted to bypass security labels and ran background processes to catch credentials injected by later CI steps.

The attack exploited GitHub’s pull_request_target trigger which runs workflows with the base repository’s full permissions rather than the restricted permissions typically applied to forked PRs. SafeDep analysts confirmed that the payload worked by injecting temporary workflows and auto-applying labels to bypass pull_request_target security gates.

While the campaign’s 10% success rate might appear modest, Wiz Research notes that across approximately 500 attempts, this translates to dozens of successful compromises. The attackers targeted everything from single-developer hobby repositories to major projects including those from SAP and Svelte.

No External Infrastructure Made Network Detection Impossible

One design choice made the campaign particularly difficult to detect, no attacker-controlled servers were ever contacted. All credential exfiltration happened through GitHub’s own API or link-local cloud metadata endpoints. SafeDep confirmed that stolen data was posted as PR comments via the GitHub API, compressed and wrapped in ==PRT_DELAYED_START_== markers.

This approach renders network-based detection useless. All traffic flows to api.github.com which appears legitimate to monitoring systems. The attackers’ operational security improved across each wave with later phases showing more sophisticated evasion techniques and better payload construction.

AI-powered code review bots including CodeRabbit, Sourcery and Qodo caught the malicious PRs consistently according to SafeDep’s analysis. However, traditional automated review systems including Codacy missed the attacks entirely while some review bots actually gave the malicious PRs legitimacy by assigning reviewers and applying triage labels.

The Campaign Connected to Broader 2025 Supply Chain Attacks

The prt-scan attack appears connected to a broader pattern of GitHub-focused supply chain compromises throughout 2025. Palo Alto Networks Unit 42 documented how the tj-actions/changed-files compromise in March 2025, which affected more than 23,000 repositories, began with a similar attack on reviewdog/action-setup that propagated through dependency relationships.

That incident exposed CI/CD secrets in public build logs and ultimately contributed to a breach at Coinbase affecting nearly 70,000 customers according to a CISA advisory on CVE-2025-30066. The pattern suggests attackers have identified GitHub Actions as a high-value target for automated credential harvesting at scale.

Silobreaker’s 2025 supply chain analysis concluded that threat actors shifted toward “highly targeted developer compromises, CI/CD manipulation and social-engineering-driven access” throughout the year. The prt-scan campaign represents the automation of techniques that were previously manual and labour-intensive.

Check for Compromise Markers Before Friday

Organisations should audit their GitHub repositories immediately for branches matching the pattern prt-scan-[12-character-hex] and pull requests titled “ci: update build configuration”. SafeDep recommends checking workflow run logs for PRT_EXFIL_START or PRT_RECON_START markers which indicate successful credential extraction.

If compromise markers are found, treat all CI secrets as exposed and rotate them without delay. This includes AWS access keys, npm tokens, Docker registry credentials and any API tokens accessible to GitHub Actions workflows. The background scanner component of the attack specifically targeted 22 high-value secret types including NETLIFY, STRIPE, OPENAI and ANTHROPIC tokens.

The immediate technical fix is to restrict pull_request_target workflows to approved contributors only and enforce strict first-time contributor approval gates. However, the broader lesson is that AI-assisted automation has fundamentally lowered the barrier to large-scale supply chain attacks. Manual review processes that worked against individual attackers will not scale against machine-generated campaigns targeting hundreds of repositories simultaneously.