A sophisticated new cyberattack campaign is actively targeting open-source projects on GitHub, exploiting a critical vulnerability in its Actions workflow automation to exfiltrate sensitive secrets and tokens. The campaign, dubbed “prt-scan,” disguises malicious code as routine CI build configuration updates, tricking developers into approving pull requests that compromise valuable credentials.
The attack, first observed on March 11, 2026, involves threat actors submitting numerous fraudulent pull requests to various repositories. These requests, consistently titled “ci: update build configuration,” are designed to appear innocuous, making detection difficult. Security researchers later identified that the attack had been ongoing for weeks before public disclosure, with a significant surge occurring on April 2, 2026, when a single actor submitted hundreds of malicious requests in a short period.
New GitHub Actions Attack Chain Leverages Fake CI Updates for Data Theft
The prt-scan campaign’s ingenuity lies in its automation and adaptability. Threat actors are reportedly using AI-powered tools to fork repositories, analyze their specific technology stacks, and inject malicious payloads into the most appropriate files for each language or framework. This allows for a highly targeted approach, compromising Go test files in Go projects, `conftest.py` in Python projects, and `package.json` scripts in Node.js projects, among others.
While the overall success rate across analyzed exploit attempts remained low, reportedly below 10%, the sheer volume of attacks means dozens of real compromises are likely. The most successful targets have been smaller, hobbyist projects, often yielding temporary GitHub workflow tokens. However, the attacker’s continuous refinement of payloads and evasion techniques suggests a persistent and evolving threat to the software supply chain.
Wiz Research analysts have confirmed the compromise of at least two npm packages, `@codfish/eslint-config` and `@codfish/actions`, across numerous versions. Verified compromises include the theft of AWS keys, Cloudflare API tokens, and Netlify authentication tokens. While some high-profile targets, such as Sentry, OpenSearch, and NixOS, successfully blocked these attacks due to robust contributor approval controls, many smaller projects remain vulnerable.
Understanding the Technical Exploitation of GitHub Actions
The core of the prt-scan attack exploits the `pull_request_target` trigger within GitHub Actions. This trigger differs significantly from the standard `pull_request` trigger in that it executes within the context of the base repository, not the forked repository. Consequently, it grants full access to repository secrets, even when the pull request originates from an untrusted external source.
Organizations that fail to restrict the `pull_request_target` trigger to verified contributors are particularly susceptible to this threat. When a vulnerable workflow is triggered by a malicious pull request, the embedded payload initiates a multi-phase operation designed for data exfiltration.
The initial phase involves extracting the `GITHUB_TOKEN` from the Git configuration. This token is then compressed, base64-encoded, and written to the workflow logs, making it accessible to the threat actor. The subsequent phases leverage the stolen token to interact with the GitHub API, mapping out secret names, deployment environments, and workflow configuration files.
Simultaneously, the attack probes cloud metadata endpoints for AWS, Azure, and Google Cloud credentials. A background daemon continuously monitors the Linux `/proc` filesystem for any secrets loaded by subsequent job steps, capturing and posting this sensitive information directly into pull request comments. This method ensures the data remains accessible even if workflow logs are subsequently cleared.
Mitigation and Future Outlook for Open Source Security
To protect against this attack chain, organizations are advised to conduct immediate audits of their GitHub repositories. Key indicators of compromise include branches matching the pattern `prt-scan-[12-character-hex]` and pull requests bearing the title “ci: update build configuration.” Workflow log markers such as `==PRT_EXFIL_START_[nonce]==` can also signal an attempted exfiltration.
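The three indicators above can be checked mechanically. The following is an added example, not code from Wiz Research or GitHub: the PR records and log lines are constructed, the field names `title` and `head_ref` are hypothetical, and because the article does not document the nonce format the marker pattern accepts any non-`=` run.

```python
import re

# Indicators quoted in the article. The nonce format is not documented there,
# so MARKER_RE accepts any run of non-"=", non-space characters (assumption).
BRANCH_RE = re.compile(r"(?:^|[/:])prt-scan-[0-9a-fA-F]{12}$")
TITLE = "ci: update build configuration"
MARKER_RE = re.compile(r"==PRT_EXFIL_START_[^=\s]+==")


def triage_pull_request(pr):
    """Return the indicator names ("branch", "title") matched by one PR record."""
    hits = []
    # head_ref may be a bare name, "refs/heads/<name>" or "owner:<name>".
    if BRANCH_RE.search(pr.get("head_ref", "")):
        hits.append("branch")
    if pr.get("title", "").strip().lower() == TITLE:
        hits.append("title")
    return hits


def scan_log(lines):
    """Return (line_number, marker) for every exfiltration marker in a log."""
    return [(number, match.group(0))
            for number, line in enumerate(lines, start=1)
            for match in MARKER_RE.finditer(line)]


# Constructed sample data (not real pull requests or workflow logs).
SAMPLE_PRS = [
    {"number": 101, "title": "ci: update build configuration", "head_ref": "prt-scan-0123456789ab"},
    {"number": 102, "title": "ci: update build configuration", "head_ref": "fix/ci-cache"},
    {"number": 103, "title": "docs: fix typo", "head_ref": "prt-scan-xyz"},
]
SAMPLE_LOG = [
    "2026-04-02T10:00:01Z Run go test ./...",
    "2026-04-02T10:00:02Z ==PRT_EXFIL_START_a1b2c3==",
    "2026-04-02T10:00:03Z ok  example/pkg 0.4s",
]

if __name__ == "__main__":
    for pr in SAMPLE_PRS:
        print(pr["number"], triage_pull_request(pr))
    print(scan_log(SAMPLE_LOG))
```

A title match alone (PR 102) is a weak signal, since the title was chosen to look routine; a branch match or a log marker is the stronger reason to rotate secrets.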
Essential mitigation strategies include restricting the `pull_request_target` trigger to approved contributors only. Enforcing strict first-time contributor approval gates and applying actor-restricted or path-based workflow trigger conditions are also critical steps. Any exposed credentials, including AWS keys, npm tokens, and cloud API tokens, must be rotated without delay.
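To find which workflows need those restrictions, a repository's workflow files can be screened for the risky combination described earlier: a `pull_request_target` trigger that checks out the pull request's head with no actor condition. This is an added example, not tooling from the article; it is a text heuristic rather than a YAML parser, and the two workflow files are constructed.

```python
import re

TRIGGER_RE = re.compile(r"\bpull_request_target\b")
# Expressions that make a step fetch the fork's code rather than the base branch.
HEAD_REF_RE = re.compile(r"github\.event\.pull_request\.head\.(sha|ref)|github\.head_ref")
# An `if:` that conditions a job or step on who opened or triggered the PR.
ACTOR_GATE_RE = re.compile(r"^\s*(-\s*)?if:.*(author_association|github\.(triggering_)?actor)", re.M)
PATHS_RE = re.compile(r"^\s*paths:", re.M)


def audit_workflow(text):
    """Heuristic text audit (YAML comments ignored); returns (risk, findings)."""
    body = "\n".join(re.sub(r"(^|\s)#.*$", "", ln) for ln in text.splitlines())
    if not TRIGGER_RE.search(body):
        return "not-applicable", []
    findings = []
    if HEAD_REF_RE.search(body):
        findings.append("checks-out-pr-head")
    if not ACTOR_GATE_RE.search(body):
        findings.append("no-actor-gate")
    if not PATHS_RE.search(body):
        findings.append("no-path-filter")
    high = {"checks-out-pr-head", "no-actor-gate"} <= set(findings)
    return ("high" if high else "review" if findings else "gated"), findings

# Constructed workflow files (not taken from any real repository).
WEAK = """\
on: pull_request_target
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: pytest
"""
GATED = """\
on:
  pull_request_target:
    paths: ["src/**"]
jobs:
  test:
    if: github.event.pull_request.author_association == 'MEMBER'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: pytest
"""
```

`audit_workflow(WEAK)` rates the first file `high`; a `review` result means a gate or filter is present but something on the list is still missing and a person should read the file.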
The prt-scan campaign highlights the evolving sophistication of supply chain attacks and the paramount importance of robust security practices within open-source development ecosystems. As attackers increasingly leverage automation and AI, developers and organizations must remain vigilant, continuously updating their security postures and actively monitoring for suspicious activity. The ongoing refinement of these attack vectors suggests that similar threats will continue to emerge, demanding proactive defense mechanisms and a commitment to secure coding practices across the industry.

