prt-scan
prt-scan is the name used by Wiz Research for a multi-wave supply chain threat actor campaign that exploited GitHub Actions workflows using the misconfigured pull_request_target trigger. Activity began on March 11, 2026 and continued through at least April 3, 2026 across six waves. The actor used multiple GitHub accounts, including testedbefore, beforetested-boop, 420tb, 69tf420, elzotebo, and ezmtebo, and opened well over 500 malicious pull requests, including more than 475 in 26 hours from ezmtebo.

The attacker targeted repositories ranging from hobbyist projects to prominent organizations, searching for repositories using pull_request_target, forking them, creating branches named prt-scan-[12-hex-chars], modifying CI-executed files, and opening pull requests titled "ci: update build configuration." Observed payloads evolved from raw bash scripts to AI-generated, repository-aware wrappers tailored to Python, Node.js, Go, Rust, and GitHub Actions environments. Malicious code was injected into files such as conftest.py, package.json, Makefile, build.rs, action.yml, setup.py, Go test files, npm scripts, and existing Python files.

The campaign used a five-stage structure: EXFIL, RECON, DISPATCH, LABEL_BYPASS, and DELAYED. It attempted to steal GITHUB_TOKEN values, dump environment variables and GitHub authentication material to workflow logs using gzip and base64 encoding, enumerate GitHub secrets metadata and organization secrets, inspect workflows, probe AWS, Azure, and GCP metadata endpoints, create and trigger temporary workflows on the default branch, apply labels to trigger label-gated workflows, scan /proc/*/environ for secrets, and exfiltrate data through workflow logs and pull request comments. When NPM_TOKEN values were found, the actor attempted to publish malicious npm package versions.
Wiz assessed the actor as low sophistication despite the scale and automation, because the payloads frequently misunderstood GitHub’s permission model and several techniques were ineffective under typical token permissions. Wiz observed a success rate below 10% across more than 450 analyzed exploit attempts, with most successful attacks affecting small hobbyist projects and usually exposing ephemeral GitHub workflow credentials. High-value targets including Sentry, OpenSearch, IPFS, NixOS, Jina AI, and recharts reportedly blocked the attacks through contributor approval gates, actor-restricted workflows, and path-based trigger conditions. Wiz confirmed compromise of at least two npm packages, @codfish/eslint-config and @codfish/actions, across 106 versions, and observed verified credential theft involving AWS keys, Cloudflare API tokens, and Netlify auth tokens. The campaign is notable for AI-assisted automation lowering the barrier for large-scale software supply chain attacks against GitHub CI/CD workflows.
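As an added example (not from Wiz's report or this profile), the following Python script scores incoming pull requests against the indicators described above (known actor accounts, the prt-scan branch naming, the PR title, and edits to CI-executed files) so a maintainer can triage them before a pull_request_target workflow ever runs. The sample PR records are constructed, and the two-indicator threshold and case-insensitive hex matching are assumptions.

```python
import re
from dataclasses import dataclass

# Indicators taken from Wiz Research's reporting on the prt-scan campaign.
KNOWN_ACCOUNTS = {"testedbefore", "beforetested-boop", "420tb", "69tf420", "elzotebo", "ezmtebo"}
# Branch pattern prt-scan-[12-hex-chars]; matching the hex case-insensitively is an assumption.
BRANCH_RE = re.compile(r"^prt-scan-[0-9a-f]{12}$", re.IGNORECASE)
PR_TITLE = "ci: update build configuration"
# Files the campaign modified because CI executes them under pull_request_target.
CI_EXECUTED = {"conftest.py", "package.json", "Makefile", "build.rs", "action.yml", "setup.py"}
GO_TEST_RE = re.compile(r"_test\.go$")

@dataclass
class PullRequest:
    number: int
    author: str
    head_branch: str
    title: str
    files: list

def score_pr(pr):
    """Return the prt-scan indicators a PR matches, in a fixed order (empty list = none)."""
    hits = []
    if pr.author in KNOWN_ACCOUNTS:
        hits.append("known-account")
    if BRANCH_RE.match(pr.head_branch):
        hits.append("branch-name")
    if pr.title.strip().lower() == PR_TITLE:
        hits.append("pr-title")
    if any(f.rsplit("/", 1)[-1] in CI_EXECUTED or GO_TEST_RE.search(f) for f in pr.files):
        hits.append("ci-executed-files")
    return hits

def triage(prs, threshold=2):
    """Map PR number -> matched indicators for PRs at or above threshold (2 is an assumption)."""
    flagged = {}
    for pr in prs:
        hits = score_pr(pr)
        if len(hits) >= threshold:
            flagged[pr.number] = hits
    return flagged

# Constructed sample PRs (not real pull requests) used to exercise the triage.
SAMPLE_PRS = [
    PullRequest(101, "ezmtebo", "prt-scan-3f9a1c2b7d4e", "ci: update build configuration", ["conftest.py"]),
    PullRequest(102, "maintainer", "fix/typo", "docs: fix typo", ["README.md"]),
    PullRequest(103, "contrib", "feature/ci", "ci: update build configuration", [".github/workflows/ci.yml"]),
    PullRequest(104, "newuser", "prt-scan-abc", "CI: Update build configuration", ["pkg/foo_test.go"]),
]
```

Calling `triage(SAMPLE_PRS)` flags PRs 101 and 104; PR 103 matches on the title alone and stays below the threshold, which is why a single indicator should prompt review rather than an automatic block.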
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Software & Services
Tradecraft
3 distinct techniques observed across reporting, grouped by tactic.
Recent activity
2 sources tracked across advisories, community write-ups, and news.
Automated supply-chain campaign exploiting GitHub pull_request_target workflow misconfigurations at scale via malicious pull requests, stealing CI secrets/tokens, probing cloud metadata, and publishing malicious npm package versions when NPM_TOKEN was found.
AI-assisted supply chain campaign exploiting GitHub pull_request_target workflow misconfigurations at scale, opening over 500 malicious pull requests, stealing workflow credentials and secrets, probing cloud metadata, and successfully compromising at least two npm packages.