AI-Assisted GitHub Actions Campaign Exploited `pull_request_target` to Steal Secrets
Researchers reported that the prt-scan campaign abused misconfigured GitHub Actions workflows using the pull_request_target trigger to run attacker-controlled code from forked pull requests in privileged CI contexts. The actor used at least six GitHub accounts to submit more than 500 malicious pull requests across six waves, disguising many as routine CI updates and tailoring payloads to Python, Node.js, Go, Rust, and GitHub Actions repositories. Wiz said the operation evolved from simple bash payloads into AI-assisted, repository-aware implants designed to steal GITHUB_TOKEN values, enumerate secrets, probe cloud metadata services, and exfiltrate credentials through workflow logs and pull request comments.
The campaign succeeded often enough to cause real supply-chain impact despite an estimated success rate below 10%. Wiz confirmed compromise of the npm packages @codfish/eslint-config and @codfish/actions across 106 versions, and verified theft of AWS keys, Cloudflare API tokens, and Netlify authentication tokens. High-profile projects including Sentry, OpenSearch, IPFS, NixOS, Jina AI, and recharts reportedly blocked the attempts through contributor approval gates and workflow restrictions. The activity follows earlier warnings from Sysdig that insecure use of pull_request_target in prominent repositories such as MITRE, Splunk, and Spotipy could expose secrets and high-privilege GITHUB_TOKEN permissions, underscoring that unsafe GitHub Actions defaults remain an active software supply-chain risk.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
8 events from the most recent confirmed update back to the earliest known activity.
Attacker compromises two npm packages during prt-scan
During the campaign, the attacker successfully compromised the npm packages @codfish/eslint-config and @codfish/actions across 106 versions. Wiz also verified theft of credentials including AWS keys, Cloudflare API tokens, and Netlify auth tokens.
Wiz publicly discloses the prt-scan campaign
Wiz Research published details of the prt-scan campaign, describing six waves of attacks from March 11 through early April 2026 and attributing them to one actor using six GitHub accounts. The disclosure highlighted AI-assisted, repository-aware payloads and a success rate below 10% despite real compromises.
prt-scan campaign spikes with 475+ pull requests in 26 hours
On April 2, 2026, the GitHub account ezmtebo submitted more than 475 malicious pull requests in a 26-hour burst as part of the prt-scan campaign. The wave was part of a broader operation that exceeded 500 malicious pull requests overall.
prt-scan campaign begins targeting GitHub repositories
A threat actor began the prt-scan supply chain campaign on GitHub, exploiting repositories with misconfigured pull_request_target workflows to steal tokens, secrets, and cloud credentials. Wiz linked the activity to a single actor operating through multiple GitHub accounts.
Splunk patches vulnerable workflow in security_content repository
Splunk patched the insecure GitHub Actions workflow in its security_content repository, though the report says it did not acknowledge the disclosure. The vulnerable configuration exposed privileged workflow execution to untrusted pull request code.
MITRE remediates vulnerable GitHub Actions workflow
MITRE remediated the vulnerable workflow in its mitre-attack/car repository after Sysdig's disclosure. The flaw allowed untrusted forked pull request code to execute in a privileged CI context.
Spotipy fixes vulnerable workflow and assigns CVE-2025-47928
After disclosure of the insecure GitHub Actions issue, the Spotipy project remediated its vulnerable workflow and assigned CVE-2025-47928 to the flaw. The issue involved unsafe use of pull_request_target that could expose secrets and privileged GitHub token access.
Sysdig identifies insecure GitHub Actions in major open-source repositories
Sysdig Threat Research Team found multiple high-profile open-source repositories vulnerable to insecure GitHub Actions workflows, primarily involving misuse of the pull_request_target trigger that allowed untrusted pull request code to run in privileged contexts. The researchers demonstrated compromise paths in repositories including spotipy-dev/spotipy, mitre-attack/car, and splunk/security_content.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
5 references tracked. Mallory keeps watching after this page renders.
New GitHub Actions Attack Chain Uses Fake CI Updates to Exfiltrate Secrets and Tokens
cybersecuritynews.com
Open sourceAI-Assisted Supply Chain Attack Targets GitHub
darkreading.com
Open sourceprt-scan: AI-Powered GitHub Actions Supply Chain Attack | Wiz Blog
ramimac.me
Open sourceprt-scan: AI-Powered GitHub Actions Supply Chain Attack | Wiz Blog
wiz.io
Open sourceDangerous by default: Insecure GitHub Actions found in MITRE, Splunk, and other open source repositories | Sysdig
webflow.sysdig.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Compromised GitHub Actions tags exfiltrated CI/CD secrets from runners
Threat actors compromised the popular GitHub Actions repositories `actions-cool/issues-helper` and `actions-cool/maintain-one-comment` by moving version tags to imposter commits outside the normal commit history, causing workflows that referenced those tags to fetch and run malicious code. Researchers said the payload downloaded the **Bun** JavaScript runtime, read memory from the GitHub Actions `Runner.Worker` process to recover decrypted secrets, and exfiltrated the data over HTTPS to the attacker-controlled domain `t.m-kosche[.]com`; workflows pinned to a known-good full commit SHA were not affected. GitHub later disabled access to the repository for a terms-of-service violation, while StepSecurity added the action to its Compromised Actions Policy and blocked the exfiltration domain through Harden-Runner. The incident highlights a broader GitHub Actions supply-chain risk in which CI/CD trust can be subverted through mutable references and weak integrity controls. Separate research showed that a modified Maven wrapper in a pull request could achieve code execution on GitHub-hosted runners and, if merged, later expose release secrets such as Maven publishing credentials and GPG material, underscoring the need for checksum validation on wrapper scripts and immutable pinning to trusted commit SHAs for third-party actions. StepSecurity also linked the same exfiltration infrastructure to the recent **Mini Shai-Hulud** activity targeting npm packages in the `@antv` ecosystem, suggesting the GitHub Actions compromise may be part of a wider supply-chain campaign.
May 19, 2026Backdoored `tj-actions/changed-files` GitHub Action Leaked CI Secrets from Workflow Logs
The widely used GitHub Action **`tj-actions/changed-files`** was compromised after an attacker gained write access to the repository and retargeted release tags to a malicious orphaned commit, causing workflows pinned to tags rather than immutable SHAs to run attacker-controlled code. The backdoor downloaded and executed a remote payload that scraped decrypted GitHub Actions secrets from process memory and printed them into workflow logs, exposing repositories that executed the action and creating acute risk for public projects where logs were openly accessible. The incident was detected after anomalous outbound network activity was observed, and the maintainer removed the malicious changes soon afterward. Follow-on analysis found the blast radius was substantial because the action was referenced across roughly **23,000 repositories** and many workflows were not pinned to a full commit hash. GitGuardian reported that among workflows executed during the compromise window, hundreds showed signs of exploitation and **603 secrets** were exposed in logs, including temporary GitHub tokens, DockerHub credentials, AWS keys, GitHub personal access tokens, Jira tokens, and cloud.gov credentials. Organizations using the action were urged to review workflow runs from March 14 onward, delete affected logs, rotate any exposed credentials, audit dependencies and commits, and pin third-party GitHub Actions to full commit SHAs to reduce future supply-chain risk.
May 27, 2026
Megalodon GitHub Supply Chain Attack Injected Malicious Actions into 5,561 Repos
Researchers disclosed a large-scale automated supply chain attack dubbed **Megalodon** that pushed **5,718 malicious commits** into **5,561 GitHub repositories** in less than six hours, using forged CI/CD bot identities and benign-looking commit messages to slip in malicious GitHub Actions workflow files. The workflows requested elevated permissions and carried base64-encoded bash payloads that executed after maintainers merged the changes, harvesting CI/CD environment data, cloud credentials, SSH keys, Docker and Kubernetes secrets, Vault and Terraform credentials, GitHub OIDC tokens, and other source-code and developer secrets. Investigators said the stolen data was exfiltrated over HTTP POST requests to **`216.126.225[.]129:8443`**, with two workflow variants observed, including payloads labeled **SysDiag** and **Optimize-Build**. The most visible downstream impact was a compromise of the **Tiledesk** repository, where a malicious workflow change led to the publication of poisoned **`@tiledesk/tiledesk-server`** npm versions **`2.18.6`** through **`2.18.12`**. Reporting tied the activity to a broader pattern of software supply chain abuse associated with **TeamPCP**, whose earlier incidents affected major open-source and commercial projects and prompted npm to invalidate some write-capable granular access tokens that could bypass 2FA protections. Security firms urged organizations to review repositories for unauthorized workflow changes, block the identified command-and-control infrastructure, rotate exposed secrets and keys, and inspect cloud and CI logs for signs of credential theft or cloud impersonation.
Jun 5, 2026