Find notable cyber news and cases, enriched with sources, timelines, and signals.

Prt-scan GitHub pull_request_target supply-chain campaign

Campaign
First reported
Last updated
Happening score
H score 45
1 unique sources, 1 articles

Summary

Hide ▲

The prt-scan campaign used AI-assisted automation to scale a broad GitHub supply-chain operation, increasing risk for repositories configured with `pull_request_target`. It ran in six waves and more than 450 exploit attempts, with fewer than 10% succeeding and at least two NPM packages compromised. The operator focused on malicious pull requests that could expose GitHub credentials, secrets, and workflow data. The breadth and automation of the run made it easier to target both small and large projects at scale.

Related Happenings

GitHub API enumeration campaign targeting corporate organizations

Campaign
H score17 First: 09.07.2026 21:38 Last: 09.07.2026 21:38 Sources 1

About this happening: A **GitHub API reconnaissance campaign** is systematically mapping **corporate organizations**, repositories, and user accounts across multiple companies, expanding the risk of fo...

GitHub Agentic Workflows indirect prompt injection security flaw

Vulnerability
H score27 First: 07.07.2026 17:04 Last: 07.07.2026 17:04 Sources 1

About this happening: **GitHub Agentic Workflows** has an **indirect prompt injection** flaw that can let a **public issue** leak content from **private repositories** into public comments. The risk is...

GitHub actions/checkout blocks fork pull request checkouts by default in privileged workflows

Security Tool/Service
H score11 First: 23.06.2026 17:22 Last: 23.06.2026 17:22 Sources 1

About this happening: GitHub's **actions/checkout** now refuses common **pwn request** patterns by default, cutting the risk of attacker-controlled code execution in privileged **GitHub Actions** workf...

Contagious Interview UNK_DeadDrop GitHub phishing campaign

Campaign
H score37 First: 15.06.2026 22:32 Last: 15.06.2026 22:32 Sources 1

About this happening: The **Contagious Interview** cluster is running the **UNK_DeadDrop** phishing campaign to lure developers with **recruitment** and **code review** themes, reaching **nearly 100 or...

GitHub npm v12 hardens install-time dependency execution and source resolution

Security Tool/Service
H score11 First: 10.06.2026 22:41 Last: 10.06.2026 22:41 Sources 1

About this happening: **GitHub** is tightening **npm v12** next month by blocking automatic dependency install scripts and non-registry sources, reducing supply-chain attack paths triggered by **npm in...

Timeline

  1. 07.04.2026 00:38 1 articles · 3mo ago

    Prt-scan testing phase begins on GitHub

    Campaign Scope Update

    The prt-scan campaign began on March 11, 2026, when a threat actor opened 10 malicious pull requests against GitHub repositories using the pull_request_target workflow trigger in GitHub Actions, indicating an apparent testing phase.

    Show sources
  2. 07.04.2026 00:38 1 articles · 3mo ago

    Prt-scan testing phase continues through March 16

    Campaign Scope Update

    The initial prt-scan activity continued through March 16, then paused for nearly two weeks before the operator resumed at a much higher volume with signs of AI-enabled automation.

    Show sources
  3. 07.04.2026 00:38 2 articles · 3mo ago

    Prt-scan burst on April 2 compromises NPM packages

    Victim Impact Update

    Starting April 2, 2026, the attacker used AI-assisted automation to open some 475 pull requests over a 26-hour period, while Wiz analyzed more than 450 exploitation attempts, found fewer than 10% successful, and confirmed compromise of at least two NPM packages.

    Show sources