Prt-scan GitHub pull_request_target supply-chain campaign
Campaign
Summary
The prt-scan campaign used AI-assisted automation to scale a broad GitHub supply-chain operation, increasing risk for repositories whose workflows use the `pull_request_target` trigger. It ran in six waves and involved more than 450 exploit attempts; fewer than 10% succeeded, and at least two NPM packages were compromised. The operator relied on malicious pull requests that could expose GitHub credentials, secrets, and workflow data. The breadth and automation of the run made it easier to target both small and large projects at scale.
Related Happenings
Megalodon GitHub CI/CD supply-chain campaign
Campaign
First: 22.05.2026 14:55
Last: 22.05.2026 14:55
Sources 1
About this happening:
The **Megalodon** campaign pushed **5,718 malicious commits** into **5,561 GitHub repositories** in about **six hours**, creating a broad **CI/CD secret-theft** risk across develo...
GitHub hit by network compromise
Incident
First: 20.05.2026 07:01
Last: 20.05.2026 07:01
Sources 1
About this happening:
GitHub is investigating unauthorized access to its internal repositories after a third party allegedly offered stolen material for sale on a cybercrime forum. The intrusion was li...
Latest development: 20.05.2026 13:45
GitHub detected unauthorized access tied to a poisoned Visual Studio Code (VS Code) extension on an employee device, removed the malicious extension version, isolated the endpoint, and began incident response to contain exposure across internal repositories.
Actions-cool/issues-helper hit by network compromise
Incident
First: 19.05.2026 08:28
Last: 19.05.2026 08:28
Sources 1
About this happening:
The **actions-cool/issues-helper** GitHub Actions supply-chain compromise let malicious tags run in **CI/CD pipelines**, causing **credential theft** and downstream account risk....
Mini Shai-Hulud supply-chain campaign targeting npm and PyPI
Campaign
First: 12.05.2026 17:45
Last: 12.05.2026 17:45
Sources 1
About this happening:
The **Mini Shai-Hulud** **supply-chain campaign** linked to **TeamPCP** expanded into downstream victim reporting, including **Grafana Labs**. Grafana said its **GitHub environmen...
Latest development: 21.05.2026 11:00
Grafana Labs said its GitHub environment was accessed and its codebase downloaded, with additional internal operational information taken from GitHub repositories, after compromise linked to the Mini Shai-Hulud campaign and TanStack npm packages. Grafana said it first spotted malicious activity on May 11, discovered the unauthorized download on May 17, and after contact from the ransom gang rotated automation tokens, enabled enhanced monitoring, audited commits since the May 11 incident, and hardened its GitHub security posture, while saying there is no indication customer production systems or operations were compromised.
TanStack hit by network compromise
Incident
First: 12.05.2026 17:45
Last: 12.05.2026 17:45
Sources 1
About this happening:
**TanStack** was hit by a **package compromise** on **May 11, 2026**, when attackers published **84 malicious versions** across **42 @tanstack/* packages** and abused the release...
Latest development: 21.05.2026 11:00
On May 17, 2026, Grafana Labs said an unauthorized attacker had downloaded its codebase after accessing the firm's GitHub environment, and the company later said additional internal operational information and business contact names and email addresses were taken from its GitHub repositories; Grafana Labs said there was no indication that customer production systems or the Grafana Cloud platform were compromised.
Timeline
- 07.04.2026 00:38 · 1 article
Prt-scan testing phase begins on GitHub
Campaign Scope Update: The prt-scan campaign began on March 11, 2026, when a threat actor opened 10 malicious pull requests against GitHub repositories using the `pull_request_target` workflow trigger in GitHub Actions, indicating an apparent testing phase.
Sources:
- AI-Assisted Supply Chain Attack Targets GitHub — www.darkreading.com — 07.04.2026 00:38
- 07.04.2026 00:38 · 1 article
Prt-scan testing phase continues through March 16
Campaign Scope Update: The initial prt-scan activity continued through March 16, then paused for nearly two weeks before the operator resumed at a much higher volume with signs of AI-enabled automation.
Sources:
- AI-Assisted Supply Chain Attack Targets GitHub — www.darkreading.com — 07.04.2026 00:38
- 07.04.2026 00:38 · 2 articles
Prt-scan burst on April 2 compromises NPM packages
Victim Impact Update: Starting April 2, 2026, the attacker used AI-assisted automation to open some 475 pull requests over a 26-hour period, while Wiz analyzed more than 450 exploitation attempts, found fewer than 10% successful, and confirmed compromise of at least two NPM packages.
Sources:
- AI-Assisted Supply Chain Attack Targets GitHub — www.darkreading.com — 07.04.2026 00:38
- AI-Assisted Supply Chain Attack Targets GitHub — www.darkreading.com — 07.04.2026 00:38