Prt-scan GitHub Actions secret-theft campaign
Campaign
Summary
Hide ▲
Show ▼
The prt-scan campaign has been systematically abusing pull_request_target GitHub Actions workflows to steal developer secrets and, when possible, publish malicious package versions. The operation has been running since March 11, 2026 and has been linked to over 450 exploit attempts, with most successful cases hitting small hobbyist projects. Its significance is that a repeatable CI abuse pattern can turn repository automation into a path for credential theft and supply-chain follow-on compromise.
Related Happenings
Single organization's private GitHub repository cloned after confirmed access
Data Leak
H score12
First: 09.07.2026 21:38
Last: 09.07.2026 21:38
Sources 1
About this happening:
**Confirmed access** to a **private GitHub repository** belonging to **one organization** marks a concrete **data exposure** and raises the risk of source-code or internal-content...
Single organization's private GitHub repository cloned after confirmed access
Data LeakAbout this happening: **Confirmed access** to a **private GitHub repository** belonging to **one organization** marks a concrete **data exposure** and raises the risk of source-code or internal-content...
GitHub API enumeration campaign targeting corporate organizations
Campaign
H score17
First: 09.07.2026 21:38
Last: 09.07.2026 21:38
Sources 1
About this happening:
A **GitHub API reconnaissance campaign** is systematically mapping **corporate organizations**, repositories, and user accounts across multiple companies, expanding the risk of fo...
GitHub API enumeration campaign targeting corporate organizations
CampaignAbout this happening: A **GitHub API reconnaissance campaign** is systematically mapping **corporate organizations**, repositories, and user accounts across multiple companies, expanding the risk of fo...
Codfish/semantic-release-action hit by network compromise
Incident
H score21
First: 26.06.2026 14:05
Last: 26.06.2026 14:05
Sources 1
About this happening:
The **codfish/semantic-release-action** GitHub Action was hit by a **malicious commit force-push** and **tag redirection** that caused trusted workflows to run attacker code. The...
Codfish/semantic-release-action hit by network compromise
IncidentAbout this happening: The **codfish/semantic-release-action** GitHub Action was hit by a **malicious commit force-push** and **tag redirection** that caused trusted workflows to run attacker code. The...
Miasma self-replicating supply chain attack campaign targeting open-source repositories
Campaign
H score83
First: 06.06.2026 09:58
Last: 06.06.2026 09:58
Sources 1
About this happening:
The **Miasma** self-replicating supply-chain campaign has reached **73 Microsoft repositories** across **Azure**, **Azure-Samples**, **Microsoft**, and **MicrosoftDocs** on **GitH...
Miasma self-replicating supply chain attack campaign targeting open-source repositories
CampaignAbout this happening: The **Miasma** self-replicating supply-chain campaign has reached **73 Microsoft repositories** across **Azure**, **Azure-Samples**, **Microsoft**, and **MicrosoftDocs** on **GitH...
Claude Code GitHub Action bot trigger bypass security flaw
Vulnerability
H score31
First: 04.06.2026 18:15
Last: 04.06.2026 18:15
Sources 1
About this happening:
**Anthropic's Claude Code GitHub Action** had a **trigger-check bypass** that let a malicious **GitHub issue** escalate into **repository takeover** for vulnerable public reposito...
Claude Code GitHub Action bot trigger bypass security flaw
VulnerabilityAbout this happening: **Anthropic's Claude Code GitHub Action** had a **trigger-check bypass** that let a malicious **GitHub issue** escalate into **repository takeover** for vulnerable public reposito...
Timeline
-
22.04.2026 20:33 1 articles · 2mo ago
prt-scan campaign begins abusing pull_request_target
Exploitation ObservedThe prt-scan operation begins systematically targeting GitHub repositories that use the pull_request_target workflow trigger, searching for eligible projects, forking them, creating branches named prt-scan-{12-hex-chars}, injecting malicious payloads into CI-executed files, and stealing developer credentials when the workflow runs.
Show sources
- Self-Propagating Supply Chain Worm Hijacks npm Packages to Steal Developer Tokens — thehackernews.com — 22.04.2026 20:33
-
22.04.2026 20:33 2 articles · 2mo ago
Wiz discloses prt-scan campaign scope
Initial DisclosureWiz discloses that the prt-scan campaign has abused the pull_request_target GitHub Actions trigger since March 11, 2026, with more than 450 analyzed exploit attempts; most successful cases targeted small hobbyist projects and exposed only ephemeral GitHub credentials, while contributor approval requirements and other modern CI/CD controls helped protect higher-profile repositories.
Show sources
- Self-Propagating Supply Chain Worm Hijacks npm Packages to Steal Developer Tokens — thehackernews.com — 22.04.2026 20:33
- Self-Propagating Supply Chain Worm Hijacks npm Packages to Steal Developer Tokens — thehackernews.com — 22.04.2026 20:33