
Prt-scan GitHub Actions secret-theft campaign

Campaign
H score 50
1 unique source, 1 article

Summary


The prt-scan campaign has been systematically abusing pull_request_target GitHub Actions workflows to steal developer secrets and, when possible, publish malicious package versions. The operation has been running since March 11, 2026 and has been linked to over 450 exploit attempts, with most successful cases hitting small hobbyist projects. Its significance is that a repeatable CI abuse pattern can turn repository automation into a path for credential theft and supply-chain follow-on compromise.

Related Happenings

Megalodon GitHub CI/CD supply-chain campaign

Campaign
First: 22.05.2026 14:55 Last: 22.05.2026 14:55 Sources 1

About this happening: The **Megalodon** campaign pushed **5,718 malicious commits** into **5,561 GitHub repositories** in about **six hours**, creating a broad **CI/CD secret-theft** risk across develo...

GitHub hit by network compromise

Incident
First: 20.05.2026 07:01 Last: 20.05.2026 07:01 Sources 1

About this happening: GitHub is investigating unauthorized access to its internal repositories after a third party allegedly offered stolen material for sale on a cybercrime forum. The intrusion was li...

Latest development: 20.05.2026 13:45

GitHub detected unauthorized access tied to a poisoned Visual Studio Code (VS Code) extension on an employee device, removed the malicious extension version, isolated the endpoint, and began incident response to contain exposure across internal repositories.

Actions-cool/issues-helper hit by network compromise

Incident
First: 19.05.2026 08:28 Last: 19.05.2026 08:28 Sources 1

About this happening: The **actions-cool/issues-helper** GitHub Actions supply-chain compromise let malicious tags run in **CI/CD pipelines**, causing **credential theft** and downstream account risk....

TeamPCP opens its offensive framework to copycat supply-chain attackers

Threat Actor Meta
First: 19.05.2026 07:54 Last: 19.05.2026 07:54 Sources 1

About this happening: **TeamPCP** has started distributing its **offensive framework source code**, turning a single supply-chain operation into reusable tradecraft that other threat actors can adopt....

Shai-Hulud public GitHub repository credential exposure

Data Leak
First: 18.05.2026 20:28 Last: 18.05.2026 20:28 Sources 1

About this happening: **Shai-Hulud** stole **developer credentials** that were later exposed in **public GitHub repositories**, turning a theft phase into a public leak of access data. The exposed mate...

Timeline

  1. 22.04.2026 20:33 1 article · 1mo ago

    prt-scan campaign begins abusing pull_request_target

    Exploitation Observed

    The prt-scan operation begins systematically targeting GitHub repositories that use the pull_request_target workflow trigger, searching for eligible projects, forking them, creating branches named prt-scan-{12-hex-chars}, injecting malicious payloads into CI-executed files, and stealing developer credentials when the workflow runs.

  2. 22.04.2026 20:33 2 articles · 1mo ago

    Wiz discloses prt-scan campaign scope

    Initial Disclosure

    Wiz discloses that the prt-scan campaign has abused the pull_request_target GitHub Actions trigger since March 11, 2026, with more than 450 analyzed exploit attempts; most successful cases targeted small hobbyist projects and exposed only ephemeral GitHub credentials, while contributor approval requirements and other modern CI/CD controls helped protect higher-profile repositories.

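A triage sketch for maintainers, added here as an example and not taken from Wiz or any cited source: it flags pull requests whose head branch matches the prt-scan-{12-hex-chars} naming described in the timeline and ranks them higher when the repository has a workflow that runs on pull_request_target. The record keys (number, head_ref, from_fork), the severity labels and the sample data are assumptions made for illustration.

```python
import re

# Branch naming reported for the campaign: prt-scan-{12-hex-chars}.
# Assumption: hex digits are matched case-insensitively.
BRANCH_RE = re.compile(r"prt-scan-[0-9a-f]{12}", re.IGNORECASE)
TRIGGER_RE = re.compile(r"\bpull_request_target\b")


def uses_pull_request_target(workflow_text):
    """Text-level heuristic: the trigger name appears outside YAML comments."""
    for line in workflow_text.splitlines():
        code = line.split("#", 1)[0]  # naive comment strip, enough for triage
        if TRIGGER_RE.search(code):
            return True
    return False


def triage(pull_requests, workflows):
    """Return findings for PRs whose head branch matches the campaign pattern.

    pull_requests: list of dicts with hypothetical keys number/head_ref/from_fork.
    workflows: dict mapping workflow path -> workflow file text.
    """
    exposed = sorted(p for p, t in workflows.items() if uses_pull_request_target(t))
    findings = []
    for pr in pull_requests:
        if not BRANCH_RE.fullmatch(pr["head_ref"]):
            continue
        findings.append({
            "pr": pr["number"],
            "head_ref": pr["head_ref"],
            # The campaign abuses pull_request_target workflows from forks,
            # so rank a match higher when such a workflow exists.
            "severity": "high" if exposed and pr["from_fork"] else "review",
            "exposed_workflows": exposed,
        })
    return findings


# Constructed sample data, not taken from any real repository.
SAMPLE_WORKFLOWS = {
    ".github/workflows/label.yml": "on:\n  pull_request_target:\n    types: [opened]\njobs: {}\n",
    ".github/workflows/ci.yml": "# pull_request_target removed\non: [push, pull_request]\njobs: {}\n",
}
SAMPLE_PRS = [
    {"number": 101, "head_ref": "prt-scan-0a1b2c3d4e5f", "from_fork": True},
    {"number": 102, "head_ref": "fix/prt-scan-docs", "from_fork": True},
    {"number": 103, "head_ref": "prt-scan-0a1b2c3d4e5", "from_fork": True},  # 11 chars
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_PRS, SAMPLE_WORKFLOWS):
        print(finding)
```

A branch-name match is only a lead for review; the name is trivial for an operator to change, so the pull_request_target inventory is the more durable half of the check.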