Find notable cyber news and cases, enriched with sources, timelines, and signals.

Prt-scan GitHub Actions secret-theft campaign

Campaign
First reported
Last updated
Happening score
H score 44
1 unique sources, 1 articles

Summary

Hide ▲

The prt-scan campaign has been systematically abusing pull_request_target GitHub Actions workflows to steal developer secrets and, when possible, publish malicious package versions. The operation has been running since March 11, 2026 and has been linked to over 450 exploit attempts, with most successful cases hitting small hobbyist projects. Its significance is that a repeatable CI abuse pattern can turn repository automation into a path for credential theft and supply-chain follow-on compromise.

Related Happenings

Single organization's private GitHub repository cloned after confirmed access

Data Leak
H score12 First: 09.07.2026 21:38 Last: 09.07.2026 21:38 Sources 1

About this happening: **Confirmed access** to a **private GitHub repository** belonging to **one organization** marks a concrete **data exposure** and raises the risk of source-code or internal-content...

GitHub API enumeration campaign targeting corporate organizations

Campaign
H score17 First: 09.07.2026 21:38 Last: 09.07.2026 21:38 Sources 1

About this happening: A **GitHub API reconnaissance campaign** is systematically mapping **corporate organizations**, repositories, and user accounts across multiple companies, expanding the risk of fo...

Codfish/semantic-release-action hit by network compromise

Incident
H score21 First: 26.06.2026 14:05 Last: 26.06.2026 14:05 Sources 1

About this happening: The **codfish/semantic-release-action** GitHub Action was hit by a **malicious commit force-push** and **tag redirection** that caused trusted workflows to run attacker code. The...

Miasma self-replicating supply chain attack campaign targeting open-source repositories

Campaign
H score83 First: 06.06.2026 09:58 Last: 06.06.2026 09:58 Sources 1

About this happening: The **Miasma** self-replicating supply-chain campaign has reached **73 Microsoft repositories** across **Azure**, **Azure-Samples**, **Microsoft**, and **MicrosoftDocs** on **GitH...

Claude Code GitHub Action bot trigger bypass security flaw

Vulnerability
H score31 First: 04.06.2026 18:15 Last: 04.06.2026 18:15 Sources 1

About this happening: **Anthropic's Claude Code GitHub Action** had a **trigger-check bypass** that let a malicious **GitHub issue** escalate into **repository takeover** for vulnerable public reposito...

Timeline

  1. 22.04.2026 20:33 1 articles · 2mo ago

    prt-scan campaign begins abusing pull_request_target

    Exploitation Observed

    The prt-scan operation begins systematically targeting GitHub repositories that use the pull_request_target workflow trigger, searching for eligible projects, forking them, creating branches named prt-scan-{12-hex-chars}, injecting malicious payloads into CI-executed files, and stealing developer credentials when the workflow runs.

    Show sources
  2. 22.04.2026 20:33 2 articles · 2mo ago

    Wiz discloses prt-scan campaign scope

    Initial Disclosure

    Wiz discloses that the prt-scan campaign has abused the pull_request_target GitHub Actions trigger since March 11, 2026, with more than 450 analyzed exploit attempts; most successful cases targeted small hobbyist projects and exposed only ephemeral GitHub credentials, while contributor approval requirements and other modern CI/CD controls helped protect higher-profile repositories.

    Show sources