PRT-scan is the second campaign in recent months where a threat actor appears to have leveraged AI for automated targeting of a widespread GitHub misconfiguration.
A threat actor appears to have used AI-assisted automation to make hundreds of exploit attempts against open source software repositories on GitHub.
Fewer than 10% of the more than 450 exploitation attempts that cloud security vendor Wiz analyzed were successful, though the attacker did manage to compromise at least two NPM packages. The activity was first spotted on April 2 by Aikido Security research Charlie Eriksen. However, a subsequent investigation by Wiz found the campaign began about three weeks earlier on March 11 and unfolded in six waves using six different GitHub accounts that researchers linked to a single threat actor.
The hackerbot-claw campaign was shorter, more targeted and hit high-profile repos. In contrast, prt-scan, according to Wiz, appears to have been much broader, with the threat actor opening significantly more than 500 pull requests targeting both small and large projects on GitHub, but with less success.
"In most cases, successful attacks were against small hobbyist projects, and only exposed ephemeral GitHub credentials for the workflow," Wiz researchers wrote in a report published Saturday. "For the most part, this campaign did not grant the attacker access to production infrastructure, cloud credentials, or persistent API keys, barring minor exceptions. "However, the broader takeaway — and warning — for organizations is how AI-augmented automation has made it easier for attackers to launch large scale supply chain attacks, the security vendor warned. Low-sophistication attackers can launch new campaigns across hundreds of targets in a fraction of the time and with a fraction of the effort it required previously, Wiz said. Developers use pull requests to propose changes to a project on GitHub so that the project maintainers can review, discuss, and merge them into the main code. The pull_request_target trigger in GitHub Actions automatically runs workflows in the main repository whenever a pull request is submitted, even from an untrusted fork.
Because the action runs with full repository permissions and can access its secrets, an attacker could use a malicious pull request to steal API keys or credentials. The trigger is a well understood and well documented misconfiguration when used on untrusted pull requests without any restrictions, Wiz noted.
The security vendor's analysis showed prt-scan activity beginning on March 11 when the threat actor opened 10 malicious pull requests as part of appeared to be a testing phase that continued through March 16. Then, after a nearly two-week break, the attacker resumed opening malicious pull requests at a velocity that suggested use of AI-enabled automation, Wiz said. Starting April 2, over a 26-hour period the attacker opened some 475 pull requests containing a sophisticated payload for stealing credentials.
Interestingly though, despite the payload's ambitious design, the actual attack implementation was sloppy and suggested that the attacker did not fuly understand GitHb's permissions model, Wiz said. "The attacker attempted a sophisticated multi-phase payload but filled it with techniques that feel illogical to an expert and would rarely work in practice," the security vendor said.
Despite the flawed approach, Wiz said the 10% success rate still led to dozens of compromises. The researchers included indicators of compromise (IoCs) for the prt-scan campaign and urged organizations to harden their GitHub environments to prevent such attacks.
A threat actor appears to have used AI-assisted automation to make hundreds of exploit attempts against open source software repositories on GitHub.
Fewer than 10% of the more than 450 exploitation attempts that cloud security vendor Wiz analyzed were successful, though the attacker did manage to compromise at least two NPM packages. The activity was first spotted on April 2 by Aikido Security research Charlie Eriksen. However, a subsequent investigation by Wiz found the campaign began about three weeks earlier on March 11 and unfolded in six waves using six different GitHub accounts that researchers linked to a single threat actor.
Second AI-Augmented Supply Chain Campaign
The campaign, which Wiz tracks as "prt-scan," is the second in recent weeks in which a threat actor appears to have used AI-assisted automation to target repositories configured with the pull_request_target workflow trigger on GitHub. It follows the late-February “hackerbot-claw” campaign, which used malicious pull requests exploiting the same feature to steal GitHub tokens, secrets, environment variables, and cloud credentials.The hackerbot-claw campaign was shorter, more targeted and hit high-profile repos. In contrast, prt-scan, according to Wiz, appears to have been much broader, with the threat actor opening significantly more than 500 pull requests targeting both small and large projects on GitHub, but with less success.
"In most cases, successful attacks were against small hobbyist projects, and only exposed ephemeral GitHub credentials for the workflow," Wiz researchers wrote in a report published Saturday. "For the most part, this campaign did not grant the attacker access to production infrastructure, cloud credentials, or persistent API keys, barring minor exceptions. "However, the broader takeaway — and warning — for organizations is how AI-augmented automation has made it easier for attackers to launch large scale supply chain attacks, the security vendor warned. Low-sophistication attackers can launch new campaigns across hundreds of targets in a fraction of the time and with a fraction of the effort it required previously, Wiz said. Developers use pull requests to propose changes to a project on GitHub so that the project maintainers can review, discuss, and merge them into the main code. The pull_request_target trigger in GitHub Actions automatically runs workflows in the main repository whenever a pull request is submitted, even from an untrusted fork.
Because the action runs with full repository permissions and can access its secrets, an attacker could use a malicious pull request to steal API keys or credentials. The trigger is a well understood and well documented misconfiguration when used on untrusted pull requests without any restrictions, Wiz noted.
A Flawed Attack Chain
The attacker's playbook in the prt-scan campaign is to first scan for repositories using the pull_request_target trigger in GitHub Actions. They then fork those repositories, create a branch, hide malicious code inside what appears to be a routine update, and then trick the project into running it automatically. The threat actors that access to steal sensitive data or spread malware, Wiz said.The security vendor's analysis showed prt-scan activity beginning on March 11 when the threat actor opened 10 malicious pull requests as part of appeared to be a testing phase that continued through March 16. Then, after a nearly two-week break, the attacker resumed opening malicious pull requests at a velocity that suggested use of AI-enabled automation, Wiz said. Starting April 2, over a 26-hour period the attacker opened some 475 pull requests containing a sophisticated payload for stealing credentials.
Interestingly though, despite the payload's ambitious design, the actual attack implementation was sloppy and suggested that the attacker did not fuly understand GitHb's permissions model, Wiz said. "The attacker attempted a sophisticated multi-phase payload but filled it with techniques that feel illogical to an expert and would rarely work in practice," the security vendor said.
Despite the flawed approach, Wiz said the 10% success rate still led to dozens of compromises. The researchers included indicators of compromise (IoCs) for the prt-scan campaign and urged organizations to harden their GitHub environments to prevent such attacks.