www.darkreading.com 4/6/2026, 10:33:55 PM

AI-driven GitHub attack hijacks pull requests, exposing NPM tokens

A Wiz analysis shows that the AI-assisted campaign, tracked as prt-scan, targeted repositories whose workflows are configured with GitHub’s pull_request_target trigger, in what appears to be a broad, automated operation. Researchers at Aikido Security first spotted the activity on 2 April 2026; Wiz’s follow-up traced the campaign back to around 11 March 2026, in six waves run by a single threat actor using six GitHub accounts.

The attackers opened more than 500 pull requests overall, but Wiz reports a 10% success rate: several small projects were exposed, while larger production environments largely remained untouched. At least two NPM packages were compromised during the campaign, which Wiz described as exposing ephemeral credentials rather than granting access to production infrastructure or persistent keys.

According to Wiz, the attackers forked repositories, created branches, inserted malicious code into routine-looking updates, and relied on the pull_request_target trigger, which runs the workflow in the context of the base repository, to execute hidden payloads. The report also warns that AI-augmented automation lets such misconfigurations be exploited rapidly and at scale, and emphasizes the need to harden GitHub environments.
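The misconfiguration Wiz describes can be screened for in a repository's own workflow files. The following is an added example, not code from the article, Wiz or Aikido: it uses stdlib regex heuristics over workflow YAML text (the pattern names, severity tiers and both sample workflows are constructed assumptions) to flag pull_request_target workflows that check out the untrusted pull-request head and then run an install step or expose secrets.

```python
import re
from dataclasses import dataclass

# Constructed sample workflows, not taken from the article or any real repo.
RISKY_WORKFLOW = """\
on:
  pull_request_target:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm install && npm test
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
"""
SAFE_WORKFLOW = """\
on: [pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test
"""
# Heuristic patterns over the raw YAML text (assumed; no YAML parser needed).
_PRT_TRIGGER = re.compile(r"(?m)^\s*-?\s*pull_request_target\s*:?\s*$|\bon:\s*\[[^\]]*\bpull_request_target\b")
_PR_HEAD_REF = re.compile(r"ref:\s*\$\{\{\s*github\.(event\.pull_request\.head\.(sha|ref)|head_ref)\s*\}\}")
_PKG_INSTALL = re.compile(r"\b(npm\s+(ci|install|i)|yarn|pnpm\s+install|pip\s+install)\b")
_SECRETS = re.compile(r"\$\{\{\s*secrets\.")

@dataclass(frozen=True)
class Finding:
    privileged_trigger: bool   # pull_request_target: job runs with base-repo secrets in scope
    checks_out_pr_head: bool   # untrusted fork code is checked out into that privileged job
    runs_install: bool         # an install step can execute lifecycle scripts from the PR
    uses_secrets: bool         # e.g. an NPM token is handed to those steps
    def severity(self) -> str:
        if not self.privileged_trigger:
            return "none"
        if not self.checks_out_pr_head:
            return "info"    # worth a review, but PR code is not executed here
        return "high" if (self.runs_install or self.uses_secrets) else "medium"

def audit_workflow(text: str) -> Finding:
    return Finding(bool(_PRT_TRIGGER.search(text)), bool(_PR_HEAD_REF.search(text)),
                   bool(_PKG_INSTALL.search(text)), bool(_SECRETS.search(text)))
```

Run it over every file under `.github/workflows/`; a "high" finding is the pattern to fix first, typically by switching to `pull_request` or by not checking out the PR head in a pull_request_target job.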


Article by CyberSIXT