Tags: incident, high, Automated Exploitation, Supply Chain Attack, hackerbot-claw

Apr 04, 2026 • Wiz Security Research

Six Accounts, One Actor: Inside the prt-scan Supply Chain Campaign


Source: Wiz Security Research
Category: incident
Severity: high

Executive Summary

A new AI-powered supply chain campaign, identified as prt-scan, has been discovered exploiting the pull_request_target vulnerability within software development pipelines. This activity follows the previously observed hackerbot-claw campaign, indicating a persistent threat to CI/CD environments. The attacker used six distinct accounts to maintain operations, and the activity traces back three weeks before it was detected. The campaign highlights the growing risk of automated, AI-assisted attacks against source code repositories. Severity is rated high because of the potential for widespread software compromise. To mitigate similar supply chain intrusions, organizations are advised to audit their pull request workflows, restrict permissions on pull_request_target triggers, and monitor for anomalous account activity within their development environments. Immediate patching of CI/CD configurations is also recommended.
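One way to carry out the workflow audit recommended above, as an added example that is not code from Wiz or from the original page. It assumes GitHub Actions workflow YAML; the finding codes and both sample workflows are constructed for illustration, and the line-based checks are heuristics rather than a full YAML parse.

```python
import re

# Constructed sample workflows for illustration (not from any real repository).
RISKY = """\
on:
  pull_request_target:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: make test
"""
HARDENED = """\
on:
  pull_request_target:
    types: [opened]
permissions:
  contents: read
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - run: echo "metadata only, PR code is never checked out"
"""

def audit_workflow(text):
    """Heuristic line-based audit; returns finding codes for one workflow."""
    # Drop whole-line comments so a commented-out trigger is not flagged.
    body = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))
    if not re.search(r"\bpull_request_target\b", body):
        return []  # trigger absent: nothing to report
    findings = []
    # Untrusted PR head referenced (typically as the checkout ref).
    if re.search(r"github\.event\.pull_request\.head\.(sha|ref)\b", body):
        findings.append("references-pr-head")
    # No workflow-level permissions block: token scope falls back to the default.
    if not re.search(r"^permissions:", body, re.M):
        findings.append("no-top-level-permissions")
    # Explicit broad write access granted to the job token.
    if re.search(r"^\s*(permissions:\s*write-all|contents:\s*write)\b", body, re.M):
        findings.append("write-scope")
    return findings

if __name__ == "__main__":
    for name, wf in (("RISKY", RISKY), ("HARDENED", HARDENED)):
        print(name, audit_workflow(wf) or "no findings")
```

To audit a repository, call `audit_workflow` on the text of each file under `.github/workflows/` and review every workflow that returns a finding.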

Summary

After hackerbot-claw, another AI-powered campaign exploiting pull_request_target confirms the threat is here to stay. We trace the attacker back to three weeks before anyone noticed.


Linked Entities

  • hackerbot-claw