Full Report
After hackerbot-claw, another AI-powered campaign exploiting pull_request_target confirms the threat is here to stay. We trace the attacker back to three weeks before anyone noticed.
Analysis Summary
# Threat Actor: prt-scan Actor
## Attribution & Identity
The actor is an unidentified individual or group operating under multiple GitHub accounts. While no formal attribution to a known Advanced Persistent Threat (APT) group is made, the actor is linked to the following identities:
* **Primary Aliases:** `ezmtebo` (publicly identified), `testedbefore`, `beforetested-boop`, `420tb`, `69tf420`, `elzotebo`.
* **Associated Emails:**
* `testedbefore@proton[.]me`
* `testedbefore+89@proton[.]me`
* `testedbefore+55@proton[.]me`
* `testedbefore+99@proton[.]me`
* `elzotebo@proton[.]me`
* `elzotebo+88@proton[.]me`
* **Associations:** Similar in methodology to the AI-powered actor `hackerbot-claw`.
## Activity Summary
The "prt-scan" campaign spanned from March 11 to April 3, 2026, consisting of six distinct waves of activity. The actor targeted the software supply chain by exploiting GitHub Actions misconfigurations.
* **March 11–16 (Phase 1):** Probing small to medium repositories using raw shell scripts.
* **March 28–29 (Phase 2):** Scaling operations and transitioning to more structured 350+ line bash scripts for reconnaissance.
* **April 2–3 (Phase 3):** Rapid escalation using AI-generated, language-aware payloads, opening over 475 malicious Pull Requests (PRs) in a single 26-hour window.
## Tactics, Techniques & Procedures
* **Trigger Exploitation:** Specifically targets the `pull_request_target` workflow trigger, which allows malicious code from forks to access the base repository's secrets.
* **Automated Forking & Branching:** Automatically forks targets and creates branches using the pattern `prt-scan-{12-hex-chars}`.
* **Malicious Injection:** Injects payloads into files executed during CI/CD processes (e.g., `package.json`, `setup.py`, `Makefile`, `build.rs`, `conftest.py`).
* **AI-Generated Payloads:** Utilizes LLMs to generate context-aware code for different programming languages and "smart" file placement.
* **Multi-Stage Execution:**
* **RECON:** Enumerates secrets, GITHUB_TOKEN, and cloud metadata (AWS/Azure/GCP).
* **DISPATCH:** Creates temporary workflows to maintain persistence or escalate.
* **EXFIL:** Exfiltrates data via base64-encoded strings in workflow logs and PR comments.
* **Supply Chain Pivot:** If `NPM_TOKEN` is discovered, the actor attempts to publish malicious versions of existing packages.
## Targeting
* **Sectors:** Technology, Open Source Software, and general DevOps.
* **Geography:** Global (targeting GitHub-hosted repositories).
* **Victims:** Over 500 repositories targeted, ranging from individual hobbyists to high-profile organizations. At least two npm packages were successfully compromised.
## Tools & Infrastructure
* **Malware/Payloads:** `prt_exfil.sh` (a comprehensive 367-line reconnaissance and exfiltration script).
* **User Agent:** `python-requests/2.32.5`.
* **Infrastructure:**
* GitHub (as the primary attack platform).
* ProtonMail (for account registration).
* Cloud Metadata Services: `169.254.169[.]254`.
## Implications
The campaign demonstrates the lowering barrier to entry for complex supply chain attacks due to AI. The actor’s ability to generate language-specific payloads at scale allowed them to move from a single probe to hundreds of attacks in hours. However, the actor displayed a lack of understanding regarding GitHub’s specific security boundaries, suggesting that while AI can scale the *volume* of attacks, it does not yet replace deep architectural knowledge of the target system.
## Mitigations
* **Restrict GitHub Triggers:** Avoid using `pull_request_target` for untrusted code. If required, ensure the workflow does not check out or run code from the head repository without manual approval.
* **Secret Management:** Rotate any `NPM_TOKEN`, `AWS_ACCESS_KEY_ID`, or other secrets if a repository was targeted by a `prt-scan` branch.
* **Code Review:** Require "Approval for all outside collaborators" for GitHub Actions workflows.
* **Audit Logs:** Monitor GitHub audit logs for unusual branch creation patterns (e.g., `prt-scan-*`) and unexpected workflow runs.