A new attack campaign is actively targeting open-source repositories on GitHub by hiding harmful code in normal-looking CI build configurations. The prt-scan campaign uses a common GitHub Actions trigger to steal sensitive tokens, credentials, and cloud secrets from developers who are unaware of what is happening.
The attack first occurred on March 11, 2026, when an attacker using the GitHub account testedbefore started sending malicious pull requests to small repositories. Every fake PR carried the same title, "ci: update build configuration," which made it easy for developers to miss the hidden threat. The attacker's constant search for new approaches suggests that both the tools and the strategies they use are becoming more advanced.
Across more than 450 analyzed exploit attempts, the campaign's overall success rate stayed below 10%, despite its wide reach. Most of the successful attacks hit small hobbyist projects and exposed temporary GitHub workflow tokens. Administrators must limit pull_request_target to approved contributors only, make sure that first-time contributors go through strict approval gates, and use actor-restricted or path-based workflow trigger conditions.
You need to quickly rotate all of your exposed credentials, such as AWS keys, npm tokens, and cloud API tokens. Make sure all of your other security measures are up to date.
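The trigger restrictions recommended above, written out as a workflow file. This is an added example, not configuration from the article or from any affected repository; the workflow name, job names, the src/** path, the ci/build.sh script and the external-pr-review environment are assumptions.

```yaml
# .github/workflows/pr-build.yml (hypothetical file name)
# Unrestricted form being replaced: a bare "on: pull_request_target"
# with no "if:" condition on the job, so it runs for any PR author.
name: pr-build

on:
  pull_request_target:
    types: [opened, synchronize, reopened]
    # Path-based condition: the workflow starts only when at least one
    # changed file matches. Assumed source layout.
    paths:
      - "src/**"

# Read-only GITHUB_TOKEN for every job unless a job overrides it.
permissions:
  contents: read

jobs:
  build-trusted:
    # Actor restriction: only authors already associated with the repository.
    if: >-
      github.event.pull_request.author_association == 'OWNER' ||
      github.event.pull_request.author_association == 'MEMBER' ||
      github.event.pull_request.author_association == 'COLLABORATOR'
    runs-on: ubuntu-latest
    steps:
      # On pull_request_target the default checkout is the base branch,
      # not the head of the pull request.
      - uses: actions/checkout@v4
        with:
          persist-credentials: false   # do not leave the token in .git/config
      - run: ./ci/build.sh             # assumed build script

  build-external:
    # Approval gate: first-time and other outside contributors wait until a
    # required reviewer approves the deployment to this environment.
    if: >-
      github.event.pull_request.author_association != 'OWNER' &&
      github.event.pull_request.author_association != 'MEMBER' &&
      github.event.pull_request.author_association != 'COLLABORATOR'
    runs-on: ubuntu-latest
    environment: external-pr-review    # assumed; required reviewers set in repo settings
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - run: ./ci/build.sh
```

The environment gate only holds if required reviewers are configured for that environment in the repository settings; the workflow file alone does not enforce it.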











