A fast-moving campaign targeting open-source projects on GitHub has exposed how a familiar automation shortcut can become a supply-chain risk, after attackers used fake continuous integration updates to try to siphon secrets and access tokens from software repositories. Security researchers say the operation relied on malicious pull requests disguised as harmless build-configuration changes and exploited unsafe use of GitHub Actions workflows tied to the pullrequesttarget trigger.
The activity was publicly identified on 2 April 2026 and tied to a GitHub account using the handle ezmtebo, which researchers said opened more than 475 malicious pull requests within about 26 hours. Broader analysis from Wiz said the same actor, or the same operation, appears to have run six waves of activity dating back to 11 March, pushing the total well above 500 pull requests and indicating that the campaign was neither isolated nor improvised. That chronology matters because it suggests a repeatable method aimed at scale rather than a one-off stunt.
At the centre of the incident is a configuration pattern long flagged by GitHub and security specialists. The pullrequesttarget event runs in the context of the base repository, not the untrusted fork submitting the change. That means workflows can inherit access to repository secrets and a potentially powerful GITHUB_TOKEN. GitHub’s own guidance says such workflows should not check out, build or run untrusted code from pull requests, while GitHub Security Lab and the Open Source Security Foundation have warned for years that combining privileged triggers with code from forks can open the door to repository compromise.
Researchers examining the campaign said the malicious pull requests were dressed up to look routine, often using a commit message along the lines of “ci: update build configuration” and branches following a prt-scan- pattern. SafeDep said the payloads were adapted for different software ecosystems, including npm and Python, while Wiz described an evolution from basic shell-based theft to more language-aware and apparently AI-assisted payloads. The target list cited by researchers ranged from large corporate and developer-platform repositories to smaller hobbyist projects, illustrating how indiscriminate the operation had become.
The theft method itself was notable for its simplicity. SafeDep said one payload dumped environment variables and Git authentication data into CI logs, wrapping the output in identifiable markers so it could later be harvested automatically. From there, the script sought to extract the GITHUB_TOKEN, enumerate repository data and, in some cases, manipulate workflows and labels. Researchers said the campaign did not need external command-and-control infrastructure because exfiltration could be routed through GitHub’s own surfaces, including logs, comments and workflow behaviour. That lowered the attacker’s operational burden and made the activity harder to distinguish from normal developer traffic at first glance.
For maintainers, the implications extend beyond exposed credentials. OpenSSF has warned that privileged workflows running untrusted code can be used to alter check results, tamper with release artefacts or poison downstream software supply chains. GitHub’s CodeQL guidance similarly states that the safer pattern is to process untrusted pull requests under the plain pull_request trigger, where secrets are not exposed, and then hand off only the required results to a separate privileged workflow if necessary. In practical terms, the danger is not the existence of automation, but the mixing of automation, trust and attacker-controlled code in the same execution path.
GitHub has already made changes around pullrequesttarget. In a changelog published on 7 November 2025, the company said the event would always use the default branch for workflow source and reference from 8 December 2025, a change intended to reduce security-critical edge cases involving outdated workflows and unintended access to environment secrets. But GitHub also made clear that administrators still need to assess whether they should be using pullrequesttarget at all, restrict permissions, and ensure that user-controlled code cannot influence execution. That means the platform has narrowed some attack paths without removing the underlying risk created by poor workflow design.
The activity was publicly identified on 2 April 2026 and tied to a GitHub account using the handle ezmtebo, which researchers said opened more than 475 malicious pull requests within about 26 hours. Broader analysis from Wiz said the same actor, or the same operation, appears to have run six waves of activity dating back to 11 March, pushing the total well above 500 pull requests and indicating that the campaign was neither isolated nor improvised. That chronology matters because it suggests a repeatable method aimed at scale rather than a one-off stunt.
At the centre of the incident is a configuration pattern long flagged by GitHub and security specialists. The pullrequesttarget event runs in the context of the base repository, not the untrusted fork submitting the change. That means workflows can inherit access to repository secrets and a potentially powerful GITHUB_TOKEN. GitHub’s own guidance says such workflows should not check out, build or run untrusted code from pull requests, while GitHub Security Lab and the Open Source Security Foundation have warned for years that combining privileged triggers with code from forks can open the door to repository compromise.
Researchers examining the campaign said the malicious pull requests were dressed up to look routine, often using a commit message along the lines of “ci: update build configuration” and branches following a prt-scan- pattern. SafeDep said the payloads were adapted for different software ecosystems, including npm and Python, while Wiz described an evolution from basic shell-based theft to more language-aware and apparently AI-assisted payloads. The target list cited by researchers ranged from large corporate and developer-platform repositories to smaller hobbyist projects, illustrating how indiscriminate the operation had become.
The theft method itself was notable for its simplicity. SafeDep said one payload dumped environment variables and Git authentication data into CI logs, wrapping the output in identifiable markers so it could later be harvested automatically. From there, the script sought to extract the GITHUB_TOKEN, enumerate repository data and, in some cases, manipulate workflows and labels. Researchers said the campaign did not need external command-and-control infrastructure because exfiltration could be routed through GitHub’s own surfaces, including logs, comments and workflow behaviour. That lowered the attacker’s operational burden and made the activity harder to distinguish from normal developer traffic at first glance.
For maintainers, the implications extend beyond exposed credentials. OpenSSF has warned that privileged workflows running untrusted code can be used to alter check results, tamper with release artefacts or poison downstream software supply chains. GitHub’s CodeQL guidance similarly states that the safer pattern is to process untrusted pull requests under the plain pull_request trigger, where secrets are not exposed, and then hand off only the required results to a separate privileged workflow if necessary. In practical terms, the danger is not the existence of automation, but the mixing of automation, trust and attacker-controlled code in the same execution path.
GitHub has already made changes around pullrequesttarget. In a changelog published on 7 November 2025, the company said the event would always use the default branch for workflow source and reference from 8 December 2025, a change intended to reduce security-critical edge cases involving outdated workflows and unintended access to environment secrets. But GitHub also made clear that administrators still need to assess whether they should be using pullrequesttarget at all, restrict permissions, and ensure that user-controlled code cannot influence execution. That means the platform has narrowed some attack paths without removing the underlying risk created by poor workflow design.
Topics
Technology