Automation Gone Rogue: How Fake CI Updates Turned GitHub Actions Into a Secret-Stealing Machine
A sprawling, AI-fueled attack campaign exploited GitHub Actions misconfigurations to siphon secrets and compromise the software supply chain.
It started quietly: a pull request titled “ci: update build configuration” landed in the inboxes of hundreds of open source maintainers. The change looked routine - just another tweak to the continuous integration (CI) setup. But behind the familiar veneer lay an industrial-scale cyberattack, powered by automation and fueled by a critical GitHub Actions misconfiguration that exposed the beating heart of modern software development: its secrets.
Fast Facts
- Over 500 malicious pull requests were submitted in under a month, targeting both high-profile and hobbyist GitHub repositories.
- Attackers exploited the pull_request_target trigger, a common CI/CD setting that, when a workflow also checks out and runs the contributor's code, executes code from forks with access to sensitive repository secrets.
- AI-generated payloads adapted to different programming languages and project structures, automating attacks at machine speed.
- Stolen credentials included AWS keys, Cloudflare tokens, and npm package access, highlighting a growing supply chain risk.
- Success rate was low but impactful: at least two npm packages were compromised, and dozens of smaller projects were breached.
The Anatomy of an Automated Supply Chain Heist
The campaign, first publicly identified by security researcher Charlie Eriksen on April 2, 2026, was anything but spontaneous. For weeks, a threat actor operating under aliases like “ezmtebo” and “elzotebo” had been systematically hunting for repositories misusing GitHub’s pull_request_target workflow trigger. Unlike the ordinary pull_request trigger, which gives a fork’s pull request a read-only token and no secrets, pull_request_target runs the workflow in the context of the base repository, with its secrets, so that jobs can label or comment on incoming PRs. It is meant to run the repository’s own trusted workflow code; when a workflow using it also checks out and executes the contributor’s branch, that code runs with the full set of repository secrets - for anyone able to open a pull request.
Armed with this knowledge, the attacker’s playbook became a model of malicious efficiency. They scanned open repositories for the vulnerable trigger, forked the code, and created branches named in a predictable pattern (such as prt-scan-abcdef123456). Into files the CI job executes automatically - the scripts block of package.json for Node.js, or conftest.py, which pytest imports on startup, for Python - they injected payloads designed to exfiltrate secrets, enumerate credentials, and even publish tainted versions of npm packages if the right tokens were found.
The scale and sophistication were unmistakably artificial. The attack surged in six distinct waves, evolving from basic shell scripts to language-aware, AI-generated code that mimicked each project’s conventions. The automation didn’t just speed up the attack - it adapted to each repository’s structure, maximizing the odds of success.
Yet, the campaign’s ambition outpaced its understanding of GitHub’s security controls. Many payloads attempted actions - like bypassing label gates or creating new workflows - that their permissions simply didn’t allow, resulting in dead code. The attacker sometimes injected the wrong file types, revealing gaps in their automated analysis.
Supply Chain Risks and Lessons Learned
Despite the technical missteps, the campaign was far from harmless. At least two npm packages were compromised, and credentials for AWS, Cloudflare, and Netlify were confirmed stolen. In the broader context, the attack underscores how CI/CD pipelines have become lucrative targets for supply chain compromise, especially as attackers harness AI to scale their operations.
The most effective defenses were simple but crucial: requiring human review for first-time contributors, restricting workflow permissions, and carefully scoping secrets. Organizations that implemented these checks - like Sentry, OpenSearch, and NixOS - successfully blocked the attack, while others faced the costly aftermath of exposed secrets and poisoned package releases.
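As an added example that is not code from the article or from any of the projects it names, the block below puts a constructed vulnerable workflow (pull_request_target plus a checkout of the PR head, the pattern described above) beside a hardened one that applies the defenses just listed (a plain pull_request trigger, a pinned permissions block, no publish token in scope), and adds a small stdlib-only audit function that flags the misconfiguration in a workflow file. All three workflow texts are constructed samples, and the function and variable names are this example’s own choices, not a real tool’s API.

```python
"""Spot the pull_request_target misconfiguration this campaign targeted.

Added example, stdlib only. The three workflows below are constructed samples
for illustration; they are not taken from any repository the article names,
and the names used here (audit_workflow, VULNERABLE_WORKFLOW, ...) are assumptions.
"""
import re
from typing import List

# Constructed sample 1: the misconfiguration. pull_request_target runs in the
# base repository's context (secrets available), and the checkout step pulls
# the fork's head commit, so a malicious package.json script or conftest.py
# executes during `npm ci` / `pytest` with NPM_TOKEN in scope.
VULNERABLE_WORKFLOW = """\
name: ci
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm ci && npm test
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
"""

# Constructed sample 2: the same job hardened. A plain pull_request trigger
# gives fork PRs a read-only token and no secrets, permissions are pinned,
# and no publish token is exposed to untrusted code.
HARDENED_WORKFLOW = """\
name: ci
on:
  pull_request:
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test
"""

# Constructed sample 3: a second pattern worth flagging in a
# pull_request_target workflow, untrusted PR data interpolated into a shell step.
INJECTION_WORKFLOW = """\
on: pull_request_target
permissions:
  contents: read
jobs:
  greet:
    runs-on: ubuntu-latest
    steps:
      - run: echo "Thanks for ${{ github.event.pull_request.title }}"
"""

STEP_START = re.compile(r"^\s*-\s")
CHECKOUT = re.compile(r"uses:\s*actions/checkout")
# Refs that point at the contributor's commit rather than the base branch.
HEAD_REF = re.compile(r"github\.(?:event\.pull_request\.head\.(?:sha|ref)|head_ref)")
# PR fields a contributor fully controls; unsafe inside run: scripts.
UNTRUSTED = re.compile(
    r"github\.(?:event\.pull_request\.(?:title|body|head\.(?:ref|label))|head_ref)"
)


def _strip_comments(text: str) -> str:
    """Drop YAML comments so a commented-out trigger is not a false positive."""
    return re.sub(r"(?m)(^|\s)#.*$", r"\1", text)


def audit_workflow(text: str) -> List[str]:
    """Return human-readable findings for one workflow file's contents."""
    body = _strip_comments(text)
    findings: List[str] = []
    if not re.search(r"\bpull_request_target\b", body):
        return findings  # plain pull_request: forks get no secrets by design
    in_checkout = False
    for line in body.splitlines():
        if STEP_START.match(line):
            in_checkout = bool(CHECKOUT.search(line))  # new step begins
        elif CHECKOUT.search(line):
            in_checkout = True
        if in_checkout and re.search(r"\bref:", line) and HEAD_REF.search(line):
            findings.append(
                "pull_request_target checks out the PR head: fork code runs with repository secrets"
            )
        elif "${{" in line and UNTRUSTED.search(line) and not re.search(r"\bif:", line):
            findings.append(
                "pull_request_target interpolates untrusted PR data into a step (script injection)"
            )
    if not re.search(r"(?m)^permissions:", body):
        findings.append(
            "no top-level permissions: block; GITHUB_TOKEN gets the repository default scope"
        )
    return findings


if __name__ == "__main__":
    for name, wf in [("vulnerable", VULNERABLE_WORKFLOW),
                     ("hardened", HARDENED_WORKFLOW),
                     ("injection", INJECTION_WORKFLOW)]:
        print(name, audit_workflow(wf) or ["clean"])
```

The scanner is deliberately line-based and over-inclusive rather than a full YAML parser: in a pull_request_target workflow, any checkout of the contributor’s commit followed by a build or test step is the defect, regardless of how the file is laid out, and a false positive costs a minute of review while a miss costs the repository’s secrets. Run it over every file under .github/workflows; a clean result still does not replace a human review gate for first-time contributors.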
Conclusion
As automation accelerates both software development and cybercrime, the GitHub Actions attack serves as a stark warning: convenience can be a double-edged sword. In the race to innovate, vigilance against supply chain threats must remain a priority - or else the next “routine” update could be the breach that brings your codebase to its knees.
WIKICROOK
- Pull Request (PR): A pull request (PR) allows developers to propose and review code changes before merging into the main project, improving security and quality.
- CI/CD: CI/CD automates software testing and deployment, allowing teams to deliver code changes quickly, safely, and efficiently with minimal manual intervention.
- GitHub Actions: GitHub Actions automates tasks like testing and deploying code on GitHub. While boosting productivity, it can be misused if not properly secured.
- GITHUB_TOKEN: A GITHUB_TOKEN is a short-lived credential that GitHub creates automatically for each workflow run, letting the job read or change parts of the repository without a personal password; its permissions should be limited to what the job actually needs.
- Supply Chain Attack: A supply chain attack is a cyberattack that compromises trusted software or hardware providers, spreading malware or vulnerabilities to many organizations at once.