Researchers from the JFrog Security Research team have identified 13 vulnerabilities in widely used GitHub repositories using an AI-powered research tool called RepoHunter, preventing potential large-scale software supply chain attacks.
The vulnerabilities, known as “Pwn Requests,” could have allowed malicious actors to exfiltrate sensitive credentials such as signing keys, cloud access credentials and deployment tokens. If exploited, the flaws could have enabled attackers to compromise software supply chains and distribute malicious code to millions — potentially billions — of users.
Among the affected projects were frameworks supporting WeChat Pay, which serves around 1.4 billion users, as well as components involved in the JavaScript standardisation process (tc39) and widely used developer tools such as Ansible.
JFrog said the findings demonstrate how AI is increasingly being used not only by defenders but also by threat actors searching for weaknesses in open-source ecosystems. In response, the company developed RepoHunter to proactively scan repositories and identify vulnerabilities before they can be exploited.
The research comes amid growing concern over software supply chain attacks following incidents such as the Shai-Hulud worm and the S1ngularity attack, both of which exploited weaknesses in continuous integration (CI) pipelines to inject malicious code and extract sensitive information.
According to JFrog, the newly discovered vulnerabilities affected CI workflows in major development projects that underpin global financial systems, artificial intelligence infrastructure and widely used developer tools.
By identifying and reporting the issues before they were exploited, the research team prevented potential attacks that could have impacted critical software infrastructure relied upon by organisations and developers worldwide.
The findings highlight the increasing importance of securing open-source development pipelines as automated tools — both malicious and defensive — begin to play a larger role in identifying and exploiting vulnerabilities within software ecosystems.