SecurityWeek

Ghost Accounts Abuse GitHub API in Mass Recon Campaign


Threat actors are abusing the GitHub API to systematically enumerate organizations, repositories, and user accounts, Datadog reports.

Spanning multiple overlapping campaigns, the activity has been ongoing for several months, relying on ghost accounts that were registered two to five years ago but left dormant.

The activity, Datadog says, involves automated scanners, the abuse of leaked credentials, and coordinated networks of dormant accounts.

While the observed GitHub API requests are targeting publicly available data, blending with normal traffic, the continuous activity that in some cases escalated to the attackers cloning discovered repositories raises concern.

“A large share of GitHub’s API surface is reachable without authentication. Listing an organization’s public repositories, walking a user’s followers and following lists, enumerating gists, starred repos, and org memberships, and running GraphQL queries against public objects all return data,” Datadog explains.

Requests against these public paths generate HTTP 200 responses and no authentication failure signals. Through normal API traffic, an operator can use this to map an organization, its members, and the projects they access.

Advertisement. Scroll to continue reading.

Since at least October 2025, over 50 ghost accounts have been used to send API traffic as part of the enumeration, usually in bursts of 1 to 3 weeks, across multiple organizations.

The accounts have been using user agents named to sound like data exfiltration, analytics, or dashboard tools. Most of the requests have been targeting GraphQL, while others have been aimed at REST routes.

“On its own, this enumeration rarely produces meaningful access inside an organization, rather it’s accomplishing reconnaissance,” Datadog notes.

One campaign was also seen using inadvertently exposed tokens from legitimate GitHub users, targeting private repository commit paths from dozens of legitimate accounts over a window of several minutes.

In rare cases, the attackers moved beyond reconnaissance and successfully exfiltrated data from the targeted organizations, Datadog says.

To detect this type of malicious activity, the cybersecurity firm notes, defenders should look for data exfiltration from private repositories, and should check logs for anomalous user agent behavior and for user agent naming and versioning in actions that reach private repositories.

“User agents, event activity, and actor names are vital clues to unauthorized activity in your environment. It’s important to know what normal looks like in your environment. We suggest enabling GitHub audit log streaming, baselining your user agents, proactively threat hunting, and developing detections unique to your GitHub organization,” Datadog notes.

Related: Network of 200 GitHub Repositories Used for Malware Infection

Related: China, India-Linked Hackers Both Targeted Same Pakistani Police Force

Related: Okta Warns of Vishing Attacks Targeting Microsoft 365 Customers

Related: Chinese Framework Powers 200,000 Scam Sites



Source link