Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Ghost Accounts Abuse GitHub API in Mass Recon Campaign

Multiple campaigns are using ghost accounts to map GitHub organizations, including their repositories and members.

Software security

Threat actors are abusing the GitHub API to systematically enumerate organizations, repositories, and user accounts, Datadog reports.

Spanning multiple overlapping campaigns, the activity has been ongoing for several months, relying on ghost accounts that were registered two to five years ago but left dormant.

The activity, Datadog says, involves automated scanners, the abuse of leaked credentials, and coordinated networks of dormant accounts.

While the observed GitHub API requests are targeting publicly available data, blending with normal traffic, the continuous activity that in some cases escalated to the attackers cloning discovered repositories raises concern.

“A large share of GitHub’s API surface is reachable without authentication. Listing an organization’s public repositories, walking a user’s followers and following lists, enumerating gists, starred repos, and org memberships, and running GraphQL queries against public objects all return data,” Datadog explains.

Requests against these public paths generate HTTP 200 responses and no authentication failure signals. Through normal API traffic, an operator can use this to map an organization, its members, and the projects they access.

Advertisement. Scroll to continue reading.

Since at least October 2025, over 50 ghost accounts have been used to send API traffic as part of the enumeration, usually in bursts of 1 to 3 weeks, across multiple organizations.

The accounts have been using user agents named to sound like data exfiltration, analytics, or dashboard tools. Most of the requests have been targeting GraphQL, while others have been aimed at REST routes.

“On its own, this enumeration rarely produces meaningful access inside an organization, rather it’s accomplishing reconnaissance,” Datadog notes.

One campaign was also seen using inadvertently exposed tokens from legitimate GitHub users, targeting private repository commit paths from dozens of legitimate accounts over a window of several minutes.

In rare cases, the attackers moved beyond reconnaissance and successfully exfiltrated data from the targeted organizations, Datadog says.

To detect this type of malicious activity, the cybersecurity firm notes, defenders should look for data exfiltration from private repositories, and should check logs for anomalous user agent behavior and for user agent naming and versioning in actions that reach private repositories.

“User agents, event activity, and actor names are vital clues to unauthorized activity in your environment. It’s important to know what normal looks like in your environment. We suggest enabling GitHub audit log streaming, baselining your user agents, proactively threat hunting, and developing detections unique to your GitHub organization,” Datadog notes.

Related: Network of 200 GitHub Repositories Used for Malware Infection

Related: China, India-Linked Hackers Both Targeted Same Pakistani Police Force

Related: Okta Warns of Vishing Attacks Targeting Microsoft 365 Customers

Related: Chinese Framework Powers 200,000 Scam Sites

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

BlueVoyant has appointed Ravi Subramanian as CFO and Jamie Coleman as CCO.

Solana Foundation has appointed Michael Coates as Chief Information Security Officer.

Michael Sikorski has joined Coinbase as Chief Information Security Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.