HackMyIP
← Back to News
2026-07-09 The Hacker News

Dormant GitHub Accounts Weaponized for Corporate Reconnaissance via API Scraping

Supply ChainThreat IntelCloud Security

Datadog Security Labs is sounding the alarm over a coordinated series of campaigns that systematically enumerate corporate GitHub organizations, repositories, and user accounts through the GitHub API. According to Julie Agnes Sparks, senior security engineer at Datadog, operators rely on automated scraping tooling paired with custom or legitimate-sounding user agents, leveraging so-called GitHub "ghost" accounts that are often years old, or compromised OAuth tokens and personal access tokens (PATs) harvested from legitimate users. While most of the activity targets public data, Datadog has confirmed select cases where attackers escalated beyond public enumeration to successfully clone private repositories.

The campaign blends over 50 dormant accounts with dozens of legitimate accounts whose personal access tokens were unintentionally exposed or otherwise compromised. What makes the ghost accounts distinctive is their operational discipline: they were created two to five years ago and left inactive for long stretches before being weaponized to issue API traffic across multiple organizations. This long-dormancy strategy is designed to pass automated abuse detection and blend into normal API usage, as opposed to newly created accounts that would immediately trigger rate-limiting or behavioral anomalies. Organizations concerned about their own external exposure surface can run a privacy checkup to see what metadata and infrastructure data is publicly visible.

The enumeration queries exploit a significant portion of GitHub's API surface that is reachable without authentication, returning actionable data while remaining difficult to distinguish from legitimate traffic. Techniques observed include listing an organization's public repositories, walking a user's followers and following lists, enumerating gists and starred repos, and running GraphQL queries against public objects. Threat actors use this data to programmatically map an organization's GitHub-related activity, identifying key contributors, project relationships, and supply chain dependencies. To better understand the network infrastructure tied to suspicious actors, security teams can correlate findings with a WHOIS lookup on associated domains.

"Individually, most of these requests are unremarkable. They hit public endpoints, authenticate cleanly or not at all, and return successful responses," Datadog noted. The real concern lies in aggregate behavior: synchronized account activity across multiple organizations, versioned custom tooling iterating over weeks, and in the worst cases, actors that transitioned from passive enumeration to active cloning of private code. With exposed PATs a recurring entry vector, developers should routinely audit their tokens and verify whether credentials have surfaced in known collections using an email breach checker to catch compromised accounts before they are weaponized against their organizations.

Source: The Hacker News →

Related Tools

Check whether this kind of story affects you — free, no signup:

My IP →IP Lookup →Privacy Checkup →

Related Guides

Learn the background behind this story:

What is my IP and why it matters →IP address security →How to stop being tracked online →