PROBABLYPWNED
Threat IntelligenceJuly 10, 20264 min read

Attackers Weaponize 50+ Dormant GitHub Accounts to Map Corporate Repos

Datadog Security Labs exposes coordinated campaigns using aged 'ghost' accounts to enumerate organizations via GitHub API. Some attackers escalated from reconnaissance to cloning private repositories.

Alex Kowalski

Threat actors have been systematically mapping corporate GitHub organizations using a network of dormant accounts, some created years before being activated for reconnaissance. Datadog Security Labs published findings this week on what they describe as "several overlapping campaigns" exploiting GitHub's API to enumerate repositories, users, and organizational structures.

The campaigns operate at scale. Researchers identified over 50 dormant "ghost" accounts working alongside dozens of legitimate accounts with compromised personal access tokens. Most activity targeted public information, but some attackers successfully cloned private repositories.

The Ghost Account Technique

What makes these campaigns notable is operational patience. The accounts used for reconnaissance were created two to five years ago and left completely inactive before being weaponized. This aging process helps bypass heuristics that flag newly created accounts exhibiting automated behavior.

By appearing to be established users rather than fresh bot accounts, the operators blend into normal API traffic patterns. Individual requests look unremarkable—the signal emerges from the aggregate.

"A group of accounts moving in sync across companies' GitHub organizations with versioned custom tooling iterating over weeks," Datadog wrote. The coordination suggests organized reconnaissance rather than opportunistic scanning.

What's Being Enumerated

The campaigns query GitHub's public and authenticated API endpoints to gather:

  • Organization repository listings
  • User follower and following relationships
  • Gist and starred repository data
  • Organization membership information
  • GraphQL queries against public objects

This information feeds into organizational mapping. Understanding which developers work on which projects, who has write access to critical repositories, and how teams are structured is valuable intelligence for targeting subsequent attacks.

The fake payment SDK packages we covered yesterday show where this reconnaissance leads. Once attackers understand organizational structure and dependency patterns, they can craft convincing supply-chain attacks.

Escalation to Private Repository Access

While most observed activity stayed in reconnaissance mode, Datadog documented cases where attackers escalated to actually cloning private repositories. This indicates that some campaigns moved beyond information gathering to actual data theft.

The vector for private access likely involves compromised personal access tokens (PATs). Organizations frequently discover that developer tokens have leaked through exposed configuration files, CI/CD logs, or credential stuffing attacks. Attackers combining leaked PATs with their organizational mapping can identify high-value targets for the tokens they've obtained.

Detection Challenges

Traditional API abuse detection focuses on volume and velocity—too many requests too fast triggers alerts. These campaigns deliberately avoid that pattern by distributing requests across many accounts and throttling to blend with legitimate traffic.

"Individually, most of these requests are unremarkable," Datadog noted. The threat lies in coordination that's invisible to single-account monitoring.

Organizations should consider:

  1. Monitoring API access patterns — Look for accounts that only query organizational metadata without ever pushing code
  2. Auditing PAT usage — Review which tokens have accessed repositories recently and from what IPs
  3. Implementing organization-wide visibility — GitHub Enterprise provides audit logs that can surface coordinated enumeration
  4. Reviewing external collaborator access — Ghost accounts may appear as legitimate external collaborators

Why This Matters

GitHub has become the de facto source-of-truth for how software organizations work. Repository structures, team memberships, and commit patterns reveal operational details that attackers can weaponize.

The ChocoPOC campaign targeting security researchers through fake exploit repositories demonstrates one endpoint of this reconnaissance. Know who works on security tooling, craft a convincing repository, and wait for targets to clone it.

Coordinated reconnaissance infrastructure suggests professionalization. Building and aging dozens of accounts over years requires planning and resources beyond typical opportunistic attacks. Whether this represents nation-state operations, sophisticated criminal groups, or commercial surveillance vendors remains unclear.

Datadog's full analysis includes additional technical indicators for organizations wanting to assess their own exposure.

Related Articles