Attackers Weaponize 50+ Dormant GitHub Accounts to Map Corporate Repos
Datadog Security Labs exposes coordinated campaigns using aged 'ghost' accounts to enumerate organizations via GitHub API. Some attackers escalated from reconnaissance to cloning private repositories.
Threat actors have been systematically mapping corporate GitHub organizations using a network of dormant accounts, some created years before being activated for reconnaissance. Datadog Security Labs published findings this week on what they describe as "several overlapping campaigns" exploiting GitHub's API to enumerate repositories, users, and organizational structures.
The campaigns operate at scale. Researchers identified over 50 dormant "ghost" accounts working alongside dozens of legitimate accounts with compromised personal access tokens. Most activity targeted public information, but some attackers successfully cloned private repositories.
The Ghost Account Technique
What makes these campaigns notable is operational patience. The accounts used for reconnaissance were created two to five years ago and left completely inactive before being weaponized. This aging process helps bypass heuristics that flag newly created accounts exhibiting automated behavior.
By appearing to be established users rather than fresh bot accounts, the operators blend into normal API traffic patterns. Individual requests look unremarkable—the signal emerges from the aggregate.
"A group of accounts moving in sync across companies' GitHub organizations with versioned custom tooling iterating over weeks," Datadog wrote. The coordination suggests organized reconnaissance rather than opportunistic scanning.
What's Being Enumerated
The campaigns query GitHub's public and authenticated API endpoints to gather:
- Organization repository listings
- User follower and following relationships
- Gist and starred repository data
- Organization membership information
- GraphQL queries against public objects
This information feeds into organizational mapping. Understanding which developers work on which projects, who has write access to critical repositories, and how teams are structured is valuable intelligence for targeting subsequent attacks.
The fake payment SDK packages we covered yesterday show where this reconnaissance leads. Once attackers understand organizational structure and dependency patterns, they can craft convincing supply-chain attacks.
Escalation to Private Repository Access
While most observed activity stayed in reconnaissance mode, Datadog documented cases where attackers escalated to actually cloning private repositories. This indicates that some campaigns moved beyond information gathering to actual data theft.
The vector for private access likely involves compromised personal access tokens (PATs). Organizations frequently discover that developer tokens have leaked through exposed configuration files, CI/CD logs, or credential stuffing attacks. Attackers combining leaked PATs with their organizational mapping can identify high-value targets for the tokens they've obtained.
Detection Challenges
Traditional API abuse detection focuses on volume and velocity—too many requests too fast triggers alerts. These campaigns deliberately avoid that pattern by distributing requests across many accounts and throttling to blend with legitimate traffic.
"Individually, most of these requests are unremarkable," Datadog noted. The threat lies in coordination that's invisible to single-account monitoring.
Organizations should consider:
- Monitoring API access patterns — Look for accounts that only query organizational metadata without ever pushing code
- Auditing PAT usage — Review which tokens have accessed repositories recently and from what IPs
- Implementing organization-wide visibility — GitHub Enterprise provides audit logs that can surface coordinated enumeration
- Reviewing external collaborator access — Ghost accounts may appear as legitimate external collaborators
Why This Matters
GitHub has become the de facto source-of-truth for how software organizations work. Repository structures, team memberships, and commit patterns reveal operational details that attackers can weaponize.
The ChocoPOC campaign targeting security researchers through fake exploit repositories demonstrates one endpoint of this reconnaissance. Know who works on security tooling, craft a convincing repository, and wait for targets to clone it.
Coordinated reconnaissance infrastructure suggests professionalization. Building and aging dozens of accounts over years requires planning and resources beyond typical opportunistic attacks. Whether this represents nation-state operations, sophisticated criminal groups, or commercial surveillance vendors remains unclear.
Datadog's full analysis includes additional technical indicators for organizations wanting to assess their own exposure.
Related Articles
Operation HookedWing: 4-Year Phishing Campaign Hit 500+ Organizations
SOCRadar documents a persistent phishing operation that stole 2,000+ credentials from aviation, energy, and government sectors over four years using GitHub-hosted infrastructure.
May 11, 2026North Korea Uses GitHub as C2 in South Korea Attacks
FortiGuard Labs exposes DPRK campaign using LNK files and GitHub repositories for command-and-control against South Korean targets. 22 evasion techniques identified.
Apr 3, 2026Attackers Mapped 91,000+ AI Endpoints in Mass Recon Campaign
GreyNoise honeypot data reveals coordinated reconnaissance of LLM infrastructure including OpenAI, Claude, and Ollama deployments over 11 days.
Jan 14, 2026Ransomware Negotiator Who Fed Intel to BlackCat Gets 70 Months
Angelo Martino leaked client insurance limits and negotiation strategies to the ransomware gang he was hired to negotiate against. Federal court sentences the double agent to nearly six years.
Jul 10, 2026