"Operators rely on automated scraping tooling with custom or legitimate-sounding user agents, leveraging GitHub 'ghost' accounts that are often years old, or compromised OAuth tokens and personal access tokens (PATs) from legitimate users," Julie Agnes Sparks, senior security engineer at Datadog, said.
Datadog Security Labs outlines coordinated enumeration campaigns
Datadog Security Labs described "several overlapping campaigns" that systematically enumerate corporate GitHub organizations, repositories and user accounts through the GitHub API. The activity is mostly aimed at public data but, in select cases, has gone beyond reconnaissance: Datadog confirmed attackers successfully cloned a private repository belonging to a single organization.
Ghost accounts: dormant, aged two to five years, then weaponized
Datadog's alert highlights a persistent tradecraft detail: the attackers used more than 50 dormant or "ghost" accounts that were created two to five years ago and left inactive for long periods before being reactivated to issue API traffic. That age and inactivity is purposeful. Rather than creating new accounts and immediately issuing high-volume requests, the campaigns lean on older accounts to reduce the chance of raising suspicion.
GitHub API enumeration techniques and the problem of unauthenticated surface area
Because much of GitHub's API surface can be reached without authentication, the campaigns return useful information while appearing routine. Datadog lists the kinds of queries observed: listing an organization's public repositories; walking a user's followers and following lists; enumerating gists, starred repositories, and organization memberships; and running GraphQL queries against public objects. Individually, these requests "hit public endpoints, authenticate cleanly or not at all, and return successful responses," Datadog said — the concern, the company added, "lies in the aggregate."
Use of compromised tokens, custom tooling, and synchronized scanning
The activity combines automated scanner tools, more than 50 dormant accounts, and "dozens of legitimate accounts" whose personal access tokens (PATs) were exposed unintentionally or compromised by other means. Datadog observed actors moving in sync across multiple companies' GitHub organizations with "versioned custom tooling iterating over weeks." The campaigns used custom or legitimate-sounding user agents to blend API calls into expected patterns.
Private cloning confirmed; reconnaissance can escalate to data access
While most observed traffic was limited to public endpoints, Datadog confirmed data access in a few scenarios where attackers cloned private repositories. That progression — enumeration followed, in at least one instance, by cloning — underscores the distinction the firm drew between single requests that look unremarkable and coordinated, repeated activity that yields actionable access.
What this means for technologists, enterprise leaders, and maintainers
- Technologists and security teams will watch for synchronized API activity across organizations and for reuse of aged accounts that suddenly become active; they will also note the role of compromised OAuth tokens and PATs as enablers of deeper access.
- Enterprise and procurement leaders will need to account for unexpected exposure vectors beyond standard perimeter controls, given that attackers can programmatically map membership, repo activity, and social links from public endpoints.
- Open-source maintainers and developers should be aware that public traces — followers, starred projects, gists and GraphQL-accessible objects — can be collected at scale and used to assemble organizational topology and potential targets.
Datadog's finding is simple and stark: many single API queries are unremarkable on their face, but when a cohort of aged or compromised accounts moves in concert with custom scanners over weeks, the pattern becomes reconnaissance with teeth. The campaigns rely on blending into the expected noise of public API traffic while keeping the door open — via exposed tokens or targeted escalations — to private cloning. That gap between "unremarkable" requests and aggregated, coordinated scraping is the operational problem that the affected organizations now face.
Original reporting: https://thehackernews.com/2026/07/dormant-github-accounts-help-attackers.html




