Skip to content

GitHub APIs Exploited as Enterprise Reconnaissance Tools

Bottom line: Systematic GitHub API queries are increasingly used for corporate reconnaissance prior to attacks, as threat actors abuse public APIs and leverage dormant ghost accounts to mimic legitimate usage patterns.

Datadog Security Research documents a systematic pattern of GitHub API abuse that maps organizations and their members. The attacks exploit publicly accessible API surfaces and authentication gaps to penetrate development environments.

GitHub remains a preferred attack target because of its central position in the software supply chain. Threat actors gain access to three resources: source code, secrets (credentials), and pipelines for automating exploits. Over recent months, Datadog Security Research has documented a “sustained abuse pattern” extending over weeks, escalating from simple data queries to full repository clones. The core problem: these activities blend into normal API usage patterns.

The attacks do not originate from single actors, but rather from a mix of automated scanning tools with custom agents, abuse of leaked credentials, and coordinated networks of “burner” accounts (so-called ghost accounts). Threat actors typically use accounts that are two to five years old and have been inactive since; a multi-year history appears more legitimate than registrations from the current week. Furthermore, activities are confined to bursts of one to three weeks to avoid detection. Datadog identified over 50 such ghost accounts with names like “user432023”, “user412023”, or “kobalt*”.

A large portion of the GitHub API surface is deliberately accessible without authentication (public by design). This enables threat actors to create detailed maps of organizations, public repositories, members, interactions, and dependencies. GitHub logs geolocation data only for interactions with private repositories, not for external requests; this significantly impedes attribution via VPN/proxy tracking.

Attackers focus on two primary objectives: IP theft through unauthorized cloning of proprietary repositories to gain access to source code and hidden vulnerabilities; and discovery of default credentials in public repositories to compromise test environments and production systems. Some campaigns also leverage legitimate GitHub accounts with leaked OAuth tokens or Personal Access Tokens (PATs) whose accounts or API endpoints were exposed elsewhere.


Source: www.csoonline.com · Published 9 July 2026
Lumi AI News — AI-assisted curation pursuant to Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.3.

Share on: