Key point: Attackers use dormant GitHub accounts and compromised tokens over years to map enterprise organizations without detection.
Datadog Security Labs warns of multiple coordinated campaigns systematically enumerating GitHub organizations, repositories and user accounts of enterprises via the GitHub API. Attackers use dormant ghost accounts inactive for years or compromised OAuth tokens.
Security researchers at Datadog Security Labs have documented multiple overlapping campaigns that automatically extract data from GitHub. The attackers rely on scraping tools with custom or legitimate-looking user agents and resort to so-called “ghost” accounts — old, long-inactive GitHub accounts that do not immediately appear suspicious.
This tactic enables attackers to disguise their activities in API usage and avoid being recognized as a threat. By enumerating organizational structures, public and private repositories, and user accounts, they gain a detailed overview of the target company’s technical infrastructure and personnel — a classic reconnaissance phase ahead of targeted attacks.
For security professionals, this means GitHub access must be monitored more closely. Recommended measures include reviewing OAuth token registrations, disabling unused personal access tokens, and monitoring unusual API access patterns — particularly those originating from old or inactive accounts.
Source: thehackernews.com · Published 9 July 2026
Lumi AI News — AI-assisted curation according to Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.3.