Key Takeaways
- Datadog Security Labs has identified multiple overlapping campaigns that systematically enumerate GitHub organizations, repositories, and user accounts via the GitHub API.
- Attackers combine automated scraping tools, dormant “ghost” accounts (created years ago and left inactive), and compromised legitimate accounts whose personal access tokens (PATs) or OAuth credentials have been exposed.
- Although most queries target public data and blend with normal API traffic, the aggregated activity enables threat actors to map an organization’s GitHub footprint and, in some cases, clone private repositories.
- The use of aged, low‑activity accounts helps evade detection by making malicious traffic appear benign.
- Organizations should enforce strict token hygiene, monitor anomalous API usage, limit unnecessary public exposure, and adopt anomaly‑detection controls to detect coordinated scraping across multiple accounts.
Overview of the Threat Activity
Datadog Security Labs issued a warning on July 9, 2026, detailing “several overlapping campaigns” that are conducting large‑scale reconnaissance of corporate GitHub footprints. The adversaries rely on automated scraping tooling that either masquerades as legitimate traffic through custom or innocuous‑sounding user agents or operates without authentication where the GitHub API permits it. By leveraging a combination of long‑dormant accounts and compromised credentials from legitimate users, the attackers can issue a high volume of API requests across many organizations while staying beneath typical anomaly‑detection thresholds.
Composition of the Attacker Toolkit
The campaign’s infrastructure consists of three main components: (1) purpose‑built or repurposed scanner scripts that iterate over GitHub endpoints, (2) over 50 “ghost” GitHub accounts that were created two to five years ago and deliberately left idle for extended periods, and (3) dozens of legitimate accounts whose personal access tokens (PATs) or OAuth tokens have been unintentionally leaked or otherwise compromised. The ghost accounts serve as low‑profile launchpads; because they exhibit minimal historical activity, their sudden surge of API calls does not trigger reputation‑based alerts. Compromised legitimate accounts, meanwhile, provide authenticated access that can bypass rate limits applied to unauthenticated requests, amplifying the attackers’ reach.
How Ghost Accounts Evade Detection
A notable tactic involves the deliberate aging of attacker‑controlled accounts. By creating accounts years in advance and allowing them to remain dormant, the operators ensure that any subsequent API traffic appears to originate from established, low‑risk profiles. When these accounts are finally weaponized, their request patterns blend with routine background noise—such as occasional repository checks or dependency look‑ups—making it difficult for static rule‑based systems to flag them as malicious. This “low‑and‑slow” approach also helps the attackers stay within GitHub’s per‑account rate limits while collectively generating a substantial volume of queries across numerous organizations.
Leveraging Compromised Tokens and OAuth Credentials
In addition to ghost accounts, the campaign exploits personal access tokens and OAuth tokens that have been inadvertently exposed—through public repositories, misconfigured CI/CD pipelines, or credential‑stealing malware. When a legitimate user’s token is compromised, the attacker can impersonate that user with full scope of permissions granted to the token, often including read access to private repositories and the ability to list organization members. Because the token appears valid and originates from a trusted account, the associated API calls succeed without raising immediate suspicion, further camouflaging the reconnaissance effort.
Specific API Enumeration Techniques Employed
The attackers systematically query a range of publicly accessible GitHub API endpoints to build a detailed map of target organizations. Commonly observed actions include: listing an organization’s public repositories, traversing a user’s followers and following lists, enumerating gists, starred repositories, and organization memberships, and executing GraphQL queries against public objects. Each of these calls returns JSON payloads that reveal relationships between users, projects, and contributions. By stitching together the data harvested from numerous accounts over weeks or months, the threat actors can reconstruct an organization’s internal development structure, identify key contributors, and pinpoint potentially valuable codebases.
Value of the Harvested Intelligence
The aggregated reconnaissance data enables attackers to conduct precise targeting. Knowing which repositories are public, which developers contribute to specific projects, and how individuals are interconnected within the GitHub social graph assists in crafting spear‑phishing campaigns, identifying weak points in dependency chains, or locating secrets inadvertently committed to code. In a subset of observed cases, the adversaries progressed beyond mere enumeration to actually clone private repositories belonging to a single organization. This transition indicates that the initial reconnaissance phase successfully identified high‑value targets, after which the attackers used the obtained credentials or exploited insufficient repository‑level protections to exfiltrate source code.
Challenges in Detecting the Campaign
Detecting this type of activity poses several difficulties. Individual API requests often appear benign: they hit public endpoints, may be unauthenticated or use valid tokens, and return successful HTTP 200 responses. Consequently, signature‑based or threshold‑alerting systems struggle to differentiate them from legitimate developer or CI/CD traffic. The distributed nature of the attack—spanning dozens of accounts, each issuing a modest number of requests—further dilutes any per‑account anomaly signal. Only by correlating activity across multiple accounts and observing temporal patterns (e.g., synchronized scanning over weeks) can security teams uncover the underlying campaign.
Recommendations for Defenders
Organizations should adopt a layered defense strategy to mitigate such enumeration and potential data‑exfiltration risks:
- Token Hygiene: Rotate PATs and OAuth credentials regularly, enforce least‑privilege scopes, and audit token usage via GitHub’s security logs.
- Monitoring Anomalous API Patterns: Deploy behavioral analytics that flag sudden increases in API calls from previously inactive accounts, cross‑account coordination, or unusual user‑agent strings.
- Limit Public Exposure: Review repository visibility settings, disable unnecessary public API endpoints where possible, and consider using GitHub’s Enterprise‑level IP allow‑listing for API access.
- Enforce MFA and Conditional Access: Require multi‑factor authentication for all accounts with API access and apply location‑ or device‑based conditional access policies to reduce the value of stolen tokens.
- Incident Response Playbooks: Develop procedures for investigating suspected token abuse, including token revocation, forensic review of cloned repositories, and notification of affected stakeholders.
Conclusion
The Datadog Security Labs alert underscores how adversaries are increasingly exploiting the openness of GitHub’s API to conduct stealthy, large‑scale reconnaissance. By combining aged ghost accounts with compromised credentials, threat actors can blend malicious traffic with legitimate usage, map organizational assets, and, in some cases, exfiltrate private code. While individual requests may evade traditional defenses, the coordinated, persistent nature of the campaign offers detectable signals when viewed through a holistic, behavior‑based lens. Proactive token management, vigilant API monitoring, and a zero‑trust stance toward service‑account credentials are essential steps for organizations seeking to safeguard their software supply chains against this evolving threat.

