Datadog Security Labs says multiple overlapping campaigns are using the GitHub API to systematically enumerate organizations, repositories, and user accounts, often with dormant βghostβ accounts or compromised tokens. In some cases, the activity moved beyond public data collection and included cloning a private repository, making the coordinated scraping effort more concerning. #GitHubAPI #DatadogSecurityLabs #ghostaccounts #OAuthtokens #PATs
Keypoints
- Multiple campaigns are enumerating GitHub organizations, repositories, and users through the GitHub API.
- Attackers use automated scraping tools with custom or legitimate-sounding user agents.
- Dormant GitHub βghostβ accounts and compromised OAuth tokens or PATs help hide the activity.
- Some requests target public endpoints, but one campaign also cloned a private repository.
- The activity can map organizational relationships, public repos, followers, memberships, and project activity.
Read More: https://thehackernews.com/2026/07/dormant-github-accounts-help-attackers.html