Dormant GitHub Accounts Help Attackers Blend In While Mapping Corporate Orgs

Dormant GitHub Accounts Help Attackers Blend In While Mapping Corporate Orgs
Datadog Security Labs says multiple overlapping campaigns are using the GitHub API to systematically enumerate organizations, repositories, and user accounts, often with dormant β€œghost” accounts or compromised tokens. In some cases, the activity moved beyond public data collection and included cloning a private repository, making the coordinated scraping effort more concerning. #GitHubAPI #DatadogSecurityLabs #ghostaccounts #OAuthtokens #PATs

Keypoints

  • Multiple campaigns are enumerating GitHub organizations, repositories, and users through the GitHub API.
  • Attackers use automated scraping tools with custom or legitimate-sounding user agents.
  • Dormant GitHub β€œghost” accounts and compromised OAuth tokens or PATs help hide the activity.
  • Some requests target public endpoints, but one campaign also cloned a private repository.
  • The activity can map organizational relationships, public repos, followers, memberships, and project activity.

Read More: https://thehackernews.com/2026/07/dormant-github-accounts-help-attackers.html