Ghost Accounts Abuse GitHub API in Mass Recon Campaign

Ghost Accounts Abuse GitHub API in Mass Recon Campaign

Threat actors are abusing the GitHub API with dormant ghost accounts, leaked credentials, and automated scanners to enumerate organizations, repositories, and user accounts over several months. In some cases, the activity escalated from reconnaissance to cloning repositories and exfiltrating data from targeted organizations. #GitHubAPI #Datadog

Keypoints

  • Attackers are using the GitHub API to map public organizations, repositories, and user accounts.
  • More than 50 dormant ghost accounts have been involved since at least October 2025.
  • The activity blends into normal traffic by using user agents that mimic legitimate tools.
  • Some campaigns abused leaked tokens from real GitHub users to access private repository paths.
  • Datadog recommends audit log streaming, user-agent baselining, and targeted threat hunting.

Read More: https://www.securityweek.com/ghost-accounts-abuse-github-api-in-mass-recon-campaign/