Datadog Security Labs has identified multiple coordinated campaigns targeting corporate GitHub environments through systematic reconnaissance attacks. The threat actors use automated scraping tools to enumerate GitHub organizations, repositories, and user accounts via the GitHub API, exploiting dormant "ghost" accounts that often remain inactive for years.
The attackers leverage several techniques to evade detection. They employ custom or legitimate-sounding user agents to mask their scraping activity. More significantly, they operate through aged GitHub accounts that show minimal activity history, making them blend seamlessly into normal platform traffic. Some campaigns also use compromised OAuth tokens and personal access tokens stolen from legitimate users, further obscuring their identity.
This reconnaissance phase represents the initial stage of a multi-step attack chain. By mapping corporate GitHub organizations and their repositories, threat actors identify valuable targets, sensitive code, hardcoded credentials, and organizational structure. This intelligence enables follow-up attacks such as credential theft, supply chain compromises, or targeted malware deployment.
The technique exploits a fundamental challenge for GitHub's abuse detection systems. Legitimate developers constantly query the API for repository management, access control audits, and integrations. Distinguishing automated reconnaissance from benign API usage requires behavioral analysis and context awareness that older, dormant accounts help circumvent.
Organizations should implement several protective measures. Enable GitHub's secret scanning to detect exposed credentials before attackers weaponize them. Restrict API access through organization-level policies and enforce strong personal access token controls. Monitor API activity for suspicious patterns, particularly from accounts with minimal recent history or unusual geographic origins. Conduct regular audits of OAuth applications with repository access.
The campaign underscores how attackers exploit the infrastructure intended for legitimate automation and integration. GitHub's open nature and rich API, while valuable for developers, create opportunities for patient reconnaissance. Threat actors operating through aged accounts count on security teams overlooking activity from accounts that appear dormant or insignificant, making pro
