Threat actors are abusing the GitHub API to systematically enumerate organizations, repositories, and user accounts, Datadog reports.
Spanning multiple overlapping campaigns, the activity has been ongoing for several months, relying on ghost accounts that were registered two to five years ago but left dormant.
The activity, Datadog says, involves automated scanners, the abuse of leaked credentials, and coordinated networks of dormant accounts.
While the observed GitHub API requests are targeting publicly available data, blending with normal traffic, the continuous activity that in some cases escalated to the attackers cloning discovered repositories raises concern.
“A large share of GitHub’s API surface is reachable without authentication. Listing an organization’s public repositories, walking a user’s followers and following lists, enumerating gists, starred repos, and org memberships, and running GraphQL queries against public objects all return data,” Datadog explains.
Requests against these public paths generate HTTP 200 responses and no authentication failure signals. Through normal API traffic, an operator can use this to map an organization, its members, and the projects they access.
Since at least October 2025, over 50 ghost accounts have been used to send API traffic as part of the enumeration, usually in bursts of 1 to 3 weeks, across multiple organizations.
The accounts have been using user agents named to sound like data exfiltration, analytics, or dashboard tools. Most of the requests have been targeting GraphQL, while others have been aimed at REST routes.
“On its own, this enumeration rarely produces meaningful access inside an organization, rather it’s accomplishing reconnaissance,” Datadog notes.
One campaign was also seen using inadvertently exposed tokens from legitimate GitHub users, targeting private repository commit paths from dozens of legitimate accounts over a window of several minutes.
In rare cases, the attackers moved beyond reconnaissance and successfully exfiltrated data from the targeted organizations, Datadog says.
To detect this type of malicious activity, the cybersecurity firm notes, defenders should look for data exfiltration from private repositories, and should check logs for anomalous user agent behavior and for user agent naming and versioning in actions that reach private repositories.
“User agents, event activity, and actor names are vital clues to unauthorized activity in your environment. It’s important to know what normal looks like in your environment. We suggest enabling GitHub audit log streaming, baselining your user agents, proactively threat hunting, and developing detections unique to your GitHub organization,” Datadog notes.
Related: Network of 200 GitHub Repositories Used for Malware Infection
Related: China, India-Linked Hackers Both Targeted Same Pakistani Police Force
Related: Okta Warns of Vishing Attacks Targeting Microsoft 365 Customers
Facts Only
* Threat actors abuse the GitHub API for enumeration of organizations, repositories, and user accounts.
* Activity spans several months, relying on ghost accounts registered two to five years ago.
* The activity involves automated scanners, abuse of leaked credentials, and coordinated dormant account networks.
* Enumeration targets publicly available data by listing repositories, followers, gists, starred repos, and org memberships.
* Requests against public paths generate HTTP 200 responses without authentication failure signals.
* Over 50 ghost accounts have been used for API traffic since at least October 2025, in bursts of 1 to 3 weeks across multiple organizations.
* Accounts used user agents named to resemble data exfiltration or analytics tools.
* Activity often targeted GraphQL endpoints, with some requests targeting REST routes.
* In rare cases, attackers successfully exfiltrated data from targeted organizations.
* Defenders should look for data exfiltration from private repositories and anomalous user agent behavior.
Executive Summary
Full Take
Sentinel — Human
The text reads like a factual summary derived from expert reporting, focusing on technical observations and security recommendations provided by a named vendor.
