Skip to content
Chimera readability score 78 out of 100, Expert reading level.

Threat actors are abusing the GitHub API to systematically enumerate organizations, repositories, and user accounts, Datadog reports.
Spanning multiple overlapping campaigns, the activity has been ongoing for several months, relying on ghost accounts that were registered two to five years ago but left dormant.
The activity, Datadog says, involves automated scanners, the abuse of leaked credentials, and coordinated networks of dormant accounts.
While the observed GitHub API requests are targeting publicly available data, blending with normal traffic, the continuous activity that in some cases escalated to the attackers cloning discovered repositories raises concern.
“A large share of GitHub’s API surface is reachable without authentication. Listing an organization’s public repositories, walking a user’s followers and following lists, enumerating gists, starred repos, and org memberships, and running GraphQL queries against public objects all return data,” Datadog explains.
Requests against these public paths generate HTTP 200 responses and no authentication failure signals. Through normal API traffic, an operator can use this to map an organization, its members, and the projects they access.
Since at least October 2025, over 50 ghost accounts have been used to send API traffic as part of the enumeration, usually in bursts of 1 to 3 weeks, across multiple organizations.
The accounts have been using user agents named to sound like data exfiltration, analytics, or dashboard tools. Most of the requests have been targeting GraphQL, while others have been aimed at REST routes.
“On its own, this enumeration rarely produces meaningful access inside an organization, rather it’s accomplishing reconnaissance,” Datadog notes.
One campaign was also seen using inadvertently exposed tokens from legitimate GitHub users, targeting private repository commit paths from dozens of legitimate accounts over a window of several minutes.
In rare cases, the attackers moved beyond reconnaissance and successfully exfiltrated data from the targeted organizations, Datadog says.
To detect this type of malicious activity, the cybersecurity firm notes, defenders should look for data exfiltration from private repositories, and should check logs for anomalous user agent behavior and for user agent naming and versioning in actions that reach private repositories.
“User agents, event activity, and actor names are vital clues to unauthorized activity in your environment. It’s important to know what normal looks like in your environment. We suggest enabling GitHub audit log streaming, baselining your user agents, proactively threat hunting, and developing detections unique to your GitHub organization,” Datadog notes.
Related: Network of 200 GitHub Repositories Used for Malware Infection
Related: China, India-Linked Hackers Both Targeted Same Pakistani Police Force
Related: Okta Warns of Vishing Attacks Targeting Microsoft 365 Customers

Facts Only

* Threat actors abuse the GitHub API for enumeration of organizations, repositories, and user accounts.
* Activity spans several months, relying on ghost accounts registered two to five years ago.
* The activity involves automated scanners, abuse of leaked credentials, and coordinated dormant account networks.
* Enumeration targets publicly available data by listing repositories, followers, gists, starred repos, and org memberships.
* Requests against public paths generate HTTP 200 responses without authentication failure signals.
* Over 50 ghost accounts have been used for API traffic since at least October 2025, in bursts of 1 to 3 weeks across multiple organizations.
* Accounts used user agents named to resemble data exfiltration or analytics tools.
* Activity often targeted GraphQL endpoints, with some requests targeting REST routes.
* In rare cases, attackers successfully exfiltrated data from targeted organizations.
* Defenders should look for data exfiltration from private repositories and anomalous user agent behavior.

Executive Summary

Threat actors are leveraging the GitHub API to systematically enumerate organizations, repositories, and user accounts through coordinated campaigns spanning several months. This activity relies on using ghost accounts that were registered two to five years prior but remained dormant. The enumeration process involves automated scanners, the misuse of leaked credentials, and networks of these dormant accounts. While many requests target publicly available data and blend with normal traffic, continuous activity has escalated in some instances to cloning discovered repositories. The API surface is largely reachable without authentication, allowing operators to map organizations, members, and accessed projects through normal API calls like listing public repositories or querying GraphQL endpoints.

Full Take

The observed pattern involves a sophisticated reconnaissance strategy leveraging the inherent visibility of public API surfaces combined with long-term dormant accounts. The core mechanism relies on exploiting the lack of authentication checks on many public endpoints to build organizational maps, which is a low-friction way to gather intelligence before escalating to higher-value actions like repository cloning or data exfiltration. The use of long-dormant, intentionally obfuscated accounts suggests an operational tempo designed for persistence rather than immediate, high-volume intrusion attempts. The escalation from simple enumeration (reconnaissance) to actual data theft implies that the initial mapping phase serves as a necessary prerequisite for establishing access paths into private systems. The recommendation for detection focuses on behavioral anomalies—specifically user agent naming and activity patterns—suggesting that surface-level access controls are insufficient against this type of persistent, low-and-slow threat. This suggests a paradigm shift where monitoring the *context* of legitimate API traffic (user agents, event sequences) is more critical than policing simple authentication failures to detect sophisticated enumeration chains. What other organizational or platform surfaces are being systematically mapped through these same public paths that require similar anomaly detection? How might defenders build baselines for "normal" user agent behavior across diverse organizational contexts to make this contextual analysis scalable?

Sentinel — Human

Confidence

The text reads like a factual summary derived from expert reporting, focusing on technical observations and security recommendations provided by a named vendor.

Signals Detected
low severity: Moderate sentence length variance; use of technical jargon mixed with explanatory phrasing.
low severity: Logical flow from problem statement (abuse) to method (enumeration) to mitigation (detection).
low severity: Attribution is specific ('Datadog reports,' 'Datadog explains') and integrates technical findings naturally.
low severity: Specific details regarding API paths, HTTP codes, and agent naming suggest direct sourcing rather than pure fabrication.
Human Indicators
Use of direct quotes from a named entity (Datadog) to support technical claims.
The tone shifts appropriately between reporting an observation and providing recommended defense strategies.
Ghost Accounts Abuse GitHub API in Mass Recon Campaign — Arc Codex