Skip to content
  • Home
  • Cyber Map
  • About Us – Contact
  • Disclaimer
  • Terms and Rules
  • Privacy Policy
Cyber Web Spider Blog – News

Cyber Web Spider Blog – News

Globe Threat Map provides a real-time, interactive 3D visualization of global cyber threats. Monitor DDoS attacks, malware, and hacking attempts with geo-located arcs on a rotating globe. Stay informed with live logs and archive stats.

  • Home
  • Cyber Map
  • Cyber Security News
  • Security Week News
  • The Hacker News
  • How To?
  • Toggle search form
Ghost Accounts Exploit GitHub API in Major Reconnaissance Effort

Ghost Accounts Exploit GitHub API in Major Reconnaissance Effort

Posted on July 11, 2026 By CWS

Cybersecurity firm Datadog has identified a systematic exploitation of the GitHub API by threat actors who are conducting extensive reconnaissance campaigns. These malicious activities involve the use of ghost accounts to map organizations, repositories, and user data.

Background of the Reconnaissance Campaigns

The campaign, which has been in operation for several months, leverages ghost accounts that have remained inactive since their creation two to five years ago. These accounts are now being used to orchestrate automated scanning operations, utilizing leaked credentials and networks of dormant accounts to gather information.

Datadog reports that the actors primarily target publicly accessible data on GitHub, which allows them to blend into regular traffic patterns. This activity includes cloning of discovered repositories, raising significant security concerns.

Technical Exploitation of GitHub API

A significant portion of the GitHub API can be accessed without authentication, enabling attackers to list public repositories, track user interactions, and run GraphQL queries. Such actions generate normal HTTP 200 responses, providing attackers with a means to map organizations and their projects without raising alarms.

Since October 2025, more than 50 ghost accounts have been observed sending API requests, often in bursts over periods of one to three weeks. These requests typically use user agents resembling data exfiltration tools, with a focus on GraphQL and REST routes.

Impact and Defensive Measures

While the primary goal of these campaigns is reconnaissance, there have been rare instances where attackers have managed to extract data from targeted organizations. In some cases, exposed tokens from legitimate accounts were used to access private repository commits.

To counter these threats, Datadog advises monitoring for unusual data exfiltration activities and scrutinizing user agent behaviors. They recommend enabling GitHub audit log streaming, establishing user agent baselines, and actively engaging in threat hunting to develop specific detection strategies.

Understanding normal operational patterns within an organization’s environment is crucial in identifying unauthorized activities, as emphasized by Datadog. They highlight the importance of proactive measures to safeguard against such API abuses.

Related articles discuss other cybersecurity challenges, including malware infections and phishing attacks targeting various platforms and organizations.

Security Week News Tags:API abuse, cyber threats, Cybersecurity, data exfiltration, Datadog, ghost accounts, GitHub, GraphQL, Reconnaissance, REST routes

Post navigation

Previous Post: MacOS Screen Sharing Issue in Microsoft Teams
Next Post: Ghostcommit Exploit Hides Malicious Code in Images

Related Posts

The Y2K38 Bug Is a Vulnerability, Not Just a Date Problem, Researchers Warn The Y2K38 Bug Is a Vulnerability, Not Just a Date Problem, Researchers Warn Security Week News
Victoria’s Secret Website Taken Offline After Cyberattack Victoria’s Secret Website Taken Offline After Cyberattack Security Week News
AI Sidebar Spoofing Puts ChatGPT Atlas, Perplexity Comet and Other Browsers at Risk AI Sidebar Spoofing Puts ChatGPT Atlas, Perplexity Comet and Other Browsers at Risk Security Week News
Gemini CLI Flaw Risked Severe Supply Chain Attack Gemini CLI Flaw Risked Severe Supply Chain Attack Security Week News
480,000 Catholic Health Patients Impacted by Serviceaide Data Leak 480,000 Catholic Health Patients Impacted by Serviceaide Data Leak Security Week News
Chrome, Edge Extensions Caught Tracking Users, Creating Backdoors Chrome, Edge Extensions Caught Tracking Users, Creating Backdoors Security Week News

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Recent Posts

  • Compromised jscrambler npm Package Drops Infostealer
  • Ghostcommit Exploit Hides Malicious Code in Images
  • Ghost Accounts Exploit GitHub API in Major Reconnaissance Effort
  • MacOS Screen Sharing Issue in Microsoft Teams
  • Zimbra Security Update Urges Users to Patch Critical Flaw

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Archives

  • July 2026
  • June 2026
  • May 2026
  • April 2026
  • March 2026
  • February 2026
  • January 2026
  • December 2025
  • November 2025
  • October 2025
  • September 2025
  • August 2025
  • July 2025
  • June 2025
  • May 2025

Recent Posts

  • Compromised jscrambler npm Package Drops Infostealer
  • Ghostcommit Exploit Hides Malicious Code in Images
  • Ghost Accounts Exploit GitHub API in Major Reconnaissance Effort
  • MacOS Screen Sharing Issue in Microsoft Teams
  • Zimbra Security Update Urges Users to Patch Critical Flaw

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Copyright © 2026 Cyber Web Spider Blog – News.

Powered by PressBook Masonry Dark