Cybersecurity firm Datadog has identified a systematic exploitation of the GitHub API by threat actors who are conducting extensive reconnaissance campaigns. These malicious activities involve the use of ghost accounts to map organizations, repositories, and user data.
Background of the Reconnaissance Campaigns
The campaign, which has been in operation for several months, leverages ghost accounts that have remained inactive since their creation two to five years ago. These accounts are now being used to orchestrate automated scanning operations, utilizing leaked credentials and networks of dormant accounts to gather information.
Datadog reports that the actors primarily target publicly accessible data on GitHub, which allows them to blend into regular traffic patterns. This activity includes cloning of discovered repositories, raising significant security concerns.
Technical Exploitation of GitHub API
A significant portion of the GitHub API can be accessed without authentication, enabling attackers to list public repositories, track user interactions, and run GraphQL queries. Such actions generate normal HTTP 200 responses, providing attackers with a means to map organizations and their projects without raising alarms.
Since October 2025, more than 50 ghost accounts have been observed sending API requests, often in bursts over periods of one to three weeks. These requests typically use user agents resembling data exfiltration tools, with a focus on GraphQL and REST routes.
Impact and Defensive Measures
While the primary goal of these campaigns is reconnaissance, there have been rare instances where attackers have managed to extract data from targeted organizations. In some cases, exposed tokens from legitimate accounts were used to access private repository commits.
To counter these threats, Datadog advises monitoring for unusual data exfiltration activities and scrutinizing user agent behaviors. They recommend enabling GitHub audit log streaming, establishing user agent baselines, and actively engaging in threat hunting to develop specific detection strategies.
Understanding normal operational patterns within an organization’s environment is crucial in identifying unauthorized activities, as emphasized by Datadog. They highlight the importance of proactive measures to safeguard against such API abuses.
Related articles discuss other cybersecurity challenges, including malware infections and phishing attacks targeting various platforms and organizations.
