Skip to content
  • Home
  • Cyber Map
  • About Us – Contact
  • Disclaimer
  • Terms and Rules
  • Privacy Policy
Cyber Web Spider Blog – News

Cyber Web Spider Blog – News

Globe Threat Map provides a real-time, interactive 3D visualization of global cyber threats. Monitor DDoS attacks, malware, and hacking attempts with geo-located arcs on a rotating globe. Stay informed with live logs and archive stats.

  • Home
  • Cyber Map
  • Cyber Security News
  • Security Week News
  • The Hacker News
  • How To?
  • Toggle search form
Ghost Accounts Exploit GitHub API in Major Reconnaissance Effort

Ghost Accounts Exploit GitHub API in Major Reconnaissance Effort

Posted on July 11, 2026 By CWS

Cybersecurity firm Datadog has identified a systematic exploitation of the GitHub API by threat actors who are conducting extensive reconnaissance campaigns. These malicious activities involve the use of ghost accounts to map organizations, repositories, and user data.

Background of the Reconnaissance Campaigns

The campaign, which has been in operation for several months, leverages ghost accounts that have remained inactive since their creation two to five years ago. These accounts are now being used to orchestrate automated scanning operations, utilizing leaked credentials and networks of dormant accounts to gather information.

Datadog reports that the actors primarily target publicly accessible data on GitHub, which allows them to blend into regular traffic patterns. This activity includes cloning of discovered repositories, raising significant security concerns.

Technical Exploitation of GitHub API

A significant portion of the GitHub API can be accessed without authentication, enabling attackers to list public repositories, track user interactions, and run GraphQL queries. Such actions generate normal HTTP 200 responses, providing attackers with a means to map organizations and their projects without raising alarms.

Since October 2025, more than 50 ghost accounts have been observed sending API requests, often in bursts over periods of one to three weeks. These requests typically use user agents resembling data exfiltration tools, with a focus on GraphQL and REST routes.

Impact and Defensive Measures

While the primary goal of these campaigns is reconnaissance, there have been rare instances where attackers have managed to extract data from targeted organizations. In some cases, exposed tokens from legitimate accounts were used to access private repository commits.

To counter these threats, Datadog advises monitoring for unusual data exfiltration activities and scrutinizing user agent behaviors. They recommend enabling GitHub audit log streaming, establishing user agent baselines, and actively engaging in threat hunting to develop specific detection strategies.

Understanding normal operational patterns within an organization’s environment is crucial in identifying unauthorized activities, as emphasized by Datadog. They highlight the importance of proactive measures to safeguard against such API abuses.

Related articles discuss other cybersecurity challenges, including malware infections and phishing attacks targeting various platforms and organizations.

Security Week News Tags:API abuse, cyber threats, Cybersecurity, data exfiltration, Datadog, ghost accounts, GitHub, GraphQL, Reconnaissance, REST routes

Post navigation

Previous Post: MacOS Screen Sharing Issue in Microsoft Teams
Next Post: Ghostcommit Exploit Hides Malicious Code in Images

Related Posts

CISA Confirms Exploitation of Recent Oracle Identity Manager Vulnerability CISA Confirms Exploitation of Recent Oracle Identity Manager Vulnerability Security Week News
Cityworks Zero-Day Exploited by Chinese Hackers in US Local Government Attacks Cityworks Zero-Day Exploited by Chinese Hackers in US Local Government Attacks Security Week News
NIST Updates CVE Enrichment Process for Critical Software NIST Updates CVE Enrichment Process for Critical Software Security Week News
The Importance of Context in Agentic AI Security The Importance of Context in Agentic AI Security Security Week News
Notepad++ Supply Chain Hack Conducted by China via Hosting Provider Notepad++ Supply Chain Hack Conducted by China via Hosting Provider Security Week News
Dream Secures 0 Million, Reaches  Billion Valuation Dream Secures $260 Million, Reaches $3 Billion Valuation Security Week News

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Recent Posts

  • Ghostcommit Exploit Hides Malicious Code in Images
  • Ghost Accounts Exploit GitHub API in Major Reconnaissance Effort
  • MacOS Screen Sharing Issue in Microsoft Teams
  • Zimbra Security Update Urges Users to Patch Critical Flaw
  • Security Issues Found in Popular Android VPN Apps

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Archives

  • July 2026
  • June 2026
  • May 2026
  • April 2026
  • March 2026
  • February 2026
  • January 2026
  • December 2025
  • November 2025
  • October 2025
  • September 2025
  • August 2025
  • July 2025
  • June 2025
  • May 2025

Recent Posts

  • Ghostcommit Exploit Hides Malicious Code in Images
  • Ghost Accounts Exploit GitHub API in Major Reconnaissance Effort
  • MacOS Screen Sharing Issue in Microsoft Teams
  • Zimbra Security Update Urges Users to Patch Critical Flaw
  • Security Issues Found in Popular Android VPN Apps

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Copyright © 2026 Cyber Web Spider Blog – News.

Powered by PressBook Masonry Dark