Skip to content
  • Home
  • Cyber Map
  • About Us – Contact
  • Disclaimer
  • Terms and Rules
  • Privacy Policy
Cyber Web Spider Blog – News

Cyber Web Spider Blog – News

Globe Threat Map provides a real-time, interactive 3D visualization of global cyber threats. Monitor DDoS attacks, malware, and hacking attempts with geo-located arcs on a rotating globe. Stay informed with live logs and archive stats.

  • Home
  • Cyber Map
  • Cyber Security News
  • Security Week News
  • The Hacker News
  • How To?
  • Toggle search form
Dormant GitHub Accounts Aid Corporate Reconnaissance

Dormant GitHub Accounts Aid Corporate Reconnaissance

Posted on July 9, 2026 By CWS

Datadog Security Labs has identified multiple campaigns systematically analyzing corporate GitHub organizations, repositories, and user accounts via the GitHub API. This activity is facilitated by dormant accounts and compromised access tokens, posing a significant security concern.

Strategic Use of Dormant Accounts

Operators of these campaigns utilize automated scraping tools, employing user agents that mimic legitimate behavior. According to Julie Agnes Sparks, a senior security engineer at Datadog, these actors exploit GitHub ‘ghost’ accounts and compromised OAuth tokens or personal access tokens (PATs) from legitimate accounts. In some instances, the activity has escalated from public information gathering to the cloning of private repositories.

The dormant accounts, often inactive for two to five years, are strategically reactivated to conduct API traffic without raising suspicions. This approach contrasts with newly created accounts, which might attract scrutiny if used immediately for data scraping.

Techniques and Tools Employed

The campaigns make extensive use of GitHub’s API, which does not require authentication for a significant portion of its surface. As a result, attackers can execute queries that list public repositories, trace user connections, and enumerate various public data points, all while blending into normal API operations. Such queries include listing an organization’s public repositories, walking a user’s follower and following lists, and running GraphQL queries against public objects.

This information is valuable for threat actors conducting reconnaissance, allowing them to map an organization’s GitHub activity, including public repositories, member connections, and project involvement.

Implications for Organizations

Instances of unauthorized data access have been confirmed, with attackers successfully cloning a private repository from one organization. Datadog highlights that while individual requests may appear benign, the coordinated activity of multiple accounts across different organizations is concerning. The systematic use of custom tools and synchronized account actions over weeks can evolve from mere enumeration to potential theft of sensitive data.

The findings underscore the need for organizations to be vigilant about potential vulnerabilities within GitHub and the broader digital ecosystem. Monitoring for unusual account activities and securing access tokens are critical steps in mitigating these threats.

As cyber threats continue to evolve, it becomes imperative for companies to strengthen their security measures and remain informed about potential risks associated with dormant and compromised accounts.

The Hacker News Tags:API enumeration, API scraping, corporate reconnaissance, Cybersecurity, data privacy, Datadog Security, developer security, digital threats, ghost accounts, GitHub security, OAuth tokens, organizational mapping, private repositories, supply chain security, technology news

Post navigation

Previous Post: Microsoft’s AI Strategy Enhances Vulnerability Detection
Next Post: AI Aids Hacker in Swift 72-Hour AWS Cloud Breach

Related Posts

Researchers Uncover NodeCordRAT Hidden in npm Bitcoin-Themed Packages Researchers Uncover NodeCordRAT Hidden in npm Bitcoin-Themed Packages The Hacker News
Cybercriminals Deploy CORNFLAKE.V3 Backdoor via ClickFix Tactic and Fake CAPTCHA Pages Cybercriminals Deploy CORNFLAKE.V3 Backdoor via ClickFix Tactic and Fake CAPTCHA Pages The Hacker News
F5 Fixes Critical NGINX Vulnerabilities Allowing Code Execution F5 Fixes Critical NGINX Vulnerabilities Allowing Code Execution The Hacker News
Researchers Find VS Code Flaw Allowing Attackers to Republish Deleted Extensions Under Same Names Researchers Find VS Code Flaw Allowing Attackers to Republish Deleted Extensions Under Same Names The Hacker News
Automation Is Redefining Pentest Delivery Automation Is Redefining Pentest Delivery The Hacker News
Nine IP KVM Flaws Risk Unauthorized Root Access Nine IP KVM Flaws Risk Unauthorized Root Access The Hacker News

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Recent Posts

  • AI Aids Hacker in Swift 72-Hour AWS Cloud Breach
  • Dormant GitHub Accounts Aid Corporate Reconnaissance
  • Microsoft’s AI Strategy Enhances Vulnerability Detection
  • Cloud Bucket Hijacking and Global Fraud: Key Cybersecurity Threats
  • AssuranceAmerica Data Breach Affects Millions’ Personal Data

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Archives

  • July 2026
  • June 2026
  • May 2026
  • April 2026
  • March 2026
  • February 2026
  • January 2026
  • December 2025
  • November 2025
  • October 2025
  • September 2025
  • August 2025
  • July 2025
  • June 2025
  • May 2025

Recent Posts

  • AI Aids Hacker in Swift 72-Hour AWS Cloud Breach
  • Dormant GitHub Accounts Aid Corporate Reconnaissance
  • Microsoft’s AI Strategy Enhances Vulnerability Detection
  • Cloud Bucket Hijacking and Global Fraud: Key Cybersecurity Threats
  • AssuranceAmerica Data Breach Affects Millions’ Personal Data

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Copyright © 2026 Cyber Web Spider Blog – News.

Powered by PressBook Masonry Dark