Datadog researchers have flagged overlapping, months-long campaigns that abuse GitHub's public API and lean on more than 50 dormant "ghost" accounts, reactivated after two to five years of inactivity, to map organizations and the people who work in them. Some of the same operations also cloned private repositories, took over user tokens and pulled data out through both Git and the API.
The mechanism, per Datadog's Julie Agnes Sparks: "Individually, most of these requests are unremarkable. They hit public endpoints, authenticate cleanly or not at all, and return successful responses." That is what makes them expensive to spot. Public endpoints hand over organization members, public repositories, starred repositories and follower lists to any caller; both GraphQL and REST are in scope. Ghost accounts light up for one to three weeks at a time, and the user-agent strings walk the line: "GitHub-Company-Scraper" at one end, benign-sounding "GitHubAnalytics/1.5" at the other. One campaign leaned on personal access tokens stolen during a December to January window. A separate agent labelled "repo-dumper" used tokens like those to clone private repositories over Git and to pull the rest through API calls.
Where the operational bite lands
Most of this activity looks like traffic you asked for. GitHub carries 420 million-plus repositories and 150 million-plus developers, and abusive calls sit inside that firehose. Datadog puts 95% of malicious Git campaigns at GitHub and 5% at GitLab, with 58% of the campaigns ending in credential phishing and 42% in malware. The recon step is what turns a scraped org chart into a targeted phish or a stolen PAT that gets to CI.
The controls that help are already in the platform. Set organization member visibility to private so the enumeration endpoints stop being a free directory. Rotate personal access tokens on a hard TTL, and prefer fine-grained or short-lived tokens over classic PATs for anything that touches a pipeline. Watch the audit log for unfamiliar user agents and for API patterns that only hit public endpoints. Rate-limit unauthenticated calls at the perimeter where you can.
None of that stops a dormant account from lighting up next week. It shortens the window between the recon traffic and the first alert, which is the window a defender actually gets to work in.
Top comments (0)