cybersecurity

Dormant GitHub Accounts Fuel Large-Scale API Enumeration Campaigns Targeting Organizations

Security researchers have uncovered coordinated GitHub API abuse involving dormant "ghost" accounts, stolen access tokens, and custom scraping tools used to map organizations and, in some cases, access private repositories.

Xcademia Team

Xcademia Research Team

Jul 10, 20265 min read1 views
Share:
Dormant GitHub Accounts Fuel Large-Scale API Enumeration Campaigns Targeting Organizations

Dormant GitHub Accounts Fuel Large-Scale API Enumeration Campaigns Targeting Organizations

GitHub organizations are facing a growing threat from coordinated reconnaissance campaigns that blend legitimate API usage with malicious intent. New research from Datadog Security Labs reveals that attackers are leveraging dormant GitHub accounts, compromised access tokens, and custom-built scraping tools to systematically map organizations, profile employees, and in some cases gain access to private repositories.

The activity, which has been observed since late 2025, demonstrates how threat actors can exploit GitHub's public-facing API ecosystem to collect intelligence while remaining largely invisible to traditional security monitoring.

A New Wave of GitHub Reconnaissance

According to Datadog Security Labs, multiple threat clusters have been conducting large-scale GitHub API enumeration campaigns across numerous organizations. Rather than relying on obvious attacks, these actors use legitimate GitHub functionality to gather intelligence.

Most requests target publicly available information such as:

  • Organization repositories

  • User profiles

  • Followers and following relationships

  • Gists and starred repositories

  • Organization memberships

  • Repository metadata

  • GraphQL data queries

Because this information is publicly accessible, requests often return successful HTTP 200 responses, generating little to no security alerts.

Attackers can build detailed organizational maps without triggering failed authentication events or traditional intrusion detection systems.

How the Attack Chain Works

The campaigns generally follow a multi-stage process:

  1. Create or acquire trusted-looking GitHub accounts

  2. Enumerate organizations using GitHub APIs

  3. Identify employees and repository relationships

  4. Search for exposed credentials or compromised tokens

  5. Test access against private repositories

  6. Attempt repository cloning or data exfiltration

This progression allows attackers to move from reconnaissance to potential compromise while blending into normal API activity.

info-1

The Rise of Dormant "Ghost" Accounts

One of the most notable findings involves the use of dormant GitHub accounts, commonly referred to as "ghost accounts."

These accounts were often:

  • Created between two and five years ago

  • Left inactive for extended periods

  • Reactivated suddenly for reconnaissance campaigns

  • Used across multiple organizations simultaneously

Researchers confirmed more than 50 such accounts participating in coordinated enumeration activities.

Examples included naming patterns such as:

  • amazon-data-*

  • BirdWithDreams

  • BirdWithPlan

  • kuku-orb

  • lolo-orb

  • lulu-orb

  • ruru-orb

  • user432023

  • user412023

Older accounts appear more trustworthy than newly created profiles, making them useful for large-scale reconnaissance operations.

Many of these accounts operated for only one to three weeks before disappearing.

Custom Scraping Infrastructure

The campaigns relied on specialized tools and suspicious user agents designed either to advertise their function or disguise it.

Observed user agents included:

  • GitHub-Company-Scraper

  • GitHub-Scraper-Tool/1.0

  • GitHubAnalytics/1.5

  • GitHubDashboard/1.8

  • GitHub-Repo-Crawler/1.0

  • GitHub-Commit-Fetcher

  • GitHub-Event-Fetcher

  • repo-dumper

Some names openly suggested scraping functionality, while others attempted to resemble legitimate analytics platforms.

Researchers observed heavy usage of GitHub's GraphQL endpoint, which allows attackers to efficiently query large amounts of organizational and repository data in a single request.

Compromised Tokens Expand Access

Beyond reconnaissance, Datadog identified campaigns leveraging stolen GitHub credentials.

Attackers abused:

  • OAuth access tokens

  • Personal Access Tokens (PATs)

  • Fine-grained PATs

  • Previously leaked credentials

Many compromised tokens originated from:

  • Public code repositories

  • Developer mistakes

  • Endpoint compromises

  • Credential exposure incidents

Between December 2025 and January 2026, researchers tracked a campaign using multiple versions of custom tools, including:

  • GitHub-Commit-Fetcher/1.3

  • GitHub-Commit-Fetcher/1.4

  • GitHub-Event-Fetcher/2.2

The campaign repeatedly used compromised accounts to target private repository commit paths across organizations.

Although many access attempts failed, the activity demonstrated a clear progression from reconnaissance to exploitation.

info-2

From Enumeration to Data Exfiltration

Most observed activity focused on information gathering. However, Datadog documented at least one case where attackers successfully crossed into private repository access.

Researchers identified a tool called repo-dumper performing actions within a private repository.

Audit logs recorded:

  • git.clone events

  • API requests to private repository paths

  • Successful repository interactions

  • Evidence of data access

Importantly, the GitHub accounts involved had previously appeared in unsuccessful reconnaissance activity, suggesting a gradual escalation strategy.

This finding highlights how seemingly harmless public-data enumeration can eventually evolve into successful compromise.

Why Detection Is Challenging

Traditional security monitoring often focuses on:

  • Failed logins

  • Authentication anomalies

  • Malware execution

  • Unauthorized access attempts

GitHub enumeration campaigns bypass many of these indicators because they rely heavily on legitimate API functionality.

Challenges include:

  • Successful HTTP responses

  • Public data access

  • Minimal authentication failures

  • Legitimate API endpoints

  • Distributed infrastructure

As a result, organizations must shift toward behavioral monitoring rather than relying solely on authentication alerts.

Key Indicators Security Teams Should Monitor

Datadog recommends monitoring GitHub audit logs for:

Suspicious User Agents

Look for:

  • Fake version strings

  • Unknown automation tools

  • Scraper-like naming conventions

  • Analytics-themed tools with unusual behavior

Programmatic Access Types

Monitor usage involving:

  • OAuth applications

  • Classic PATs

  • Fine-grained PATs

Private Repository Activity

Pay special attention to:

  • git.clone events

  • repo.download_zip actions

  • API requests against private repositories

  • Sudden access by unfamiliar accounts

Infrastructure Correlation

Researchers linked some activity to hosting providers associated with prior abuse reports, including:

  • cherryservers.com

  • 3xktech.cloud

info-3

Defensive Recommendations

Organizations can reduce risk by implementing several defensive measures:

Enable GitHub Audit Log Streaming

Comprehensive audit logging provides visibility into API activity, repository access, and token usage.

Establish Behavioral Baselines

Understand normal:

  • User agents

  • Access patterns

  • API request volumes

  • Repository interactions

This makes anomalies easier to detect.

Protect Access Tokens

Organizations should:

  • Rotate tokens regularly

  • Use fine-grained permissions

  • Scan repositories for exposed secrets

  • Revoke unused credentials

Conduct Proactive Threat Hunting

Regularly search for:

  • Suspicious automation

  • Unusual GraphQL activity

  • Unexpected repository cloning

  • Access from unfamiliar actors

Monitor Private Resource Access

Successful access to private repositories should be treated as a high-priority security event.

Final Thoughts

The GitHub ecosystem remains a valuable target for threat actors seeking intelligence, credentials, and source code. Datadog's findings show that attackers are increasingly combining dormant accounts, compromised tokens, and custom API tooling to conduct long-term reconnaissance campaigns that can eventually lead to repository compromise.

What makes these operations particularly dangerous is their ability to hide within normal GitHub traffic. Since much of the activity relies on legitimate APIs and publicly accessible data, organizations must adopt behavioral analytics, continuous monitoring, and proactive threat hunting to identify malicious patterns before reconnaissance turns into data theft.

As software supply chain attacks continue to evolve, visibility into GitHub activity is becoming just as important as monitoring traditional endpoint and network security controls.

#GitHubSecurity#ThreatIntelligence#CyberSecurity#DataExfiltration#OAuthSecurity#SupplyChainSecurity#GitHubAPI#ThreatHunting

About the Author

X
Xcademia Team
Xcademia Research Team
Share:
Learn to stop attacks like this oneCybersecurity Engineer Bootcamp: live cohorts enrolling now, Career+ support included.