Dormant GitHub Accounts Fuel Large-Scale API Enumeration Campaigns Targeting Organizations
Security researchers have uncovered coordinated GitHub API abuse involving dormant "ghost" accounts, stolen access tokens, and custom scraping tools used to map organizations and, in some cases, access private repositories.
Xcademia Team
Xcademia Research Team

Dormant GitHub Accounts Fuel Large-Scale API Enumeration Campaigns Targeting Organizations
GitHub organizations are facing a growing threat from coordinated reconnaissance campaigns that blend legitimate API usage with malicious intent. New research from Datadog Security Labs reveals that attackers are leveraging dormant GitHub accounts, compromised access tokens, and custom-built scraping tools to systematically map organizations, profile employees, and in some cases gain access to private repositories.
The activity, which has been observed since late 2025, demonstrates how threat actors can exploit GitHub's public-facing API ecosystem to collect intelligence while remaining largely invisible to traditional security monitoring.
A New Wave of GitHub Reconnaissance
According to Datadog Security Labs, multiple threat clusters have been conducting large-scale GitHub API enumeration campaigns across numerous organizations. Rather than relying on obvious attacks, these actors use legitimate GitHub functionality to gather intelligence.
Most requests target publicly available information such as:
Organization repositories
User profiles
Followers and following relationships
Gists and starred repositories
Organization memberships
Repository metadata
GraphQL data queries
Because this information is publicly accessible, requests often return successful HTTP 200 responses, generating little to no security alerts.
Attackers can build detailed organizational maps without triggering failed authentication events or traditional intrusion detection systems.
How the Attack Chain Works
The campaigns generally follow a multi-stage process:
Create or acquire trusted-looking GitHub accounts
Enumerate organizations using GitHub APIs
Identify employees and repository relationships
Search for exposed credentials or compromised tokens
Test access against private repositories
Attempt repository cloning or data exfiltration
This progression allows attackers to move from reconnaissance to potential compromise while blending into normal API activity.

The Rise of Dormant "Ghost" Accounts
One of the most notable findings involves the use of dormant GitHub accounts, commonly referred to as "ghost accounts."
These accounts were often:
Created between two and five years ago
Left inactive for extended periods
Reactivated suddenly for reconnaissance campaigns
Used across multiple organizations simultaneously
Researchers confirmed more than 50 such accounts participating in coordinated enumeration activities.
Examples included naming patterns such as:
amazon-data-*
BirdWithDreams
BirdWithPlan
kuku-orb
lolo-orb
lulu-orb
ruru-orb
user432023
user412023
Older accounts appear more trustworthy than newly created profiles, making them useful for large-scale reconnaissance operations.
Many of these accounts operated for only one to three weeks before disappearing.
Custom Scraping Infrastructure
The campaigns relied on specialized tools and suspicious user agents designed either to advertise their function or disguise it.
Observed user agents included:
GitHub-Company-Scraper
GitHub-Scraper-Tool/1.0
GitHubAnalytics/1.5
GitHubDashboard/1.8
GitHub-Repo-Crawler/1.0
GitHub-Commit-Fetcher
GitHub-Event-Fetcher
repo-dumper
Some names openly suggested scraping functionality, while others attempted to resemble legitimate analytics platforms.
Researchers observed heavy usage of GitHub's GraphQL endpoint, which allows attackers to efficiently query large amounts of organizational and repository data in a single request.
Compromised Tokens Expand Access
Beyond reconnaissance, Datadog identified campaigns leveraging stolen GitHub credentials.
Attackers abused:
OAuth access tokens
Personal Access Tokens (PATs)
Fine-grained PATs
Previously leaked credentials
Many compromised tokens originated from:
Public code repositories
Developer mistakes
Endpoint compromises
Credential exposure incidents
Between December 2025 and January 2026, researchers tracked a campaign using multiple versions of custom tools, including:
GitHub-Commit-Fetcher/1.3
GitHub-Commit-Fetcher/1.4
GitHub-Event-Fetcher/2.2
The campaign repeatedly used compromised accounts to target private repository commit paths across organizations.
Although many access attempts failed, the activity demonstrated a clear progression from reconnaissance to exploitation.

From Enumeration to Data Exfiltration
Most observed activity focused on information gathering. However, Datadog documented at least one case where attackers successfully crossed into private repository access.
Researchers identified a tool called repo-dumper performing actions within a private repository.
Audit logs recorded:
git.clone events
API requests to private repository paths
Successful repository interactions
Evidence of data access
Importantly, the GitHub accounts involved had previously appeared in unsuccessful reconnaissance activity, suggesting a gradual escalation strategy.
This finding highlights how seemingly harmless public-data enumeration can eventually evolve into successful compromise.
Why Detection Is Challenging
Traditional security monitoring often focuses on:
Failed logins
Authentication anomalies
Malware execution
Unauthorized access attempts
GitHub enumeration campaigns bypass many of these indicators because they rely heavily on legitimate API functionality.
Challenges include:
Successful HTTP responses
Public data access
Minimal authentication failures
Legitimate API endpoints
Distributed infrastructure
As a result, organizations must shift toward behavioral monitoring rather than relying solely on authentication alerts.
Key Indicators Security Teams Should Monitor
Datadog recommends monitoring GitHub audit logs for:
Suspicious User Agents
Look for:
Fake version strings
Unknown automation tools
Scraper-like naming conventions
Analytics-themed tools with unusual behavior
Programmatic Access Types
Monitor usage involving:
OAuth applications
Classic PATs
Fine-grained PATs
Private Repository Activity
Pay special attention to:
git.clone events
repo.download_zip actions
API requests against private repositories
Sudden access by unfamiliar accounts
Infrastructure Correlation
Researchers linked some activity to hosting providers associated with prior abuse reports, including:
cherryservers.com
3xktech.cloud

Defensive Recommendations
Organizations can reduce risk by implementing several defensive measures:
Enable GitHub Audit Log Streaming
Comprehensive audit logging provides visibility into API activity, repository access, and token usage.
Establish Behavioral Baselines
Understand normal:
User agents
Access patterns
API request volumes
Repository interactions
This makes anomalies easier to detect.
Protect Access Tokens
Organizations should:
Rotate tokens regularly
Use fine-grained permissions
Scan repositories for exposed secrets
Revoke unused credentials
Conduct Proactive Threat Hunting
Regularly search for:
Suspicious automation
Unusual GraphQL activity
Unexpected repository cloning
Access from unfamiliar actors
Monitor Private Resource Access
Successful access to private repositories should be treated as a high-priority security event.
Final Thoughts
The GitHub ecosystem remains a valuable target for threat actors seeking intelligence, credentials, and source code. Datadog's findings show that attackers are increasingly combining dormant accounts, compromised tokens, and custom API tooling to conduct long-term reconnaissance campaigns that can eventually lead to repository compromise.
What makes these operations particularly dangerous is their ability to hide within normal GitHub traffic. Since much of the activity relies on legitimate APIs and publicly accessible data, organizations must adopt behavioral analytics, continuous monitoring, and proactive threat hunting to identify malicious patterns before reconnaissance turns into data theft.
As software supply chain attacks continue to evolve, visibility into GitHub activity is becoming just as important as monitoring traditional endpoint and network security controls.
Source: Datadog Security Labs
About the Author