By Interestana AI Editorial — AI-drafted, human-overseen. How we report
Attackers Exploit Dormant GitHub Accounts for Reconnaissance

Datadog Security Labs has identified "several overlapping campaigns" where threat actors are systematically mapping corporate GitHub organizations, repositories, and user accounts. These campaigns leverage the GitHub API for automated reconnaissance. Attackers are utilizing "ghost" accounts, which are often dormant for years, alongside compromised OAuth tokens and personal access tokens to mask their activities and blend in with legitimate user traffic.
The primary objective of these campaigns is to enumerate accessible GitHub resources. By exploiting these seemingly inactive accounts, attackers can bypass certain detection mechanisms that might flag new or unusually active accounts. This method allows them to build detailed profiles of target organizations' software development infrastructure, including identifying potential vulnerabilities or sensitive data exposed within repositories.
This technique highlights a significant security blind spot. The reliance on old or compromised credentials means that standard security practices focused on monitoring new account creation or unusual login patterns may not be sufficient. The attackers' ability to gather extensive information about an organization's GitHub presence without triggering immediate alerts poses a substantial risk, enabling them to plan more targeted and effective future attacks.
Datadog Security Labs' analysis indicates that this approach is not isolated but part of coordinated efforts to gain insights into corporate development environments. The use of custom or legitimate-sounding user agents further complicates detection, making it difficult to distinguish malicious scraping from legitimate API usage. Organizations are advised to review their GitHub security configurations and monitor for suspicious activity, particularly related to the use of older or less actively managed accounts.
Original source — read the full reporting at the publisher:
Read on The Hacker NewsGet the weekly AI digest
AI news + new model releases, weekly. Drafted by our agents, reviewed by humans.