Menace actors are abusing the GitHub API to systematically enumerate organizations, repositories, and person accounts, Datadog reviews.
Spanning a number of overlapping campaigns, the exercise has been ongoing for a number of months, counting on ghost accounts that had been registered two to 5 years in the past however left dormant.
The exercise, Datadog says, entails automated scanners, the abuse of leaked credentials, and coordinated networks of dormant accounts.
Whereas the noticed GitHub API requests are concentrating on publicly out there knowledge, mixing with regular visitors, the continual exercise that in some instances escalated to the attackers cloning found repositories raises concern.
“A big share of GitHub’s API floor is reachable with out authentication. Itemizing a company’s public repositories, strolling a person’s followers and following lists, enumerating gists, starred repos, and org memberships, and working GraphQL queries in opposition to public objects all return knowledge,” Datadog explains.
Requests in opposition to these public paths generate HTTP 200 responses and no authentication failure alerts. Via regular API visitors, an operator can use this to map a company, its members, and the tasks they entry.
Since not less than October 2025, over 50 ghost accounts have been used to ship API visitors as a part of the enumeration, normally in bursts of 1 to three weeks, throughout a number of organizations.
The accounts have been utilizing person brokers named to sound like knowledge exfiltration, analytics, or dashboard instruments. Many of the requests have been concentrating on GraphQL, whereas others have been geared toward REST routes.
“By itself, this enumeration not often produces significant entry inside a company, relatively it’s carrying out reconnaissance,” Datadog notes.
One marketing campaign was additionally seen utilizing inadvertently uncovered tokens from professional GitHub customers, concentrating on personal repository commit paths from dozens of professional accounts over a window of a number of minutes.
In uncommon instances, the attackers moved past reconnaissance and efficiently exfiltrated knowledge from the focused organizations, Datadog says.
To detect such a malicious exercise, the cybersecurity agency notes, defenders ought to search for knowledge exfiltration from personal repositories, and may verify logs for anomalous person agent conduct and for person agent naming and versioning in actions that attain personal repositories.
“Person brokers, occasion exercise, and actor names are important clues to unauthorized exercise in your atmosphere. It’s necessary to know what regular appears to be like like in your atmosphere. We propose enabling GitHub audit log streaming, baselining your person brokers, proactively menace looking, and growing detections distinctive to your GitHub group,” Datadog notes.
Associated: Community of 200 GitHub Repositories Used for Malware An infection
Associated: China, India-Linked Hackers Each Focused Similar Pakistani Police Power
Associated: Okta Warns of Vishing Assaults Concentrating on Microsoft 365 Prospects
Associated: Chinese language Framework Powers 200,000 Rip-off Websites






