{"id":16658,"date":"2026-07-12T21:46:50","date_gmt":"2026-07-12T21:46:50","guid":{"rendered":"https:\/\/techtrendfeed.com\/?p=16658"},"modified":"2026-07-12T21:46:50","modified_gmt":"2026-07-12T21:46:50","slug":"ghost-accounts-abuse-github-api-in-mass-recon-marketing-campaign","status":"publish","type":"post","link":"https:\/\/techtrendfeed.com\/?p=16658","title":{"rendered":"Ghost Accounts Abuse GitHub API in Mass Recon Marketing campaign"},"content":{"rendered":"<p> <br \/>\n<\/p>\n<div>\n<p class=\"wp-block-paragraph\"><strong>Menace actors are abusing the GitHub API to systematically enumerate organizations, repositories, and person accounts, Datadog reviews.<\/strong><\/p>\n<p class=\"wp-block-paragraph\">Spanning a number of overlapping campaigns, the exercise has been ongoing for a number of months, counting on ghost accounts that had been registered two to 5 years in the past however left dormant.<\/p>\n<p class=\"wp-block-paragraph\">The exercise, <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/securitylabs.datadoghq.com\/articles\/coordinated-github-api-enumeration\/\">Datadog says<\/a>, entails automated scanners, the abuse of leaked credentials, and coordinated networks of dormant accounts.<\/p>\n<p class=\"wp-block-paragraph\">Whereas the noticed GitHub API requests are concentrating on publicly out there knowledge, mixing with regular visitors, the continual exercise that in some instances escalated to the attackers cloning found repositories raises concern.<\/p>\n<p class=\"wp-block-paragraph\">\u201cA big share of GitHub\u2019s API floor is reachable with out authentication. Itemizing a company\u2019s public repositories, strolling a person\u2019s followers and following lists, enumerating gists, starred repos, and org memberships, and working GraphQL queries in opposition to public objects all return knowledge,\u201d Datadog explains.<\/p>\n<p class=\"wp-block-paragraph\">Requests in opposition to these public paths generate HTTP 200 responses and no authentication failure alerts. Via regular API visitors, an operator can use this to map a company, its members, and the tasks they entry.<\/p>\n<div class=\"zox-post-ad-wrap\"><span class=\"zox-ad-label\">Commercial. Scroll to proceed studying.<\/span><\/div>\n<p class=\"wp-block-paragraph\">Since not less than October 2025, over 50 ghost accounts have been used to ship API visitors as a part of the enumeration, normally in bursts of 1 to three weeks, throughout a number of organizations.<\/p>\n<p class=\"wp-block-paragraph\">The accounts have been utilizing person brokers named to sound like knowledge exfiltration, analytics, or dashboard instruments. Many of the requests have been concentrating on GraphQL, whereas others have been geared toward REST routes.<\/p>\n<p class=\"wp-block-paragraph\">\u201cBy itself, this enumeration not often produces significant entry inside a company, relatively it\u2019s carrying out reconnaissance,\u201d Datadog notes.<\/p>\n<p class=\"wp-block-paragraph\">One marketing campaign was additionally seen utilizing inadvertently uncovered tokens from professional GitHub customers, concentrating on personal repository commit paths from dozens of professional accounts over a window of a number of minutes.<\/p>\n<p class=\"wp-block-paragraph\">In uncommon instances, the attackers moved past reconnaissance and efficiently exfiltrated knowledge from the focused organizations, Datadog says.<\/p>\n<p class=\"wp-block-paragraph\">To detect such a malicious exercise, the cybersecurity agency notes, defenders ought to search for knowledge exfiltration from personal repositories, and may verify logs for anomalous person agent conduct and for person agent naming and versioning in actions that attain personal repositories.<\/p>\n<p class=\"wp-block-paragraph\">\u201cPerson brokers, occasion exercise, and actor names are important clues to unauthorized exercise in your atmosphere. It\u2019s necessary to know what regular appears to be like like in your atmosphere. We propose enabling GitHub audit log streaming, baselining your person brokers, proactively menace looking, and growing detections distinctive to your GitHub group,\u201d Datadog notes.<\/p>\n<p class=\"wp-block-paragraph\"><strong>Associated:<\/strong> <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/www.securityweek.com\/network-of-200-github-repositories-used-for-malware-infection\/\">Community of 200 GitHub Repositories Used for Malware An infection<\/a><\/p>\n<p class=\"wp-block-paragraph\"><strong>Associated:<\/strong> <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/www.securityweek.com\/china-india-linked-hackers-both-targeted-same-pakistani-police-force\/\">China, India-Linked Hackers Each Focused Similar Pakistani Police Power<\/a><\/p>\n<p class=\"wp-block-paragraph\"><strong>Associated:<\/strong> <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/www.securityweek.com\/okta-warns-of-vishing-attacks-targeting-microsoft-365-customers\/\">Okta Warns of Vishing Assaults Concentrating on Microsoft 365 Prospects<\/a><\/p>\n<p class=\"wp-block-paragraph\"><strong>Associated:<\/strong> <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/www.securityweek.com\/chinese-framework-powers-200000-scam-sites\/\">Chinese language Framework Powers 200,000 Rip-off Websites<\/a>\n      <\/p>\n<\/div>\n\n","protected":false},"excerpt":{"rendered":"<p>Menace actors are abusing the GitHub API to systematically enumerate organizations, repositories, and person accounts, Datadog reviews. Spanning a number of overlapping campaigns, the exercise has been ongoing for a number of months, counting on ghost accounts that had been registered two to 5 years in the past however left dormant. The exercise, Datadog says, [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":16660,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[58],"tags":[1865,172,664,396,941,933,5676,7822],"class_list":["post-16658","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-abuse","tag-accounts","tag-api","tag-campaign","tag-ghost","tag-github","tag-mass","tag-recon"],"_links":{"self":[{"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/posts\/16658","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=16658"}],"version-history":[{"count":1,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/posts\/16658\/revisions"}],"predecessor-version":[{"id":16659,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/posts\/16658\/revisions\/16659"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/media\/16660"}],"wp:attachment":[{"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=16658"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=16658"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=16658"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}<!-- This website is optimized by Airlift. Learn more: https://airlift.net. Template:. Learn more: https://airlift.net. Template: 69d9690a190636c2e0989534. Config Timestamp: 2026-04-10 21:18:02 UTC, Cached Timestamp: 2026-07-13 00:36:27 UTC -->