GitHub Under Siege: 'Ghost' Accounts and Compromised Tokens Fuel Widespread API Enumeration
A sophisticated campaign leveraging dormant 'ghost' accounts and compromised access tokens is systematically enumerating corporate **GitHub** organizations, repositories, and user accounts. Researchers at **Datadog Security Labs** have uncovered multiple overlapping operations that, while often targeting public data, have successfully breached and cloned private repositories in select cases. This highlights a critical supply chain security concern for development teams.
Cybersecurity firm **Datadog Security Labs** has issued a stark warning regarding coordinated campaigns that are systematically mapping out corporate **GitHub** environments. These attacks are meticulously enumerating organizations, repositories, and user accounts through the **GitHub API**.
"Operators rely on automated scraping tooling with custom or legitimate-sounding user agents, leveraging GitHub 'ghost' accounts that are often years old, or compromised OAuth tokens and personal access tokens (PATs) from legitimate users," stated **Julie Agnes Sparks**, a senior security engineer at **Datadog**.
While the primary objective appears to be the enumeration of public data, some instances have escalated beyond mere reconnaissance, leading to the successful cloning of private repositories.

### The Anatomy of the Attack
The campaign orchestrates a blend of automated scanner tools, over 50 long-dormant accounts, and dozens of legitimate accounts whose **Personal Access Tokens (PATs)** have been either unintentionally exposed or outright compromised. These resources are then weaponized to facilitate the extensive enumeration.
Crucially, the 'ghost' accounts are a key element of this strategy. These accounts were typically created two to five years ago and deliberately left inactive for extended periods. This dormancy period is a strategic move to avoid immediate suspicion, allowing the accounts to blend into normal activity when eventually activated for API traffic across various organizations. This contrasts sharply with newly created accounts that immediately engage in high-volume scraping, which would quickly trigger red flags.

### Exploiting Public API Endpoints
A significant portion of **GitHub's API** surface is accessible without authentication, enabling these enumeration queries to retrieve valuable data while appearing as routine API usage. Examples of such queries include:
* Listing an organization's public repositories
* Traversing a user's followers and following lists
* Enumerating gists, starred repositories, and organization memberships
* Executing **GraphQL** queries against public objects
This harvested information provides threat actors with a comprehensive reconnaissance capability, allowing them to programmatically map an organization's **GitHub** activities. This includes identifying public repositories, members, their social connections within **GitHub**, and the projects they contribute to.
### Beyond Enumeration: Private Repository Compromise
While most activity centers on reconnaissance, **Datadog** has confirmed instances where attackers moved beyond enumeration to actively clone private repositories belonging to specific organizations.
"Individually, most of these requests are unremarkable. They hit public endpoints, authenticate cleanly or not at all, and return successful responses," **Datadog** elaborated. "The concern lies in the aggregate: a group of accounts moving in sync across companies' **GitHub** organizations with versioned custom tooling iterating over weeks, and in the worst case, actors that stopped enumerating and started cloning."