Menace actors are abusing the GitHub API to systematically enumerate organizations, repositories, and person accounts, Datadog experiences.
Spanning a number of overlapping campaigns, the exercise has been ongoing for a number of months, counting on ghost accounts that had been registered two to 5 years in the past however left dormant.
The exercise, Datadog says, entails automated scanners, the abuse of leaked credentials, and coordinated networks of dormant accounts.
Whereas the noticed GitHub API requests are focusing on publicly out there knowledge, mixing with regular site visitors, the continual exercise that in some circumstances escalated to the attackers cloning found repositories raises concern.
“A big share of GitHub’s API floor is reachable with out authentication. Itemizing a corporation’s public repositories, strolling a person’s followers and following lists, enumerating gists, starred repos, and org memberships, and operating GraphQL queries towards public objects all return knowledge,” Datadog explains.
Requests towards these public paths generate HTTP 200 responses and no authentication failure alerts. Via regular API site visitors, an operator can use this to map a corporation, its members, and the initiatives they entry.
Since at the least October 2025, over 50 ghost accounts have been used to ship API site visitors as a part of the enumeration, normally in bursts of 1 to three weeks, throughout a number of organizations.
The accounts have been utilizing person brokers named to sound like knowledge exfiltration, analytics, or dashboard instruments. A lot of the requests have been focusing on GraphQL, whereas others have been aimed toward REST routes.
“By itself, this enumeration not often produces significant entry inside a corporation, fairly it’s carrying out reconnaissance,” Datadog notes.
One marketing campaign was additionally seen utilizing inadvertently uncovered tokens from reputable GitHub customers, focusing on non-public repository commit paths from dozens of reputable accounts over a window of a number of minutes.
In uncommon circumstances, the attackers moved past reconnaissance and efficiently exfiltrated knowledge from the focused organizations, Datadog says.
To detect this sort of malicious exercise, the cybersecurity agency notes, defenders ought to search for knowledge exfiltration from non-public repositories, and may verify logs for anomalous person agent conduct and for person agent naming and versioning in actions that attain non-public repositories.
“Person brokers, occasion exercise, and actor names are important clues to unauthorized exercise in your surroundings. It’s essential to know what regular appears to be like like in your surroundings. We advise enabling GitHub audit log streaming, baselining your person brokers, proactively menace looking, and creating detections distinctive to your GitHub group,” Datadog notes.
Associated: Community of 200 GitHub Repositories Used for Malware An infection
Associated: China, India-Linked Hackers Each Focused Identical Pakistani Police Drive
Associated: Okta Warns of Vishing Assaults Focusing on Microsoft 365 Prospects
Associated: Chinese language Framework Powers 200,000 Rip-off Websites








