VYPR
researchPublished Jul 9, 2026· 1 source

Attackers Exploit Dormant GitHub Accounts for Corporate Reconnaissance

Threat actors are using old, inactive GitHub accounts and compromised tokens to map out corporate organizations and repositories via the GitHub API, raising concerns about supply chain security.

Security researchers at Datadog Security Labs have identified a concerning trend where threat actors are systematically enumerating corporate GitHub organizations, repositories, and user accounts. This reconnaissance is primarily conducted by leveraging the GitHub API, with attackers employing automated scraping tools designed to blend in with legitimate traffic. The technique involves using "ghost" accounts – dormant GitHub accounts that have been inactive for years – or compromised OAuth tokens and personal access tokens (PATs) from legitimate users.

The primary objective of these overlapping campaigns is to map out targets for potential future attacks. While much of the activity focuses on publicly accessible data, there have been confirmed instances where attackers successfully cloned private repositories. This indicates a progression beyond simple information gathering, posing a significant risk to intellectual property and sensitive codebases. The use of long-dormant accounts is a strategic choice, as it helps attackers evade detection by appearing as normal, albeit infrequent, API users, rather than immediately suspicious new accounts.

Datadog noted that a substantial portion of GitHub's API endpoints are accessible without authentication, allowing attackers to gather extensive information without needing to compromise accounts directly. This includes details such as an organization's public repositories, user follower lists, gists, starred repositories, and organization memberships. By programmatically querying these endpoints, attackers can build a detailed picture of an organization's GitHub footprint, including its structure, members, and development activities.

The campaign's sophistication lies in its scale and coordination. Attackers are utilizing a mix of automated scanning tools alongside over 50 dormant accounts and dozens of compromised legitimate accounts. The dormant accounts, some created two to five years prior, are weaponized to issue API traffic across multiple organizations, making the activity appear less anomalous. This deliberate tactic aims to bypass security alerts that might flag new or unusually active accounts.

"Individually, most of these requests are unremarkable. They hit public endpoints, authenticate cleanly or not at all, and return successful responses," Datadog stated. "The concern lies in the aggregate: a group of accounts moving in sync across companies' GitHub organizations with versioned custom tooling iterating over weeks, and in the worst case, actors that stopped enumerating and started cloning."

This method of reconnaissance is particularly insidious because it exploits the inherent openness of developer platforms and the common practice of using API tokens. The exposure of PATs, whether through accidental leaks or other compromise methods, provides attackers with legitimate credentials that can be used to access sensitive data, including private repositories. The ability to clone private code is a critical threat to software supply chain security, potentially exposing proprietary code, secrets, or vulnerabilities.

The findings highlight a growing need for organizations to closely monitor their GitHub activity, secure API tokens, and implement robust access controls. The use of dormant accounts and compromised credentials underscores the persistent threat to supply chain integrity and the importance of vigilant security practices within development environments. As attackers refine their techniques, defenders must adapt to detect and mitigate these stealthy reconnaissance operations.

Synthesized by Vypr AI