Datadog Security Labs has identified several overlapping campaigns that systematically enumerate corporate GitHub organizations, repositories, and user accounts through the GitHub API. The attackers rely on automated scraping tooling using custom or legitimate-sounding user agents.
These operations leverage dormant GitHub 'ghost' accounts — profiles that are often years old — to blend in with normal traffic. Compromised OAuth tokens and personal access tokens are also being used to bypass API rate limits and avoid detection.
The campaigns represent a reconnaissance phase, likely precursors to targeted supply chain attacks or credential theft. By mapping organizational structure and repository access, attackers can identify high-value targets within corporate GitHub environments.
No immediate mitigations have been published by GitHub, but organizations are advised to audit active OAuth tokens, review API access logs for anomalous scraping patterns, and disable dormant accounts that are no longer in use. Monitoring for API calls from unfamiliar user agents or accounts with no recent contribution history is recommended.
The broader trend highlights how attackers increasingly exploit legitimate platform features and stale accounts to conduct low-and-slow reconnaissance. This technique allows them to operate under the radar for extended periods before launching more aggressive attack phases.