Dormant GitHub Accounts Used to Map Organizations in Reconnaissance Campaigns

Threat actors have been using long-dormant GitHub accounts to automate reconnaissance against organizations, according to research from Datadog. The activity has continued for months and involves effo...

Threat actors have been using long-dormant GitHub accounts to automate reconnaissance against organizations, according to research from Datadog. The activity has continued for months and involves efforts to catalog public repositories, organization members, user relationships, and other information available through GitHub’s API.

Datadog identified more than 50 so-called ghost accounts participating in the activity since at least October 2025. The accounts were generally created between two and five years ago, then remained inactive before being used in bursts lasting roughly one to three weeks. Multiple overlapping campaigns were observed, with traffic directed at both GitHub’s GraphQL and REST interfaces.

Many of the requests used user-agent names that appeared to reference analytics, dashboards, or data collection tools. Because much of the targeted API functionality exposes public information and returns successful responses without authentication, the traffic can resemble legitimate application activity. Attackers can use these requests to build an inventory of an organization’s projects, members, repositories, followers, starred content, gists, and other public relationships.

Limited access, valuable intelligence

Datadog said the enumeration generally does not provide direct access to protected organizational resources. Instead, it gives attackers a broad view of an organization’s development ecosystem and may help identify targets for later intrusion attempts.

In one related campaign, operators used tokens that had been inadvertently exposed by legitimate GitHub users. The credentials were used to query private repository commit paths associated with dozens of accounts within minutes. Although such activity was uncommon, Datadog reported cases in which attackers progressed beyond mapping and successfully removed data from private repositories.

Organizations should review GitHub activity for unusual access to private repositories, unexpected repository cloning, and bursts of API requests from unfamiliar or misleading user agents. Security teams should also examine the names and version patterns associated with clients performing sensitive actions.

Datadog recommends enabling GitHub audit-log streaming, establishing baselines for normal user-agent and API behavior, and conducting proactive threat hunts. Custom detections tailored to each organization can help distinguish authorized automation from coordinated reconnaissance and potential data theft.