Dormant Accounts Fuel Stealthy GitHub Reconnaissance Campaigns
Threat actors are weaponizing years-old accounts to map organizational structures and probe sensitive repositories via the GitHub API.
Security researchers are currently tracking a sophisticated campaign that turns the very infrastructure intended for open-source collaboration into a landscape for intelligence gathering. By leveraging a network of long-dormant accounts, adversaries are executing systematic API queries to map out organizational hierarchies and repository ecosystems, blending their movements with the noise of legitimate traffic.
The Anatomy of Ghost Account Abuse
The campaign, which has been under observation for several months, relies on a strategic cache of ghost accounts. These profiles, originally registered two to five years ago, have been repurposed to bypass suspicion while conducting large-scale enumeration. By acting as seemingly established users, these accounts engage in automated scanning activities, often coordinating their efforts in distinct bursts lasting 1 to 3 weeks at a time.
“A large share of GitHub’s API surface is reachable without authentication. Listing an organization’s public repositories, walking a user’s followers and following lists, enumerating gists, starred repos, and org memberships, and running GraphQL queries against public objects all return data,” Datadog explains.
The attackers utilize a mix of GraphQL and REST routes, masking their activity with user agents designed to mimic standard analytics or data-handling dashboards. This approach ensures that their queries return standard HTTP 200 responses, effectively masquerading as routine background processes that fail to trigger traditional authentication alerts.
Escalation Beyond Public Reconnaissance
While the majority of this activity remains focused on publicly available data, the scope of the threat has occasionally widened to include more aggressive maneuvers. In some instances, the campaign has moved past simple data collection to successfully exfiltrate information from private repositories.
- 50 ghost accounts identified as participating in the enumeration.
- 2 to 5 years is the age range of the dormant accounts used.
- 1 to 3 weeks is the typical duration for activity bursts.
Researchers have also noted that the attackers are not strictly limited to public data paths. One notable campaign variant involved the use of exposed tokens from legitimate GitHub users. By leveraging these inadvertently leaked credentials, the operators were able to target commit paths within private repositories, turning a passive reconnaissance mission into a targeted breach.
Defending the Collaborative Perimeter
The primary challenge for organizations lies in the difficulty of distinguishing between standard developer workflows and automated enumeration. Because the attackers rely on native API functions, defenders must pivot to more granular behavioral analysis. This requires a transition from perimeter-based monitoring to a deeper understanding of what constitutes normal activity within a specific organization’s environment.
To mitigate the risk, experts recommend a robust approach to logging and visibility. Key measures include the proactive enabling of GitHub audit log streaming, which provides the raw data necessary for identifying anomalous user agent strings. By baselining typical agent versioning and activity patterns, security teams can develop custom detections that isolate suspicious enumeration attempts before they result in actual data exfiltration.
The broader implication for the industry is that the trust inherent in developer platforms is now a primary attack surface. As attackers refine their ability to blend into the background of public-facing API traffic, organizations that fail to treat their repository access logs with the same rigor as their production networks will remain vulnerable to this persistent, low-and-slow style of intelligence gathering.