GitHub API Abuse, ‘Ghost’ Accounts Part of Malicious Efforts to Map Organizations
TL;DR — Key Takeaways
- Coordinated threat campaigns are quietly targeting GitHub organizations using the platform’s API and dormant “ghost” accounts to map developers, repositories, and projects.
- Most activity looks legitimate, making it difficult to detect. Attackers often use public API endpoints, clean authentication, or no authentication at all.
- Ghost accounts help attackers blend in. More than 50 long-dormant GitHub accounts were reactivated after 2–5 years to evade suspicion while conducting reconnaissance.
A cluster of coordinated and overlapping campaigns that have been running for several months is abusing GitHub’s API and leveraging dozens of “ghost” accounts that have been dormant for years to map organizations and their developers.
Many of the operations are using the API to scrape public information; some have gone further, including cloning private repositories, compromising users’ tokens, and, in one case, exfiltrating data from a private repository, according to researchers with Datadog.
The campaigns are not the result of a single bad actor, but what Julie Agnes Sparks, senior security engineer with Datadog, described as a “blend of custom automated scanner tools, opportunistic abuse of leaked credentials, and coordinated networks of burner (ghost) accounts.”
“Individually, most of these requests are unremarkable,” Sparks wrote. “They hit public endpoints, authenticate cleanly or not at all, and return successful responses. The concern lies in the aggregate: a group of accounts moving in sync across companies’ GitHub organizations with versioned custom tooling iterating over weeks, and in the worst case, actors that stopped enumerating and started cloning.”
Threat to Public Repositories
In the larger context, the coordinated campaigns are another example of how threat groups are increasingly targeting developer environments by compromising the code repositories – like GitHub, npm, and the Python Package Index (PyPI) – they rely on. Fortran noted that GitHub has become the “standard for version control and collaborative software development,” given that it hosts more than 420 million repositories and serves more than 150 million developers around the globe.
The threat is only growing. According to Jacob Malimban, cyber analyst with Cofense, the number of malicious campaigns against Git repositories has grown every year since 2021 – with almost 50% of the abuse during that time period happening in 2025 – primarily for credential phishing or to deliver malware.
Cofense found that 95% of the campaigns targeted GitHub, with 5% abusing GitLab. In addition, 58% delivered credential phishing, with the other 42% bringing malware.
No Authentication Needed
According to Datadog’s Sparks, much of what’s available through GitHub’s API can be reached without authentication. That includes an organization’s public repositories, its users’ followers and following lists, starred repositories, and organizational memberships. Likewise, running GraphQL queries against public objects can also bring in data. Given that all of these pathways are public, there’s no alert regarding authentication.
“An operator can build a detailed map of an organization, such as its public repositories, its members, who those members follow, and which projects they touch, entirely from public data,” she wrote. “This traffic blends into normal API usage.”
Another challenge is that with external resources, GitHub doesn’t collect geolocation data for events, which limits attribution based on where the signal is coming from and the VPN or proxy used. That said, the logs do record the GitHub actor that makes the request and the kind of access tokens they use.
The Use of Ghost Accounts
Another way the campaigns are keeping under the radar is through the use of ghost accounts. Datadog found more than 50 such accounts being used by the bad actors that have been left dormant for anywhere from two to five years before being activated to send API traffic to multiple organizations. Sparks noted that an account that’s existed for multiple years often is considered more legitimate than one registered the same week it begins scraping data.
The threat actors tend to use the ghost accounts for one to three weeks before their use ends. While in use, the accounts are given a mixture of names, from GitHub-Company-Scraper and GitHub-Scraper-Tool/1.0 to more benign-sounding names such as GitHubAnalytics/1.5.
Most of them target GraphQL, an open-source query language for APIs, while others look to REST, which Sparks said is what’s expected when talking about mapping organizations. It won’t give abusers access, but it will allow for reconnaissance.
Exposed Personal Tokens
Some campaigns used personal account tokens (PATs) exposed by users who posted them accidentally or had their systems compromised. One campaign between December and January used three stolen tokens from a progression of the same user agents and ran its infrastructure on a hosting provider, 3xK Tech, which has been the subject of several abuse reports.
“Dozens of distinct legitimate GitHub user accounts made API requests to a single organization within a window of only a few minutes,” Sparks wrote. “Their requests targeted private repository commit paths, and in this campaign, the attempts failed. The functional focus of this campaign was narrow and consistent: listing organization repositories, fetching commits, and probing private repository paths.”
There were a handful of cases in which campaigns were able to access data. In one, a user agent with the handle “repo-dumper” exfiltrated data from a private repository using a mix of Git cloning and API requests.
Keep an Eye on Indicators
Sparks wrote that among the indications of unauthorized activity in an organization’s environment are user agents, event activity, and actor names. Datadog researchers are detecting a rise in legitimate vibe-coded or custom tools that have names similar to user agents they’ve identified.
“It’s important to know what normal looks like in your environment,” Sparks wrote. “We suggest enabling GitHub audit log streaming, baselining your user agents, proactively threat hunting, and developing detections unique to your GitHub organization.”
Frequently Asked Questions
What are GitHub “ghost” accounts?
Ghost accounts are legitimate GitHub accounts that have remained inactive for years before being reactivated by attackers. Because they have an established history, they appear more trustworthy than newly created accounts, helping threat actors avoid detection while conducting reconnaissance.
Can attackers gather valuable information without compromising an account?
Yes. GitHub’s public API exposes information such as public repositories, organization members, repository stars, and developer relationships without requiring authentication. Attackers can use this data to build detailed maps of an organization’s development environment before attempting more targeted attacks.
How can organizations defend against these campaigns?
Organizations should enable GitHub audit log streaming, monitor for unusual API activity and unfamiliar user agents, regularly rotate and protect personal access tokens (PATs), and proactively hunt for suspicious account behavior that deviates from normal GitHub usage patterns.