Datadog Security Labs spotted a clever little reconnaissance play: attackers are using long-forgotten GitHub accounts and leaked tokens to quietly scrape company orgs without looking like total lunatics. Think less obvious-bad-guy, more sneaky-civilian at a conference who blends into the crowd while taking notes.
What’s happening
Rather than creating brand-new sockpuppets that scream “suspicious!”, the operators dust off old accounts that were created years ago and left idle. These so-called ghost accounts (sometimes legit-sounding names and harmless activity) are now being repurposed to call the GitHub API repeatedly across multiple organizations.
The attackers rely on a few simple ingredients:
- Automated scanners with polished or convincing user agents that mimic real tools;
- Stale accounts that were created 2–5 years ago and then re-used to blend in;
- Compromised or accidentally exposed personal access tokens (PATs) and OAuth tokens from real users;
- Use of GitHub’s unauthenticated API surface to pull public metadata without tripping basic auth checks.
Most individual requests look innocent — listing public repos, walking followers, or hitting GraphQL on public objects — but when dozens of accounts move in a coordinated way over weeks, a complete map of an org’s GitHub footprint emerges. In a few cases, operators didn’t stop at mapping and managed to clone a private repositories from targeted orgs.
Why it matters (and what you can do)
Why should you care? Even if only public data is taken, that information feeds targeted attacks: who’s on the team, what projects are active, which contributors have access to sensitive stuff, and what dependencies or code patterns exist. If attackers get a PAT or an OAuth token, they can pivot into private resources.
Quick, practical defenses — the kind you can do without calling in a wizard:
- Audit tokens and OAuth apps regularly and revoke anything unused or suspicious;
- Require least-privilege scopes for PATs and rotate them; avoid long-lived tokens where possible;
- Remove or disable truly inactive accounts and enforce MFA for org members;
- Monitor API traffic for coordinated patterns (many accounts hitting the same endpoints or the same orgs over time);
- Limit third-party app access and review organization membership and team permissions;
- Enable repository-level protections and monitor for unexpected clones or forks.
In short: the attack isn’t flashy — it’s the quiet, systematic kind that slowly builds intelligence. Make token hygiene, account cleanup, and activity monitoring standard operating procedure and you’ll take the shine off this blending-in trick.