Datadog Security Labs spotted a clever little reconnaissance play: attackers are using long-forgotten GitHub accounts and leaked tokens to quietly scrape company orgs without looking like total lunatics. Think less obvious-bad-guy, more sneaky-civilian at a conference who blends into the crowd while taking notes.

What’s happening

Rather than creating brand-new sockpuppets that scream “suspicious!”, the operators dust off old accounts that were created years ago and left idle. These so-called ghost accounts (sometimes legit-sounding names and harmless activity) are now being repurposed to call the GitHub API repeatedly across multiple organizations.

The attackers rely on a few simple ingredients:

  • Automated scanners with polished or convincing user agents that mimic real tools;
  • Stale accounts that were created 2–5 years ago and then re-used to blend in;
  • Compromised or accidentally exposed personal access tokens (PATs) and OAuth tokens from real users;
  • Use of GitHub’s unauthenticated API surface to pull public metadata without tripping basic auth checks.

Most individual requests look innocent — listing public repos, walking followers, or hitting GraphQL on public objects — but when dozens of accounts move in a coordinated way over weeks, a complete map of an org’s GitHub footprint emerges. In a few cases, operators didn’t stop at mapping and managed to clone a private repositories from targeted orgs.

Why it matters (and what you can do)

Why should you care? Even if only public data is taken, that information feeds targeted attacks: who’s on the team, what projects are active, which contributors have access to sensitive stuff, and what dependencies or code patterns exist. If attackers get a PAT or an OAuth token, they can pivot into private resources.

Quick, practical defenses — the kind you can do without calling in a wizard:

  • Audit tokens and OAuth apps regularly and revoke anything unused or suspicious;
  • Require least-privilege scopes for PATs and rotate them; avoid long-lived tokens where possible;
  • Remove or disable truly inactive accounts and enforce MFA for org members;
  • Monitor API traffic for coordinated patterns (many accounts hitting the same endpoints or the same orgs over time);
  • Limit third-party app access and review organization membership and team permissions;
  • Enable repository-level protections and monitor for unexpected clones or forks.

In short: the attack isn’t flashy — it’s the quiet, systematic kind that slowly builds intelligence. Make token hygiene, account cleanup, and activity monitoring standard operating procedure and you’ll take the shine off this blending-in trick.