Skip to main content

GitHub API Abuse, ‘Ghost’ Accounts Part of Malicious Efforts to Map Organizations

GitHub
GitHub

A cluster of coordinated and overlapping campaigns that have been running for several months is abusing GitHub’s API and leveraging dozens of “ghost” accounts that have been dormant for years to map organizations and their developers.

Many of the operations are using the API to scrape public information; some have gone further, including cloning private repositories, compromising users’ tokens, and, in one case, exfiltrating data from a private repository, according to researchers with Datadog.

The campaigns are not the result of a single bad actor, but what Julie Agnes Sparks, senior security engineer with Datadog, described as a “blend of custom automated scanner tools, opportunistic abuse of leaked credentials, and coordinated networks of burner (ghost) accounts.”

“Individually, most of these requests are unremarkable,” Sparks wrote. “They hit public endpoints, authenticate cleanly or not at all, and return successful responses. The concern lies in the aggregate: a group of accounts moving in sync across companies’ GitHub organizations with versioned custom tooling iterating over weeks, and in the worst case, actors that stopped enumerating and started cloning.”

Threat to Public Repositories

In the larger context, the coordinated campaigns are another example of how threat groups are increasingly targeting developer environments by compromising the code repositories – like GitHub, npm, and the Python Package Index (PyPI) – they rely on. Fortran noted that GitHub has become the “standard for version control and collaborative software development,” given that it hosts more than 420 million repositories and serves more than 150 million developers around the globe.

The threat is only growing. According to Jacob Malimban, cyber analyst with Cofense, the number of malicious campaigns against Git repositories has grown every year since 2021 – with almost 50% of the abuse during that time period happening in 2025 – primarily for credential phishing or to deliver malware.

Cofense found that 95% of the campaigns targeted GitHub, with 5% abusing GitLab. In addition, 58% delivered credential phishing, with the other 42% bringing malware.

No Authentication Needed

According to Datadog’s Sparks, much of what’s available through GitHub’s API can be reached without authentication. That includes an organization’s public repositories, its users’ followers and following lists, starred repositories, and organizational memberships. Likewise, running GraphQL queries against public objects can also bring in data. Given that all of these pathways are public, there’s no alert regarding authentication.

“An operator can build a detailed map of an organization, such as its public repositories, its members, who those members follow, and which projects they touch, entirely from public data,” she wrote. “This traffic blends into normal API usage.”

Another challenge is that with external resources, GitHub doesn’t collect geolocation data for events, which limits attribution based on where the signal is coming from and the VPN or proxy used. That said, the logs do record the GitHub actor that makes the request and the kind of access tokens they use.

The Use of Ghost Accounts

Another way the campaigns are keeping under the radar is through the use of ghost accounts. Datadog found more than 50 such accounts being used by the bad actors that have been left dormant for anywhere from two to five years before being activated to send API traffic to multiple organizations. Sparks noted that an account that’s existed for multiple years often is considered more legitimate than one registered the same week it begins scraping data.

The threat actors tend to use the ghost accounts for one to three weeks before their use ends. While in use, the accounts are given a mixture of names, from GitHub-Company-Scraper and GitHub-Scraper-Tool/1.0 to more benign-sounding names such as GitHubAnalytics/1.5.

Most of them target GraphQL, an open-source query language for APIs, while others look to REST, which Sparks said is what’s expected when talking about mapping organizations. It won’t give abusers access, but it will allow for reconnaissance.

Exposed Personal Tokens

Some campaigns used personal account tokens (PATs) exposed by users who posted them accidentally or had their systems compromised. One campaign between December and January used three stolen tokens from a progression of the same user agents and ran its infrastructure on a hosting provider, 3xK Tech, which has been the subject of several abuse reports.

“Dozens of distinct legitimate GitHub user accounts made API requests to a single organization within a window of only a few minutes,” Sparks wrote. “Their requests targeted private repository commit paths, and in this campaign, the attempts failed. The functional focus of this campaign was narrow and consistent: listing organization repositories, fetching commits, and probing private repository paths.”

There were a handful of cases in which campaigns were able to access data. In one, a user agent with the handle “repo-dumper” exfiltrated data from a private repository using a mix of Git cloning and API requests.

Keep an Eye on Indicators

Sparks wrote that among the indications of unauthorized activity in an organization’s environment are user agents, event activity, and actor names. Datadog researchers are detecting a rise in legitimate vibe-coded or custom tools that have names similar to user agents they’ve identified.

“It’s important to know what normal looks like in your environment,” Sparks wrote. “We suggest enabling GitHub audit log streaming, baselining your user agents, proactively threat hunting, and developing detections unique to your GitHub organization.”



from DevOps.com https://ift.tt/hw0o41J

Comments

Popular posts from this blog

Shift Left to the Developer’s Machine: Building Local Git Security Gates 

A developer pushes one file. It contains an AWS access key left in a configuration block. Five minutes later, CI catches it. By then, the secret is in the remote repository, cached by mirrors and potentially forked. The developer rotates the key, scrubs the commit history and spends the rest of the afternoon on incident response. The real question isn’t how to clean up faster — it’s why the secret left the developer’s machine in the first place.   The Five-Minute Gap   Most engineering teams have invested in CI-based secret scanning . Tools such as GitHub Advanced Security, GitGuardian and TruffleHog’s CI integration catch leaked credentials in pull requests and pushed branches. This is good, but it’s also too late.   The GitGuardian 2026 State of Secrets Sprawl report found that 29 million secrets were detected on GitHub in 2025 alone — a 34% year-over-year increase and the largest single-year jump ever recorded. Worse, 64% of secrets leaked back in 202...

Cloudbees Is A Launch Partner For Google Cloud Run As Product Goes Ga

Industry Leaders Collaborate to Offer Streamlined Deployment of Containerized Applications, Better Access to CloudBees Solutions on Google Cloud Platform Marketplace   GOOGLE CLOUD NEXT, LONDON AND SAN JOSE, CA. – November 20, 2019 – CloudBees, the enterprise DevOps leader powering the continuous economy, today announced an extension of its partnership with Google. As a Google […] The post Cloudbees Is A Launch Partner For Google Cloud Run As Product Goes Ga appeared first on DevOps.com . from DevOps.com https://ift.tt/2XuFTxc

Why Endpoint Protection Matters More than Ever in CI/CD Environments

CI/CD environments depend on far more than repositories and deployment infrastructure. Developer endpoints hold sensitive data: cloud credentials, SSH keys, deployment permissions, direct access to internal systems. Endpoint security and control are part of daily operational risk management. Engineering teams are shifting more and more toward distributed workflows, so discussions around CI/CD security include the security posture of the devices connected to the pipeline. Many organizations already focus their CI/CD security efforts on secrets management , dependency scanning and supply chain controls. However, advanced endpoint security solutions are also relevant in cloud-native development environments, where local devices maintain direct access to production workflows. Endpoint Compromise Can Bypass Mature CI/CD Controls CI/CD security discussions mostly focus on repositories, containers, infrastructure, and deployment automation. Developer endpoints are often overlooked as a par...