Full Report
Datadog Security Labs is warning of "several overlapping campaigns" that are systematically enumerating corporate GitHub organizations, repositories, and user accounts through the GitHub API. "Operators rely on automated scraping tooling with custom or legitimate-sounding user agents, leveraging GitHub 'ghost' accounts that are often years old, or compromised OAuth tokens and personal
Analysis Summary
# Tool/Technique: Ghost Account API Enumeration
## Overview
This technique involves the systematic enumeration and reconnaissance of corporate GitHub environments using a fleet of "ghost" accounts—dormant user profiles created years in advance. Threat actors leverage these accounts alongside compromised credentials to map out organizational structures, repositories, and user relationships via the GitHub API, occasionally escalating to the theft of private source code.
## Technical Details
- **Type**: Technique / Reconnaissance Framework
- **Platform**: GitHub (SaaS)
- **Capabilities**: Automated API scraping, organizational mapping, private repository cloning, and credential reuse.
- **First Seen**: Reported in detail July 2026 (Datadog Security Labs).
## MITRE ATT&CK Mapping
- **[TA0043 - Reconnaissance]**
- [T1589.002 - Gather Victim Identity Information: Email Addresses / Usernames]
- [T1592.004 - Gather Victim Asset Information: Software (Code repositories)]
- **[TA0001 - Initial Access]**
- [T1566.002 - Phishing: Spearphishing Link (potential source of PATs)]
- [T1078 - Valid Accounts]
- **[TA0007 - Discovery]**
- [T1087.004 - Account Discovery: Cloud Account]
## Functionality
### Core Capabilities
- **Legacy Account Utilization**: Leveraging ~50 "ghost" accounts created 2-5 years ago to bypass "new account" velocity alerts and reputation filters.
- **API Enumeration**: Programmatic scraping of public endpoints to list organization repositories, gists, and starred projects.
- **Social Graph Mapping**: Walking "Follower" and "Following" lists to identify key developers and their internal influence.
- **Credential Exploitation**: Utilizing compromised OAuth tokens and Personal Access Tokens (PATs) unintentionally exposed or stolen from legitimate users.
### Advanced Features
- **GraphQL Targeting**: Running complex GraphQL queries against public objects to extract bulk data more efficiently than standard REST API calls.
- **Authenticated Enumeration**: Transitioning from unauthenticated scraping to authenticated access to clone private repositories.
- **Custom User Agents**: Employing automated tooling with legitimate-sounding or versioned custom User-Agent strings to blend with developer traffic.
## Indicators of Compromise
- **File Hashes**: N/A (Cloud-based activity).
- **File Names**: N/A.
- **Registry Keys**: N/A.
- **Network Indicators**:
- API requests originating from unexpected IP geolocations relative to known employees.
- User-Agent strings indicating custom scraping frameworks or mismatched tool versions.
- **Behavioral Indicators**:
- A sudden spike in API activity from accounts that were dormant for 2+ years.
- "Lockstep" behavior: Multiple accounts iterating through the same organizations or repositories in a coordinated timeframe.
- Excessive calls to `/users/{user}/followers` or GraphQL endpoints across multiple distinct corporate orgs.
## Associated Threat Actors
- **Unknown**: Multiple overlapping campaigns suggest various actors or a shared toolset/service (Access Brokerage or Recon-as-a-Service).
## Detection Methods
- **Behavioral Detection**: Monitor GitHub Audit Logs for `repository.clone`, `org.add_member`, and API token usage patterns that deviate from established developer baselines.
- **Account Age Analysis**: Correlate high-volume API activity with the "Last Active" timestamp vs. "Account Created" date.
- **API Pattern Recognition**: Detect coordinated scraping where different accounts request the same series of endpoints (Public repos -> Members -> Followers) across a short interval.
## Mitigation Strategies
- **Prevention Measures**: Implement strict "IP Allow Lists" for GitHub Enterprise to ensure tokens can only be used from trusted networks.
- **Hardening Recommendations**:
- Enforce short-lived, fine-grained Personal Access Tokens (PATs) instead of classic tokens.
- Regularly audit and revoke inactive or "orphaned" OAuth applications and PATs.
- Enable Secret Scanning to prevent the accidental commit of tokens to public or private repos.
## Related Tools/Techniques
- **GitHub Scrapers**: (e.g., Trufflehog, Gitrob) - Similar in intent but often used for secret hunting rather than org-wide mapping.
- **OAuth App Phishing**: A precursor technique used to obtain the tokens required for this activity.