Ethical Hacking News
Dormant GitHub Accounts Used as Pawns in Sophisticated Attack Campaigns to Map Corporate Orgs: According to Datadog Security Labs, attackers are using dormant 'ghost' accounts and compromised OAuth tokens to enumerate corporate GitHub organizations, repositories, and user accounts. This campaign poses a significant threat to corporate GitHub organizations, allowing attackers to conduct reconnaissance and map out an organization's GitHub-related activity.
A sophisticated attack campaign is leveraging dormant GitHub accounts, custom tooling, and compromised OAuth tokens to enumerate corporate GitHub organizations, repositories, and user accounts. The attackers are utilizing dormant "ghost" accounts that were created two to five years ago and left inactive for extended periods of time. The attackers employ a mix of automated scanner tools, over 50 dormant accounts, and dozens of legitimate accounts whose personal access tokens (PATs) have been exposed unintentionally or compromised. The attack campaign primarily targets public data, but select instances have successfully cloned private repositories within corporate organizations. Corporate GitHub organizations need to take proactive measures to secure their repositories and user accounts against such attacks. Robust security controls, including monitoring API activity for suspicious behavior, implementing strong password policies, and using two-factor authentication for access tokens, can minimize the risk of falling victim to these types of attacks.
Threat Intelligence News Platform The Hacker News has been sounding the alarm about a sophisticated attack campaign that leverages dormant GitHub accounts, custom tooling, and compromised OAuth tokens to enumerate corporate GitHub organizations, repositories, and user accounts. In an effort to avoid raising red flags, attackers are utilizing dormant "ghost" accounts that were created two to five years ago and left inactive for extended periods of time.
According to Julie Agnes Sparks, senior security engineer at Datadog Security Labs, the attackers are employing a mix of automated scanner tools, over 50 dormant accounts, and dozens of legitimate accounts whose personal access tokens (PATs) have been exposed unintentionally or compromised. The technique used by these attackers is strategic as it aims to avoid detection by passing off the activity as legitimate.
The campaign primarily targets public data, but select instances have successfully cloned private repositories within corporate organizations. This information can be used by threat actors for reconnaissance and mapping out an organization's GitHub-related activity, including its public repositories, members, who those members follow, and which projects they modify.
Datadog Security Labs has confirmed data access in a few scenarios where attackers took steps to clone a private repository belonging to a single organization. The concern lies in the aggregate: a group of accounts moving in sync across companies' GitHub organizations with versioned custom tooling iterating over weeks, and in the worst case, actors that stopped enumerating and started cloning.
Most of these requests are unremarkable as they hit public endpoints, authenticate cleanly or not at all, and return successful responses. However, the aggregate impact of these activities is what poses a significant threat to corporate GitHub organizations. The attackers use automated scraping tooling with custom or legitimate-sounding user agents, leveraging GitHub 'ghost' accounts that were left inactive for extended periods of time or compromised OAuth tokens and personal access tokens (PATs) from legitimate users.
The technique employed by the attackers is strategic as it aims to avoid raising any red flags and pass off the activity as legitimate. This approach allows them to blend in with normal API usage, making it difficult to detect their activities. The information gathered through these activities can be used for reconnaissance and mapping out an organization's GitHub-related activity.
The campaign employs a mix of automated scanner tools, over 50 dormant accounts, and dozens of legitimate accounts whose personal access tokens (PATs) have been exposed unintentionally or compromised. This combination allows the attackers to systematically enumerate corporate GitHub organizations, repositories, and user accounts with precision and speed.
Threat actors can use this information for reconnaissance and mapping out an organization's GitHub-related activity, including its public repositories, members, who those members follow, and which projects they modify. The attack campaign poses a significant threat to corporate GitHub organizations, as it allows attackers to conduct reconnaissance and programmatically map out an organization's GitHub-related activity.
The aggregate impact of these activities is what poses a significant threat to corporate GitHub organizations. A group of accounts moving in sync across companies' GitHub organizations with versioned custom tooling iterating over weeks, and in the worst case, actors that stopped enumerating and started cloning. Individually, most of these requests are unremarkable as they hit public endpoints, authenticate cleanly or not at all, and return successful responses.
The concern lies in the aggregate: a group of accounts moving in sync across companies' GitHub organizations with versioned custom tooling iterating over weeks, and in the worst case, actors that stopped enumerating and started cloning. This highlights the need for corporate GitHub organizations to take proactive measures to secure their repositories and user accounts against such attacks.
To protect against these types of attacks, it is essential for corporate GitHub organizations to implement robust security controls, including monitoring API activity for suspicious behavior, implementing strong password policies, and using two-factor authentication for access tokens. By taking these precautions, corporations can minimize the risk of falling victim to sophisticated attack campaigns like this one.
Related Information:
https://www.ethicalhackingnews.com/articles/Dormant-GitHub-Accounts-Used-as-Pawns-in-Sophisticated-Attack-Campaigns-to-Map-Corporate-Orgs-ehn.shtml
https://thehackernews.com/2026/07/dormant-github-accounts-help-attackers.html
https://vulners.com/thn/THN:88B5E6F6F39114853CA9702A643BE994
Published: Thu Jul 9 14:17:13 2026 by llama3.2 3B Q4_K_M