Datadog Security Labs is sounding the alarm over a series of coordinated reconnaissance campaigns targeting corporate GitHub presences. According to the firm, threat actors are using automated tooling to systematically enumerate organizations, repositories, and individual user accounts through the GitHub API, gathering intelligence that could inform follow-on attacks.

Ghost Accounts and Stolen Tokens

A notable tactic in these campaigns is the use of so-called GitHub “ghost” accounts, dormant profiles that are often years old and therefore appear legitimate to automated detection systems. By operating through aged accounts with established history, attackers reduce the likelihood of triggering anomaly-based alerts that might flag newly created or obviously suspicious profiles.

In addition to ghost accounts, the campaigns also leverage compromised OAuth tokens and personal access tokens. These credentials allow attackers to authenticate against the GitHub API with what looks like normal user activity, further blending their reconnaissance into the noise of routine developer traffic.

Custom and Legitimate-Sounding User Agents

The scraping tooling deployed in these campaigns is configured to use custom or plausible-sounding user agent strings. This detail suggests operators are deliberately attempting to mimic legitimate API clients, making it harder for GitHub and enterprise security teams to distinguish malicious traffic from normal tooling interactions.

Implications for Enterprise Security

For organizations with a GitHub presence, systematic enumeration of their repositories and user accounts represents a meaningful intelligence-gathering risk. Exposed contributor lists, internal repository names, and organizational structure can all inform phishing campaigns, supply chain attacks, or targeted credential theft efforts.

Security teams are advised to audit their GitHub organization’s visibility settings, review which repositories are public versus private, and monitor for unexpected API access patterns tied to OAuth applications or personal access tokens. Rotating tokens that may have been exposed and enforcing organization-level access controls are practical near-term mitigations.

Datadog’s findings underscore a broader trend of attackers treating developer platforms as reconnaissance targets rather than purely as delivery mechanisms for malicious code.