Security researchers at Datadog have uncovered a sprawling reconnaissance campaign in which threat actors are abusing the GitHub API to map out organizations, repositories, and user accounts at scale. The activity has been running for several months and spans multiple overlapping operations that rely on dormant “ghost” accounts, automated scanners, and leaked credentials.
According to Datadog, the accounts used in the campaign were registered anywhere from two to five years ago but sat inactive until being activated for API abuse. Since at least October 2025, more than 50 of these ghost accounts have generated bursts of API traffic lasting one to three weeks against multiple organizations, with most requests hitting GraphQL endpoints and others targeting REST routes.
Public Data, Quiet Abuse
The campaign exploits the fact that a large portion of GitHub’s API surface is accessible without authentication. Attackers can list an organization’s public repositories, walk a user’s followers and following lists, enumerate gists and starred repos, check org memberships, and run GraphQL queries against public objects, all without triggering an authentication failure. Because these requests return standard HTTP 200 responses, they blend into normal traffic and generate no obvious error signals.
Datadog notes that the accounts involved used user agents crafted to resemble legitimate data exfiltration, analytics, or dashboard tools, likely as an attempt to disguise the traffic as routine business activity.
From Recon to Real Access
On its own, this enumeration typically does not grant meaningful access inside an organization, Datadog says, but functions purely as reconnaissance. However, one campaign went further, using inadvertently exposed tokens from legitimate GitHub users to target private repository commit paths across dozens of accounts within a window of just several minutes. In rare instances, attackers moved beyond scanning and successfully exfiltrated data from targeted organizations.
Detection Guidance
Datadog recommends defenders watch for signs of data exfiltration from private repositories and scrutinize logs for anomalous user agent behavior, particularly unusual naming or versioning patterns in actions that reach private repos. The firm advises enabling GitHub audit log streaming, establishing a baseline of normal user agent activity, and proactively threat hunting to build detections tailored to an organization’s specific GitHub environment.
