{"id":4578,"date":"2026-07-14T07:12:39","date_gmt":"2026-07-14T07:12:39","guid":{"rendered":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/2026\/07\/14\/github-api-abuse-ghost-accounts-part-of-malicious-efforts-to-map-organizations\/"},"modified":"2026-07-14T07:12:39","modified_gmt":"2026-07-14T07:12:39","slug":"github-api-abuse-ghost-accounts-part-of-malicious-efforts-to-map-organizations","status":"publish","type":"post","link":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/2026\/07\/14\/github-api-abuse-ghost-accounts-part-of-malicious-efforts-to-map-organizations\/","title":{"rendered":"GitHub API Abuse, \u2018Ghost\u2019 Accounts Part of Malicious Efforts to Map Organizations"},"content":{"rendered":"<div><img data-opt-id=1526848195  fetchpriority=\"high\" decoding=\"async\" width=\"770\" height=\"330\" src=\"https:\/\/devops.com\/wp-content\/uploads\/2026\/07\/Untitled-design-2026-07-14T085457.427.jpg\" class=\"attachment-large size-large wp-post-image\" alt=\"GitHub\" \/><\/div>\n<p><img data-opt-id=1885928385  fetchpriority=\"high\" decoding=\"async\" width=\"150\" height=\"150\" src=\"https:\/\/devops.com\/wp-content\/uploads\/2026\/07\/Untitled-design-2026-07-14T085457.427-150x150.jpg\" class=\"attachment-thumbnail size-thumbnail wp-post-image\" alt=\"GitHub\" \/><\/p>\n<p>A cluster of coordinated and overlapping campaigns that have been running for several months is abusing GitHub\u2019s API and leveraging dozens of \u201cghost\u201d accounts that have been dormant for years to map organizations and their developers.<\/p>\n<p>Many of the operations are using the API to scrape public information; some have gone further, including cloning private repositories, compromising users\u2019 tokens, and, in one case, exfiltrating data from a private repository, according to researchers with Datadog.<\/p>\n<p>The campaigns are not the result of a single bad actor, but what Julie Agnes Sparks, senior security engineer with Datadog, <a href=\"https:\/\/securitylabs.datadoghq.com\/articles\/coordinated-github-api-enumeration\/\" target=\"_blank\" rel=\"noopener\">described<\/a> as a \u201cblend of custom automated scanner tools, opportunistic abuse of leaked credentials, and coordinated networks of burner (ghost) accounts.\u201d<\/p>\n<p>\u201cIndividually, most of these requests are unremarkable,\u201d Sparks wrote. \u201cThey hit public endpoints, authenticate cleanly or not at all, and return successful responses. The concern lies in the aggregate: a group of accounts moving in sync across companies\u2019 GitHub organizations with versioned custom tooling iterating over weeks, and in the worst case, actors that stopped enumerating and started cloning.\u201d<\/p>\n<h3>Threat to Public Repositories<\/h3>\n<p>In the larger context, the coordinated campaigns are another example of how threat groups are increasingly <a href=\"https:\/\/devops.com\/gitlost-flaw-lets-attackers-trick-github-ai-agent-into-leaking-private-repos\/\">targeting developer environments<\/a> by compromising the code repositories \u2013 like <a href=\"https:\/\/devops.com\/critical-microsoft-github-flaw-highlights-dangers-to-ci-cd-pipelines-tenable\/\" target=\"_blank\" rel=\"noopener\">GitHub<\/a>, <a href=\"https:\/\/devops.com\/shai-hulud-clone-miasma-compromises-32-red-hat-npm-packages\/\">npm<\/a>, and the Python Package Index (PyPI) \u2013 they rely on. Fortran noted that GitHub has become the \u201cstandard for version control and collaborative software development,\u201d given that it <a href=\"https:\/\/www.fortra.com\/blog\/common-github-data-security-risks-explained\" target=\"_blank\" rel=\"noopener\">hosts more than 420 million repositories<\/a> and serves more than 150 million developers around the globe.<\/p>\n<p>The threat is only growing. According to Jacob Malimban, cyber analyst with Cofense, the number of malicious campaigns against Git repositories <a href=\"https:\/\/cofense.com\/blog\/the-growing-abuse-of-github-and-gitlab-in-phishing-campaigns#coderepo\" target=\"_blank\" rel=\"noopener\">has grown every year since 2021<\/a> \u2013 with almost 50% of the abuse during that time period happening in 2025 \u2013 primarily for credential phishing or to deliver malware.<\/p>\n<p>Cofense found that 95% of the campaigns targeted GitHub, with 5% abusing GitLab. In addition, 58% delivered credential phishing, with the other 42% bringing malware.<\/p>\n<h3>No Authentication Needed<\/h3>\n<p>According to Datadog\u2019s Sparks, much of what\u2019s available through GitHub\u2019s API can be reached without authentication. That includes an organization\u2019s public repositories, its users\u2019 followers and following lists, starred repositories, and organizational memberships. Likewise, running GraphQL queries against public objects can also bring in data. Given that all of these pathways are public, there\u2019s no alert regarding authentication.<\/p>\n<p>\u201cAn operator can build a detailed map of an organization, such as its public repositories, its members, who those members follow, and which projects they touch, entirely from public data,\u201d she wrote. \u201cThis traffic blends into normal API usage.\u201d<\/p>\n<p>Another challenge is that with external resources, GitHub doesn\u2019t collect geolocation data for events, which limits attribution based on where the signal is coming from and the VPN or proxy used. That said, the logs do record the GitHub actor that makes the request and the kind of access tokens they use.<\/p>\n<h3>The Use of Ghost Accounts<\/h3>\n<p>Another way the campaigns are keeping under the radar is through the use of ghost accounts. Datadog found more than 50 such accounts being used by the bad actors that have been left dormant for anywhere from two to five years before being activated to send API traffic to multiple organizations. Sparks noted that an account that\u2019s existed for multiple years often is considered more legitimate than one registered the same week it begins scraping data.<\/p>\n<p>The threat actors tend to use the ghost accounts for one to three weeks before their use ends. While in use, the accounts are given a mixture of names, from GitHub-Company-Scraper and GitHub-Scraper-Tool\/1.0 to more benign-sounding names such as GitHubAnalytics\/1.5.<\/p>\n<p>Most of them target <a href=\"https:\/\/devops.com\/apollo-graphql-delivers-on-promise-to-integrate-rest-apis\/\" target=\"_blank\" rel=\"noopener\">GraphQL<\/a>, an open-source query language for APIs, while others look to <a href=\"https:\/\/devops.com\/apollo-graphql-delivers-on-promise-to-integrate-rest-apis\/\">REST<\/a>, which Sparks said is what\u2019s expected when talking about mapping organizations. It won\u2019t give abusers access, but it will allow for reconnaissance.<\/p>\n<h3>Exposed Personal Tokens<\/h3>\n<p>Some campaigns used personal account tokens (PATs) exposed by users who posted them accidentally or had their systems compromised. One campaign between December and January used three stolen tokens from a progression of the same user agents and ran its infrastructure on a hosting provider, 3xK Tech, which has been the subject of several abuse reports.<\/p>\n<p>\u201cDozens of distinct legitimate GitHub user accounts made API requests to a single organization within a window of only a few minutes,\u201d Sparks wrote. \u201cTheir requests targeted private repository commit paths, and in this campaign, the attempts failed. The functional focus of this campaign was narrow and consistent: listing organization repositories, fetching commits, and probing private repository paths.\u201d<\/p>\n<p>There were a handful of cases in which campaigns were able to access data. In one, a user agent with the handle \u201crepo-dumper\u201d exfiltrated data from a private repository using a mix of Git cloning and API requests.<\/p>\n<h3>Keep an Eye on Indicators<\/h3>\n<p>Sparks wrote that among the indications of unauthorized activity in an organization\u2019s environment are user agents, event activity, and actor names. Datadog researchers are detecting a rise in legitimate vibe-coded or custom tools that have names similar to user agents they\u2019ve identified.<\/p>\n<p>\u201cIt\u2019s important to know what normal looks like in your environment,\u201d Sparks wrote. \u201cWe suggest enabling GitHub audit log streaming, baselining your user agents, proactively threat hunting, and developing detections unique to your GitHub organization.\u201d<\/p>\n<p><a href=\"https:\/\/devops.com\/github-api-abuse-ghost-accounts-part-of-malicious-efforts-to-map-organizations\/\" target=\"_blank\" class=\"feedzy-rss-link-icon\">Read More<\/a><\/p>\n<p>\u200b<\/p>","protected":false},"excerpt":{"rendered":"<p>A cluster of coordinated and overlapping campaigns that have been running for several months is abusing GitHub\u2019s API and leveraging [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":4579,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[5],"tags":[],"class_list":["post-4578","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-devops"],"_links":{"self":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/posts\/4578","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/comments?post=4578"}],"version-history":[{"count":0,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/posts\/4578\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/media\/4579"}],"wp:attachment":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/media?parent=4578"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/categories?post=4578"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/tags?post=4578"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}