Dormant GitHub Accounts Expose Corporate Codebases to Stealth Scraping
Attackers are using aged GitHub accounts to map corporate organizations without detection. These ghost accounts enable persistent reconnaissance through GitHub's API.
TL;DR
- Multiple threat actors are systematically scanning corporate GitHub organizations using dormant accounts
- These 'ghost' accounts are often years old, making them appear legitimate to evade detection
- Automated tools with realistic user agents are scraping repositories and user data at scale
- Compromised OAuth tokens are also being leveraged for unauthorized access
- Organizations should audit inactive accounts and monitor API usage patterns
Security researchers at Datadog Security Labs have uncovered coordinated campaigns targeting corporate GitHub infrastructure through sophisticated reconnaissance methods. These attacks leverage legitimate-looking but inactive GitHub accounts to avoid detection while systematically mapping organizational structures, repositories, and user accounts.
The threat actors employ automated scraping tools that mimic normal GitHub traffic patterns, making their activities difficult to distinguish from legitimate usage. This technique represents a significant evolution in how attackers gather intelligence about potential targets before launching more direct attacks.
Reconnaissance Tactics
- Attackers use GitHub API to enumerate corporate organizations, repositories, and user accounts
- Automated scraping tools employ custom or legitimate-sounding user agents to avoid suspicion
- Ghost accounts that are years old provide credibility and help bypass security monitoring
- Some campaigns leverage compromised OAuth tokens for authenticated access to private resources
Defensive Recommendations
- Audit GitHub organizations for dormant or unused accounts that could be exploited
- Monitor API usage patterns for unusual enumeration activity from seemingly legitimate accounts
- Implement rate limiting and access controls on GitHub API endpoints
- Review and rotate OAuth tokens regularly to prevent unauthorized access
- Establish monitoring alerts for suspicious repository scanning behavior
Sources
Sources
Security email updates
One digest email when we publish new security articles (TL;DR plus links to read more). Unsubscribe anytime from the message footer. See our Privacy Policy.