How the Attack Works
Security researchers have uncovered a coordinated campaign leveraging more than 50 dormant GitHub accounts to conduct reconnaissance on corporate organizations, their repositories, and developers. The attackers use GitHub’s API to collect publicly available information, but in some cases they have successfully accessed private source code repositories. The operation relies on accounts created two to five years ago that remained inactive until recently, when they suddenly began making API requests. This aging strategy helps the accounts appear more legitimate than newly created profiles used for mass scraping.
Scope and Impact
Multiple overlapping campaigns have been active since at least October, using automated tools, compromised access tokens, and networks of long dormant ghost accounts. Datadog confirmed that over 50 accounts participated in reconnaissance activity, often operating for only one to three weeks before going silent. The attackers primarily queried GitHub’s /graphql endpoint for bulk organization, user, and repository information, and also used REST API routes to list memberships, followers, and activity. While most private repository requests failed, researchers documented one confirmed incident where a tool successfully executed git clone and API actions against a private repository. Security teams should enable GitHub audit log streaming and establish baselines of normal API activity to detect these threats.
Source: Cyber Security News

