Close Menu

    Subscribe to Updates

    Get the latest Tech news from SynapseFlow

    What's Hot

    Ghost Accounts Abuse GitHub API in Mass Recon Campaign

    July 11, 2026

    Palantir Insiders Disgusted by Company’s Leadership

    July 11, 2026

    Austrian Audio The Arranger review: wired open-backed headphones that can turn their hand to almost anything

    July 11, 2026
    Facebook X (Twitter) Instagram
    • Homepage
    • About Us
    • Contact Us
    • Privacy Policy
    Facebook X (Twitter) Instagram YouTube
    synapseflow.co.uksynapseflow.co.uk
    • AI News & Updates
    • Cybersecurity
    • Future Tech
    • Reviews
    • Software & Apps
    • Tech Gadgets
    synapseflow.co.uksynapseflow.co.uk
    Home»Cybersecurity»Ghost Accounts Abuse GitHub API in Mass Recon Campaign
    Ghost Accounts Abuse GitHub API in Mass Recon Campaign
    Cybersecurity

    Ghost Accounts Abuse GitHub API in Mass Recon Campaign

    The Tech GuyBy The Tech GuyJuly 11, 2026No Comments3 Mins Read0 Views
    Share
    Facebook Twitter LinkedIn Pinterest Email
    Advertisement


    Threat actors are abusing the GitHub API to systematically enumerate organizations, repositories, and user accounts, Datadog reports.

    Advertisement

    Spanning multiple overlapping campaigns, the activity has been ongoing for several months, relying on ghost accounts that were registered two to five years ago but left dormant.

    The activity, Datadog says, involves automated scanners, the abuse of leaked credentials, and coordinated networks of dormant accounts.

    While the observed GitHub API requests are targeting publicly available data, blending with normal traffic, the continuous activity that in some cases escalated to the attackers cloning discovered repositories raises concern.

    “A large share of GitHub’s API surface is reachable without authentication. Listing an organization’s public repositories, walking a user’s followers and following lists, enumerating gists, starred repos, and org memberships, and running GraphQL queries against public objects all return data,” Datadog explains.

    Requests against these public paths generate HTTP 200 responses and no authentication failure signals. Through normal API traffic, an operator can use this to map an organization, its members, and the projects they access.

    Advertisement. Scroll to continue reading.

    Since at least October 2025, over 50 ghost accounts have been used to send API traffic as part of the enumeration, usually in bursts of 1 to 3 weeks, across multiple organizations.

    The accounts have been using user agents named to sound like data exfiltration, analytics, or dashboard tools. Most of the requests have been targeting GraphQL, while others have been aimed at REST routes.

    “On its own, this enumeration rarely produces meaningful access inside an organization, rather it’s accomplishing reconnaissance,” Datadog notes.

    One campaign was also seen using inadvertently exposed tokens from legitimate GitHub users, targeting private repository commit paths from dozens of legitimate accounts over a window of several minutes.

    In rare cases, the attackers moved beyond reconnaissance and successfully exfiltrated data from the targeted organizations, Datadog says.

    To detect this type of malicious activity, the cybersecurity firm notes, defenders should look for data exfiltration from private repositories, and should check logs for anomalous user agent behavior and for user agent naming and versioning in actions that reach private repositories.

    “User agents, event activity, and actor names are vital clues to unauthorized activity in your environment. It’s important to know what normal looks like in your environment. We suggest enabling GitHub audit log streaming, baselining your user agents, proactively threat hunting, and developing detections unique to your GitHub organization,” Datadog notes.

    Related: Network of 200 GitHub Repositories Used for Malware Infection

    Related: China, India-Linked Hackers Both Targeted Same Pakistani Police Force

    Related: Okta Warns of Vishing Attacks Targeting Microsoft 365 Customers

    Related: Chinese Framework Powers 200,000 Scam Sites

    Advertisement
    Share. Facebook Twitter Pinterest LinkedIn Tumblr Email
    The Tech Guy
    • Website

    Related Posts

    GigaWiper Combines Multiple Malware for System-Level Sabotage

    July 11, 2026

    Okta Warns of Vishing Attacks Targeting Microsoft 365 Customers

    July 11, 2026

    China, India-Linked Hackers Both Targeted Same Pakistani Police Force

    July 11, 2026

    In Other News: DHS Database Hacked, Adobe Boosts Patch Cadence, Canada Disrupts Ransomware Ops

    July 10, 2026

    Third US Security Expert Sentenced to Prison for Helping Ransomware Gang

    July 10, 2026

    Palo Alto Networks Patches 13 Vulnerabilities

    July 10, 2026
    Leave A Reply Cancel Reply

    Advertisement
    Top Posts

    You don’t need a NAS to self-host — I proved it with hardware from my closet

    June 7, 2026253 Views

    Spotify is giving one of its best playlists a big visual upgrade to give subscribers ‘a closer connection’ to its New Music Friday curators — and I think it could be the update it’s always needed

    June 12, 2026157 Views

    The iPad Air brand makes no sense – it needs a rethink

    October 12, 202516 Views
    Stay In Touch
    • Facebook
    • YouTube
    • TikTok
    • WhatsApp
    • Twitter
    • Instagram
    Advertisement
    About Us
    About Us

    SynapseFlow brings you the latest updates in Technology, AI, and Gadgets from innovations and reviews to future trends. Stay smart, stay updated with the tech world every day!

    Our Picks

    Ghost Accounts Abuse GitHub API in Mass Recon Campaign

    July 11, 2026

    Palantir Insiders Disgusted by Company’s Leadership

    July 11, 2026

    Austrian Audio The Arranger review: wired open-backed headphones that can turn their hand to almost anything

    July 11, 2026
    categories
    • AI News & Updates
    • Cybersecurity
    • Future Tech
    • Reviews
    • Software & Apps
    • Tech Gadgets
    Facebook X (Twitter) Instagram Pinterest YouTube Dribbble
    • Homepage
    • About Us
    • Contact Us
    • Privacy Policy
    © 2026 SynapseFlow All Rights Reserved.

    Type above and press Enter to search. Press Esc to cancel.

    Ad Blocker Enabled!
    Ad Blocker Enabled!
    Our website is made possible by displaying online advertisements to our visitors. Please support us by disabling your Ad Blocker.