Home/ Blog/ Security news/ Article
Blog · Security news

Ghost accounts are mapping your GitHub org. The recon is invisible; the stolen token is not.

Datadog found 50+ dormant GitHub accounts enumerating corporate orgs through the public API, some escalating to private-repo clones with stolen tokens. The

Dim network map of folders with faint bright lines tracing paths to one glowing container

Reconnaissance rarely trips an alarm, and that is the whole problem with the GitHub campaign Datadog Security Research disclosed this week. The traffic looks ordinary: years-old accounts, public endpoints, clean HTTP 200 responses, not a single failed login. There is nothing to patch, and for most of the activity, nothing you can reliably detect. Reading this as "block the scanning" burns the short window you have before the mapping turns into access. The moment worth your attention is not the enumeration. It is the point where a stolen token clones a private repository.

What Datadog actually found

Since October 2025, Datadog's researchers have tracked more than 50 dormant accounts taking part in coordinated GitHub API enumeration. The accounts were created years earlier, sat idle to avoid looking new, then woke up for short bursts of one to three weeks and moved across many companies at once. They follow recognizable naming patterns, including an amazon-data-* prefix, an -orb family such as kuku-orb and zouzou-orb, and throwaway handles like BirdWithDreams and user432023.

The queries hit GitHub's public API, especially the GraphQL endpoint, to pull organizations, repositories, members, follower graphs, gists, and starred projects in bulk. That surface needs no authentication and returns success codes, so the requests blend into normal developer and tooling traffic. Senior security engineer Julie Agnes Sparks said the operators run automated scrapers carrying either bespoke or innocuous-looking client identifiers, driving them through the ghost accounts or through OAuth grants and personal access tokens taken from real users. In a set of cases the activity went past public data: a client calling itself repo-dumper successfully cloned a private repository, with the audit log capturing the theft as a mix of git clone and API calls to private paths.

Why the recon half is a detection trap

The enumeration is engineered to be indistinguishable from legitimate use, and that defeats the obvious defensive instinct. Aged accounts sail past any "new account" heuristic. Public data means there is no failed-auth event to key on. If you write a detection for "someone is enumerating our org through the API," it will fire on every developer, every continuous integration job, and every dependency scanner that reads your public repositories. Datadog's own framing is that each request is unremarkable on its own, and the signal only appears in the aggregate: a cluster of accounts moving in sync across many companies.

That aggregate is real, but here is the part the coverage glosses over: seeing it requires a vantage point across many organizations at once. GitHub can correlate that from the platform side. A single customer looking at its own logs almost never can, because from inside one org the campaign is just a handful of ordinary-looking reads. So account age is the wrong trust signal to build on, and cross-org correlation is not a detection most defenders can run. Chasing the recon is effort spent on the one stage of this attack you are structurally least equipped to catch.

The signal that actually matters

Sort the activity by what your own audit log can prove, and the picture inverts. The mapping is noise you cannot separate from real traffic. The escalation is a high-confidence event, because cloning a private repository is not something a public, unauthenticated scanner can do. It needs a credential, and that credential leaves a specific fingerprint.

GitHub activityAudit-log fingerprintDetection value
Public org, member, and repo enumeration via GraphQLHTTP 200, no auth failure, public pathsLow: indistinguishable from normal developer and tooling reads
Bursts from aged "ghost" accountsLegitimate account, years old, active 1 to 3 weeksLow alone: defeats new-account rules, needs cross-org context you rarely have
Private repo clone or archive download via stolen tokengit clone or zip download to a private path, programmatic OAuth or PAT, odd user agentHigh: this is where you build the alert
Sorted by what a single organization's own GitHub audit log can prove. Source: Datadog Security Research.

The alert to write keys on the escalation row: a clone or archive download against a private repository, where the access type is a personal access token or OAuth grant, and the user agent is one you have never baselined or the actor and source IP are new for that identity. Datadog points defenders at exactly this, streaming the audit log and building detections around anomalous user agents on private-repository access rather than the enumeration itself. The token-theft wave that fed these clones landed across the turn of the year, late December 2025 into the first days of January 2026, so the leaked credentials predate the enumeration bursts you would see now.

This is the reconnaissance stage of a kill chain you have seen before

Read on its own, org mapping sounds like harmless open-source intelligence. Placed in sequence, it is stage one. Map the organization to find the repositories and the people worth targeting, harvest or reuse a leaked token, then act inside the org as a trusted identity. We have already documented what stage two looks like. In Cordyceps, a free account pushed code as a trusted maintainer through a GitHub Actions flaw. In GitLost, a crafted public issue tricked an AI agent into leaking a private repository. This campaign is the quiet survey that makes those later moves precise.

The common thread across all three is that GitHub itself is rarely the thing that breaks. The pivot is an identity: a leaked token, a free account granted too much trust, an agent acting on attacker input. Which means the control that pays off is not a GitHub patch. It is treating every personal access token and OAuth grant as a live credential that will eventually leak, and shrinking what a leaked one can reach.

What to do this week

Four moves, in order of return. First, turn on audit log streaming if it is off, and baseline the user agents that legitimately touch your private repositories, so an unknown one stands out. Second, write the detection on the escalation, not the enumeration: private-repo clone or archive download by a token whose user agent, actor, or source IP is new. Third, work the token surface, because the whole escalation depends on a stolen credential: expire and tightly scope personal access tokens, prefer fine-grained tokens over classic ones, rotate OAuth grants, and hunt for tokens committed into code. Fourth, shrink the recon yield as attack-surface reduction: set organization member visibility to private, prune stale public repositories and forks, and check which internal-looking repos are public by accident.

None of this stops a stranger from reading what you have chosen to make public, and it is not meant to. The recon is going to happen and you will not see most of it. The goal is to make the enumeration return less, and to make sure the one action that actually costs you, a stolen token reaching into a private repository, is the loudest event in your log rather than the quietest.

Topics

Frequently asked questions

What did Datadog find in the GitHub enumeration campaign?

Datadog Security Research tracked more than 50 dormant GitHub accounts that, since October 2025, enumerated corporate organizations, repositories, and members through the public API. Some activity escalated to cloning private repositories using stolen OAuth tokens and personal access tokens.

Why is GitHub API enumeration so hard to detect?

The queries hit public endpoints that need no authentication and return success codes, so they look like normal developer and tooling traffic. The attackers also use accounts created years earlier, which defeats any detection based on new-account activity.

What GitHub activity should defenders actually alert on?

Alert on the escalation, not the enumeration. The high-value event is a clone or archive download against a private repository by a personal access token or OAuth grant whose user agent, actor, or source IP is new for that identity. That requires a credential a public scanner does not have.

How do attackers get access to private repositories here?

Through stolen credentials, not a GitHub vulnerability. The campaign reused OAuth tokens and personal access tokens leaked from legitimate users, harvested in a token-theft wave around the turn of the year, late December 2025 into early January 2026, then used them to clone private repositories.

How do I reduce what this GitHub reconnaissance can collect?

Treat public org metadata as attacker targeting data. Set organization member visibility to private, prune stale public repositories and forks, and review which internal-looking repos are public by accident. Pair that with tight token hygiene, since the escalation depends on a leaked credential.

Ready to meet the Guardians?

Deploys fast - agentless for monitoring and cloud, a lightweight agent for deep endpoint security. Just Suriq, standing watch.