XOOMAR
Ghostly accounts mapping API metadata across a dark secured code network
CybersecurityJuly 11, 2026· 7 min read· By XOOMAR Insights Team

Ghost Accounts Forge Attack Maps With GitHub API Abuse

Share
Updated on July 11, 2026

GitHub’s public API is supposed to make developer collaboration easier, but Datadog says threat actors are now using that openness to build organization maps at scale through GitHub API abuse.

XOOMAR Intelligence

Analyst Take

66/ 100
Moderate
4 sources analyzedLow confidenceTrend10Freshness100Source Trust85Factual Grounding93Signal Cluster20

Multiple overlapping campaigns have used more than 50 dormant “ghost accounts” to enumerate GitHub organizations, repositories, and users since at least October 2025, according to SecurityWeek. The accounts were registered two to five years ago, left quiet, then activated in bursts lasting 1 to 3 weeks.

XOOMAR analysis: the core risk isn’t that GitHub exposes secrets by default. Datadog’s finding points to a subtler problem. Public developer metadata can be stitched into a targeting dossier, and the API makes that process clean, repeatable, and hard to separate from normal usage.

Ghost GitHub Accounts Turn Public Metadata Into an Attack Map

The campaigns targeted data that is largely public: organization repositories, user accounts, followers, following lists, gists, starred repositories, organization memberships, and public objects available through GraphQL queries.

That sounds benign in isolation. It isn’t.

A single request to list public repositories may not mean much. A coordinated set of accounts querying many organizations over weeks can map who works where, which projects are active, and which repositories sit closest to valuable engineering work. Datadog characterized the activity as reconnaissance rather than routine scraping, noting that enumeration may not create access by itself but can help attackers understand an organization’s development footprint.

The attackers also used user agents with names that appeared to resemble data collection, analytics, dashboard, or scraping tools.

That naming can be blatant. But the traffic worked because the underlying requests often looked legitimate.


GitHub API Abuse Makes Recon Faster Than Manual Browsing

Manual browsing leaves attackers with pages to click through. GitHub API abuse gives them structured output.

Datadog said much of the observed traffic targeted GraphQL, with other requests aimed at REST routes. That matters because APIs return data in a form that can be stored, searched, and compared across targets. An attacker doesn’t need to read every repository page. They can collect organization and user data first, then decide where to spend attention.

The shift looks like this:

  • Before: Browse public GitHub pages, search for interesting repositories, manually inspect maintainers and activity.
  • After: Use dormant accounts and API calls to enumerate organizations, repositories, members, gists, starred repos, and public relationships across many targets.
  • Before: Recon depends heavily on human attention.
  • After: Recon feeds databases, scanners, and later credential or access checks.
  • Before: One noisy account is easier to flag.
  • After: Many older accounts can spread activity and reduce obvious single-account anomalies.

The ghost account detail is the key. Accounts created years earlier may appear less suspicious than accounts registered right before a scan begins. Datadog observed coordinated networks of these dormant accounts, not just one-off scraping.

This is where GitHub’s collaboration model cuts both ways. The same public surface that helps developers find projects and people also helps attackers sort organizations by engineering footprint.

The Numbers That Show Recon Was Coordinated, Not Random

The most important number is more than 50.

Datadog observed over 50 ghost accounts used in the enumeration activity since at least October 2025. Those accounts operated in bursts of 1 to 3 weeks and moved across multiple organizations.

Campaign signal Datadog-observed behavior Why defenders should care
Ghost accounts Registered two to five years ago, then activated Older accounts may blend better than brand-new accounts
Activity window Bursts of 1 to 3 weeks Short campaigns reduce the trail left by any one account
API focus Heavy use of GraphQL, plus REST routes Structured data collection beats manual browsing
Response pattern Public-data requests resembled ordinary API traffic Lack of obvious login-failure signals can make alerting harder
Escalation cases Rare movement to private repository access Recon can become access when credentials are available

Datadog’s point about ordinary-looking API activity is crucial. Requests focused on public data can be allowed behavior, not failed logins, which means defenders may have fewer clear authentication-failure signals to investigate.

Datadog’s reporting describes public API activity involving organization repositories, followers and following lists, gists, starred repositories, organization memberships, and GraphQL queries against public objects. In isolation, those requests may look routine. In aggregate, they can reveal a coordinated mapping effort.

XOOMAR analysis: this is a detection problem more than a permissions problem. The requests may be allowed. The pattern is what makes them suspicious.

Stolen Tokens Turned Mapping Into Private-Repo Probing

Most of the activity Datadog described involved public data. But one observed campaign involved compromised OAuth tokens or personal access tokens associated with legitimate GitHub users, with activity moving toward private repository access through git clone and API requests.

That changes the risk profile.

Public recon tells an attacker what exists. A valid OAuth token or personal access token can test whether private paths are reachable. Datadog reported that rare cases moved beyond reconnaissance, including at least one observed case of successful private repository access.

This is the moment where “public metadata” stops sounding harmless. A map of repositories and members becomes more valuable when paired with compromised credentials.

The pattern also sits beside other GitHub-centered risks we’ve covered, including GitLost Turns GitHub Agentic Workflows Against Private Repos. For a different class of security tooling failure, see our coverage of the Microsoft Defender flaw that lets hackers seize SYSTEM access.

Developers, Security Teams, and GitHub Are Solving Different Problems

Developers benefit from visibility. Public profiles, repository activity, and organization links support collaboration, trust, and hiring signals. Locking all of that down would damage the value that made GitHub central to software work.

Security teams have a different problem. They need to know when normal visibility becomes coordinated enumeration. Datadog recommends watching for anomalous user agent behavior, user agent naming and versioning, event activity, actor names, and access involving private repositories.

GitHub’s platform challenge is harder. Research tools, search indexing, analytics products, dashboards, and legitimate integrations can all touch public APIs. A coordinated recon campaign may stay close enough to allowed behavior that simple blocking would catch the wrong users.

Attackers benefit from the gap. Ghost accounts lower friction. Public API paths avoid authentication failures. Compromised legitimate tokens can move activity from mapping to private access.


Engineering Teams Should Treat Public GitHub Metadata as Exposure

The practical move is not panic. It’s inventory.

Security teams should ask a blunt question: if an outsider queried the public GitHub API against our organization, what would they learn?

Datadog’s advice centers on visibility into user agents, event activity, actor names, and organization-specific baselines. The recommended defensive direction is to enable GitHub audit log streaming where available, understand normal activity, hunt proactively, and build detections tailored to each GitHub organization.

Useful controls from the source-supported findings include:

  • Audit logs: Enable GitHub audit log streaming where available.
  • User agents: Baseline normal user agents and investigate unusual naming or versioning.
  • Private repo access: Prioritize any activity that reaches private repositories, especially clone or API request events.
  • Actor patterns: Hunt for repeated enumeration by unfamiliar accounts across organization endpoints.
  • Token exposure: Investigate legitimate user tokens that touch private paths unexpectedly.

XOOMAR analysis: defenders should also run their own public recon against their GitHub organizations. If your team can map repos, members, and project relationships through public routes, attackers can too.

The Next Control Fight Is Reputation, Not Just Authentication

The watch item now is whether GitHub and enterprise customers move toward reputation-based detection for API behavior: account history, coordinated query timing, cross-organization activity, suspicious user agents, and sudden activation of dormant accounts.

That would not be a clean fix. Legitimate automation can look weird. Researchers can query broadly. Public data is public for a reason.

The evidence that would confirm Datadog’s warning is more cases where enumeration leads to private repository access through exposed tokens or legitimate accounts. The evidence that would weaken it is sustained public recon with no meaningful escalation and no private-resource contact.

For now, the signal is clear enough: GitHub API abuse has turned public developer metadata into a usable attack map. Teams that treat that metadata as harmless are leaving attackers with the first draft already written.

Impact Analysis

  • Attackers can turn public GitHub metadata into detailed maps of an organization’s engineering footprint.
  • Dormant accounts make reconnaissance harder to distinguish from legitimate API usage.
  • Security teams may need to monitor public API access patterns, not just exposed secrets or private repository access.

Ghost Account Dormancy Before Activation

Minimum age
years2
Maximum age
years5
XOOMAR

Written by

XOOMAR Insights Team

Research and Editorial Desk

The XOOMAR Insights Team pairs automated research with human editorial judgment. We track hundreds of sources across technology, fintech, trading, SaaS, and cybersecurity, cross-check the facts, and explain what happened, why it matters, and what to watch next. We do not just rewrite headlines. Every article is fact-checked and scored for reliability before it goes live, and we link back to the original sources so you can verify anything yourself.

Related Articles

AI coding agent lured by a clean repo into malware trap with reverse shell connectionCybersecurity

Clean GitHub Repo Tricks AI Coding Agents Into Malware

A clean GitHub repo can trick AI coding agents into fixing setup errors that execute malware and open a reverse shell.

Jun 27, 20268 min
AI workflow security breach exposing private repository data through a malicious issueCybersecurity

GitLost Turns GitHub Agentic Workflows Against Private Repos

GitLost shows one malicious public GitHub Issue can hijack AI workflows and reach private repo data without stolen credentials.

Jul 10, 20267 min
Enterprise endpoint shield blocks a rogue cyber intrusion in a dark data protection scene.Cybersecurity

Microsoft Defender Flaw Lets Hackers Seize SYSTEM Access

Microsoft patched RoguePlanet, a Defender flaw that could let attackers turn low-level access into SYSTEM control.

Jul 9, 20268 min
Generic router with glowing backdoor portal and broken security shield in a dark cybersecurity sceneCybersecurity

Tenda Firmware Backdoor Lets Attackers Seize Routers

A hidden Tenda login path can grant admin access without valid credentials, and there's no patch yet.

Jul 9, 202611 min
Hospital IT breach scene with protected medical devices, servers, shields, locks, and data streams.Cybersecurity

3.8 Million Caught in Medtronic Data Breach Fallout

Medtronic says devices stayed safe, but 3.8 million people had personal and medical data exposed through corporate IT.

Jul 3, 202611 min
Futuristic mobile video editing workspace with green screen glow and AI authenticity visuals.Technology

Stolen Clips Face X Video Editor's First iOS Tools

X's new iOS video editor adds captions and green screen tools to push creators toward original uploads and away from stolen viral reposts.

Jul 11, 20266 min
Modern smartphone with abstract glowing status icons in a futuristic tech workspaceTechnology

Android Status Bar Icons Reveal Your Phone's Hidden Trouble

Android status bar icons can flag broken Wi-Fi, silenced alerts, roaming, and battery limits before you open settings.

Jul 11, 20268 min
Unbranded rocket launch reflected on trading floor screens with tokenized equity market visualsTrading

SpaceX IPO Hijacks Tokenized Equities in $3.86B Frenzy

SpaceX-linked tokens made up 31% of June's $3.86B tokenized equities volume, turning a market record into a single-asset story.

Jul 11, 20266 min
Bitcoin treasury selloff shifting capital toward AI data centers in a modern fintech office.Fintech

Empery Digital Dumps Half Its Bitcoin for AI Data Centers

Empery Digital sold 1,400 BTC for $87.1M, ditching half its stack to chase AI data centers as the treasury trade cracks.

Jul 11, 202610 min
Astrophysicist reviews glowing UAP data in a futuristic government science room.Technology

Avi Loeb Takes White House UAP Helm as Critics Circle

Avi Loeb will chair a White House-backed UAP science council, putting a polarizing alien-tech advocate inside federal UFO review.

Jul 11, 20266 min

Don't miss the signal

Get our weekly roundup of the stories that matter across tech, fintech, and trading. No noise, just signal.

Free forever. No spam. Unsubscribe anytime.