Datadog Security Labs has uncovered sophisticated and coordinated threat campaigns systematically targeting corporate GitHub organizations, repositories, and user accounts via the GitHub API. These ongoing efforts, which have been actively monitored, indicate a clear intent to gain unauthorized access to sensitive development assets, raising significant concerns for supply chain security.
The campaigns are characterized by the exploitation of dormant and compromised user accounts, combined with custom scraping tools, to enumerate public and, in some cases, private data within GitHub environments. Threat actors are leveraging a multi-pronged approach, utilizing both “ghost” accounts—often inactive for years—and compromised personal access tokens (PATs) and OAuth tokens from legitimate users to mask their malicious activities.
GitHub API Enumeration Campaigns Underscore Supply Chain Security Risks
Datadog Security Labs, in its recent advisory, detailed how threat actors are employing automated tooling with deliberately crafted user agents, including legitimate-sounding ones, to systematically scan GitHub organizations. This process aims to map out an organization’s development footprint by cataloging public repositories, user relationships, and group memberships. The primary objective appears to be information gathering for potential future exploitation.
Exploiting Dormant Accounts and Compromised Tokens
A key tactic involves the strategic use of “ghost” accounts, dormant for two to five years, which are then reactivated for API traffic. This dormancy strategy is intended to bypass security alerts that might be triggered by new account activity. In parallel, threat actors are compromising PATs and OAuth tokens from legitimate users, providing them with deeper access and further obfuscating their origins. This combination of techniques allows for sustained and widespread enumeration without immediately raising red flags.
According to Julie Agnes Sparks, a senior security engineer at Datadog, “Operators rely on automated scraping tooling with custom or legitimate-sounding user agents, leveraging GitHub ‘ghost’ accounts that are often years old, or compromised OAuth tokens and personal access tokens (PATs) from legitimate users.” This highlights the adaptable and persistent nature of the threat.
Beyond Public Data: Cloning Private Repositories
While many enumeration queries target publicly accessible data, the campaigns have demonstrated a concerning escalation. In select instances, threat actors have successfully moved beyond public visibility to clone private repositories. This indicates a potential shift from passive reconnaissance to active data exfiltration, representing a serious breach of confidentiality and a direct threat to intellectual property and sensitive code.
The effectiveness of these campaigns stems from the readily accessible nature of much of GitHub’s API surface. Without strict authentication, numerous enumeration queries can be executed, often blending seamlessly with legitimate API usage. Queries that list public repositories, map user connections (followers and following), enumerate gists, starred repositories, and organization memberships, as well as run GraphQL queries against public objects, are all potential tools for attackers.
The aggregated impact of these individual queries is significant. “Individually, most of these requests are unremarkable. They hit public endpoints, authenticate cleanly or not at all, and return successful responses,” Datadog observed. “The concern lies in the aggregate: a group of accounts moving in sync across companies’ GitHub organizations with versioned custom tooling iterating over weeks, and in the worst case, actors that stopped enumerating and started cloning.” This collective action, synchronized across multiple organizations and over extended periods, amplifies the intelligence gathering capabilities of the attackers.
Implications for Software Development and Supply Chain Security
The ability of threat actors to enumerate an organization’s GitHub activity programmatically, including its public repositories, membership, and the projects being worked on, provides a comprehensive picture for further targeting. This detailed mapping can inform phishing campaigns, social engineering attacks, or pinpoint specific vulnerabilities within an organization’s development workflow. The verified instances of private repository cloning represent the most severe outcome, directly compromising source code and potentially exposing proprietary algorithms, sensitive configurations, or credentials embedded within the code.
The ongoing nature of these coordinated campaigns suggests that organizations must rigorously review their GitHub security posture. This includes diligent management of PATs and OAuth tokens, enforcing multi-factor authentication, regularly auditing account activity, and implementing robust monitoring for anomalous API usage patterns. The threat landscape continues to evolve, and proactive measures are crucial to defending against sophisticated supply chain attacks that leverage the very tools and platforms intended for collaboration and innovation.
The next expected step in monitoring these campaigns will likely involve tracking any further escalation in the types of data accessed or the scope of organizations targeted. Security researchers will continue to analyze the techniques and tools employed by these threat actors, providing updates as the situation develops. Organizations are advised to remain vigilant and implement recommended security practices to safeguard their development environments.

