What's Happening?
Threat actors have been exploiting the GitHub API to conduct a large-scale reconnaissance campaign, as reported by Datadog. This activity involves the use of ghost accounts, which were registered years ago but remained dormant until recently. These accounts are
being used to systematically enumerate organizations, repositories, and user accounts. The campaign relies on automated scanners and leaked credentials to access publicly available data, blending in with normal traffic. The attackers have been targeting GraphQL and REST routes, with some instances escalating to cloning discovered repositories.
Why It's Important?
This campaign highlights significant vulnerabilities in the way public data is accessed and managed on platforms like GitHub. The ability of attackers to conduct reconnaissance without triggering authentication failures poses a risk to organizations that rely on GitHub for code management and collaboration. The potential for data exfiltration, even if rare, underscores the need for enhanced security measures and monitoring. Organizations using GitHub must be vigilant in detecting unauthorized activity and protecting sensitive information, as successful breaches could lead to intellectual property theft and other security breaches.
What's Next?
Organizations are advised to implement robust monitoring and detection strategies to identify and mitigate unauthorized access attempts. This includes enabling GitHub audit log streaming, baselining user agents, and developing custom threat detection mechanisms. As the campaign continues, cybersecurity firms and affected organizations will likely collaborate to enhance security protocols and share intelligence on emerging threats. The broader cybersecurity community may also push for changes in API access policies to prevent similar abuses in the future.













