Hackers Turn 50+ Dormant GitHub Accounts Into a Network for Corporate Source Code Recon

Hackers Turn 50+ Dormant GitHub Accounts Into a Network for Corporate Source Code Recon










Research has uncovered coordinated campaigns that use more than dormant GitHub accounts to map corporate organizations, repositories, and developers.

The activity relies on GitHub’s API to collect public information. However, some operators have also attempted to access private source code repositories and, in rare cases, succeeded.

The campaigns have been active since at least October. Rather than involving a single threat actor, the researchers observed multiple overlapping operations that used automated tools, compromised access tokens, and networks of long-dormant “ghost” accounts.

Many of the accounts were created two to five years ago. They remained inactive until they suddenly began making API requests across several GitHub organizations.

This aging strategy may help attackers appear more legitimate than newly created accounts used for mass scraping.

Hackers Hijack GitHub Accounts for Recon

The accounts followed recognizable naming patterns, including the amazon-data-* prefix, the *-orb family, and repetitive usernames such as BirdWithDreams, BirdWithPlan, user432023, and user412023.

Datadog confirmed that more than such accounts participated in reconnaissance activity, often operating for only one to three weeks before going quiet.

Attack flow of coordinated GitHub API enumeration and access token abuse ( source : securitylabs.datadoghq )
Attack flow of coordinated GitHub API enumeration and access token abuse ( source: securitylabs.datadoghq )

The attackers primarily queried GitHub’s /graphql endpoint, which supports bulk requests for organization, user, and repository information.

They also used REST API routes to list public repositories, organization memberships, followers, gists, starred projects, and user activity.

Because much of this data is public, the requests often return successful HTTP responses. They may appear to be legitimate use of the GitHub API.

Attackers can use this information to build a detailed picture of a company’s developers, projects, technology stack, open-source exposure, and potential targets for further compromise.

Several campaigns used suspicious user-agent strings, including GitHub-Company-Scraper, GitHub-Scraper-Tool/1.0, and GitHubAnalytics/1.5.

BirdWithPlan GitHub user ( source : securitylabs.datadoghq )
BirdWithPlan GitHub user (source: securitylabs.datadoghq )

Other tools attempted to appear legitimate by using names linked to analytics, dashboards, monitoring, or repository analysis.

One campaign used the simple request user agent, which stands out from the more common versioned tool names. Datadog also identified activity involving stolen OAuth tokens and personal access tokens.

Between late December and early January, the credentials of dozens of legitimate GitHub users were compromised and used to access a single organization within minutes.

The operators cycled through user agents such as GitHub-Commit-Fetcher/1.3, GitHub-Commit-Fetcher/1.4, and GitHub-Event-Fetcher/2.2.

These requests attempted to list repositories, retrieve commit data, and access private repository paths.

While many private repository requests failed, Datadog documented one confirmed incident in which a tool identified as repo-dumper successfully executed git clone and API actions against a private repository.

The campaign highlights how public GitHub metadata can support corporate reconnaissance before attackers attempt credential abuse or source code theft.

Security teams should enable GitHub audit log streaming and establish a baseline of normal API activity in their environments.

Defenders should investigate successful API requests, Git clone operations, and ZIP downloads involving private repositories, especially when OAuth tokens or personal access tokens are used.

Key signals include unusual user agents, unexpected account activity, suspicious token types, abnormal request volume, and source infrastructure linked to hosting providers such as 3xktech[.]cloud and cherryservers[.]com.

Stop Accepting SLAs Written for 2019 SOCs – Here’s the 2026 AI SLA Vendor ChecklistDownload Free AI SOC SLA Guide

The post Hackers Turn 50+ Dormant GitHub Accounts Into a Network for Corporate Source Code Recon appeared first on Cyber Security News.






Abinaya





Go to cyber-security-news





Posted

in

, ,

by