{"id":14204,"date":"2026-07-10T10:03:41","date_gmt":"2026-07-10T10:03:41","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/07\/10\/hackers-turn-50-dormant-github-accounts-into-a-network-for-corporate-source-code-recon\/"},"modified":"2026-07-10T10:03:41","modified_gmt":"2026-07-10T10:03:41","slug":"hackers-turn-50-dormant-github-accounts-into-a-network-for-corporate-source-code-recon","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/07\/10\/hackers-turn-50-dormant-github-accounts-into-a-network-for-corporate-source-code-recon\/","title":{"rendered":"Hackers Turn 50+ Dormant GitHub Accounts Into a Network for Corporate Source Code Recon"},"content":{"rendered":"<p>    Hackers Turn 50+ Dormant GitHub Accounts Into a Network for Corporate Source Code Recon<br \/>\n \t<BR><br \/>\n<BR><\/BR><br \/>\n    <!-- no image --><br \/>\n \t<BR><br \/>\n<BR><\/BR><\/p>\n<div>\n<p class=\"wp-block-paragraph\">Research has uncovered coordinated campaigns that use more than dormant <a href=\"https:\/\/cybersecuritynews.com\/megalodon-malware-github-repos\/\" target=\"_blank\" rel=\"noreferrer noopener\">GitHub accounts<\/a> to map corporate organizations, repositories, and developers.<\/p>\n<p class=\"wp-block-paragraph\">The activity relies on GitHub\u2019s API to collect public information. However, some operators have also attempted to access private source code repositories and, in rare cases, succeeded.<\/p>\n<p class=\"wp-block-paragraph\">The campaigns have been active since at least October. Rather than involving a single threat actor, the researchers observed multiple overlapping operations that used automated tools, compromised access tokens, and networks of long-dormant \u201cghost\u201d accounts.<\/p>\n<p class=\"wp-block-paragraph\">Many of the accounts were created two to five years ago. They remained inactive until they suddenly began making API requests across several GitHub organizations.<\/p>\n<p class=\"wp-block-paragraph\">This aging strategy may help attackers appear more legitimate than newly created accounts used for mass scraping.<\/p>\n<h2 id=\"h-hackers-hijack-github-accounts-for-recon\" class=\"wp-block-heading\"><strong>Hackers Hijack GitHub Accounts for Recon<\/strong><\/h2>\n<p class=\"wp-block-paragraph\">The accounts followed recognizable naming patterns, including the amazon-data-* prefix, the *-orb family, and repetitive usernames such as BirdWithDreams, BirdWithPlan, user432023, and user412023.<\/p>\n<p class=\"wp-block-paragraph\">Datadog confirmed that more than such accounts participated in reconnaissance activity, often operating for only one to three weeks before going quiet.<\/p>\n<figure class=\"wp-block-image size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhcUX_gjOtaeM8VbvJEoFB_yhFkqaVTBSuL-boolee6Jvzryrr9uJXXiPuVb5YTr1aDIc6TXi80ZuOn7qFIBTyC6ZY3rOjjcrDkeqm8Fv-od_H_wibiNJUAfCPf_9a6mJ1MkFXYRJn_fEOpI46DgxepBFFbX6GKtkPI1YKhxUmyf1kJeabEnQiOLywLOO0\/s1600\/Screenshot%25202026-07-10%2520122938%2520%25281%2529.webp?ssl=1\" alt=\"Attack flow of coordinated GitHub API enumeration and access token abuse ( source : securitylabs.datadoghq )\"><figcaption class=\"wp-element-caption\">Attack flow of coordinated GitHub API enumeration and access token abuse ( source: securitylabs.datadoghq )<\/figcaption><\/figure>\n<p class=\"wp-block-paragraph\">The attackers primarily queried GitHub\u2019s \/graphql endpoint, which supports bulk requests for organization, user, and repository information.<\/p>\n<p class=\"wp-block-paragraph\">They also used REST API routes to list public repositories, organization memberships, followers, gists, starred projects, and user activity.<\/p>\n<p class=\"wp-block-paragraph\">Because much of this data is public, the requests often return successful HTTP responses. They may appear to be legitimate use of the <a href=\"https:\/\/cybersecuritynews.com\/north-korea-aligned-hackers-abuse-github-repositories\/\" target=\"_blank\" rel=\"noreferrer noopener\">GitHub API.<\/a><\/p>\n<p class=\"wp-block-paragraph\">Attackers can use this information to build a detailed picture of a company\u2019s developers, projects, technology stack, open-source exposure, and potential targets for further compromise.<\/p>\n<p class=\"wp-block-paragraph\">Several campaigns used suspicious user-agent strings, including GitHub-Company-Scraper, GitHub-Scraper-Tool\/1.0, and GitHubAnalytics\/1.5.<\/p>\n<figure class=\"wp-block-image size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEghyphenhyphenayU-re-BtGcaeriGxcc_F1CcZjtQmwkkzLqUKxi44C9bwWcp_o2HIXWh6FkmLz_3jVOBWXH6s3Vb3gJqBQPf0PVJECMA6iawky-71mKRkIiIiw68riVxZyyIRZ1aDDRjaNH_XPofT7-o4Ig9qyhW7NnCmbP2C7w8oUdb0D9vujdo1hr9gnkUDlWIl4\/s1600\/Screenshot%25202026-07-10%2520123010%2520%25281%2529.webp?ssl=1\" alt=\"BirdWithPlan GitHub user ( source : securitylabs.datadoghq )\"><figcaption class=\"wp-element-caption\">BirdWithPlan GitHub user (source: securitylabs.datadoghq )<\/figcaption><\/figure>\n<p class=\"wp-block-paragraph\">Other tools attempted to appear legitimate by using names linked to analytics, dashboards, monitoring, or repository analysis.<\/p>\n<p class=\"wp-block-paragraph\">One campaign used the simple request user agent, which stands out from the more common versioned tool names. Datadog also identified activity involving <a href=\"https:\/\/cybersecuritynews.com\/github-hackers-stolen-oauth\/\" target=\"_blank\" rel=\"noreferrer noopener\">stolen OAuth tokens<\/a> and personal access tokens.<\/p>\n<p class=\"wp-block-paragraph\">Between late December and early January, the credentials of dozens of legitimate GitHub users were compromised and used to access a single organization within minutes.<\/p>\n<p class=\"wp-block-paragraph\">The operators cycled through user agents such as GitHub-Commit-Fetcher\/1.3, GitHub-Commit-Fetcher\/1.4, and GitHub-Event-Fetcher\/2.2.<\/p>\n<p class=\"wp-block-paragraph\">These requests attempted to list repositories, retrieve commit data, and access private repository paths.<\/p>\n<p class=\"wp-block-paragraph\">While many private repository requests failed, <a href=\"https:\/\/securitylabs.datadoghq.com\/articles\/coordinated-github-api-enumeration\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Datadog documented one confirmed incident<\/a> in which a tool identified as repo-dumper successfully executed git clone and API actions against a private repository.<\/p>\n<p class=\"wp-block-paragraph\">The campaign highlights how public GitHub metadata can support corporate reconnaissance before attackers attempt credential abuse or source code theft.<\/p>\n<p class=\"wp-block-paragraph\">Security teams should enable GitHub audit log streaming and establish a baseline of normal API activity in their environments.<\/p>\n<p class=\"wp-block-paragraph\">Defenders should investigate successful API requests, Git clone operations, and ZIP downloads involving private repositories, especially when OAuth tokens or personal access tokens are used.<\/p>\n<p class=\"wp-block-paragraph\">Key signals include unusual user agents, unexpected account activity, suspicious token types, abnormal request volume, and source infrastructure linked to hosting providers such as 3xktech[.]cloud and cherryservers[.]com.<\/p>\n<p class=\"has-text-align-center has-background wp-block-paragraph\" style=\"background:linear-gradient(180deg,rgb(238,238,238) 87%,rgb(169,184,195) 100%)\"><strong>Stop Accepting SLAs Written for 2019 SOCs \u2013 Here\u2019s the 2026 AI SLA <strong>Vendor<\/strong> Checklist<\/strong> \u2013 <strong><a href=\"https:\/\/underdefense.com\/ai-soc-sla-in-2026-mttr-benchmarks-clause-tables-negotiation-checklist\/?utm_source=cybersecuritynews.com&amp;utm_medium=online_media&amp;utm_campaign=csn_linkedin_newsletter_aisoc_sla_july_2026\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Download Free <strong>AI SOC SLA <\/strong>Guide<\/a><\/strong><\/p>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/hackers-turn-dormant-github-accounts-for-recon\/\">Hackers Turn 50+ Dormant GitHub Accounts Into a Network for Corporate Source Code Recon<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p> \t<BR><br \/>\n <BR><\/BR><br \/>\n    Abinaya<br \/>\n \t<BR><br \/>\n<BR><\/BR><br \/>\n<a href=\"https:\/\/cybersecuritynews.com\/hackers-turn-dormant-github-accounts-for-recon\/\">Go to cyber-security-news<\/a><br \/>\n \t<BR><br \/>\n <BR><\/BR><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Hackers Turn 50+ Dormant GitHub Accounts Into a Network for Corporate Source Code Recon Research has uncovered coordinated campaigns that use more than dormant GitHub accounts to map corporate organizations, repositories, and developers. The activity relies on GitHub\u2019s API to collect public information. However, some operators have also attempted to access private source code repositories [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,899],"tags":[130],"class_list":["post-14204","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-github","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/14204"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=14204"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/14204\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=14204"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=14204"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=14204"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}