Jessica Entwistle
July 10 2026
Datadog Security Labs has warned of several overlapping campaigns that are systematically enumerating corporate GitHub organisations, repositories and user accounts through the GitHub API. The Hacker News reports that operators are relying on automated scraping tooling with custom or legitimate-sounding user agents, leveraging GitHub 'ghost' accounts that are often years old, or compromised OAuth tokens and personal access tokens. The campaigns are designed to map corporate development environments, identify potential targets and gather intelligence on code repositories, user permissions and organisational structure. The use of dormant accounts allows attackers to blend in with legitimate activity and avoid detection, as these accounts often have established histories and appear less suspicious than newly created profiles.
This matters because GitHub is a central part of how many organisations manage code, collaborate on development projects and maintain infrastructure-as-code configurations. Reconnaissance activity of this kind is typically a precursor to more targeted attacks, such as supply chain compromise, credential theft or the identification of vulnerable repositories. The use of dormant accounts is particularly concerning because it exploits the trust and legitimacy that comes with established profiles. For organisations that rely on GitHub for development, this is a reminder that access controls, API usage monitoring and account lifecycle management are not just administrative tasks but active security controls that need regular review. The fact that attackers are using legitimate-sounding user agents and established accounts suggests they are deliberately trying to avoid detection by blending in with normal activity, which makes traditional security monitoring less effective unless organisations have clear visibility into who should have access and what normal usage patterns look like.
For many organisations, this is a prompt to review GitHub access controls, API usage and account lifecycle management. Consider whether you have visibility into which accounts have access to your repositories, whether dormant or inactive accounts are being regularly reviewed and deactivated, and whether API usage is being monitored for unusual patterns. This is also a reminder to ensure that OAuth tokens and personal access tokens are managed with the same rigour as other credentials, including regular rotation, scope limitation and audit logging. Organisations should assess whether they have a clear process for offboarding users and revoking access when employees leave or change roles, and whether there are controls in place to detect and respond to unusual API activity or access patterns. This is also an opportunity to review whether your GitHub organisation settings, repository permissions and branch protection rules are aligned with the principle of least privilege, and whether you have the visibility and tooling in place to detect reconnaissance activity before it escalates into a more targeted attack.
Source: The Hacker News