The Containment Era is here. →Explore

Executive Summary

In July 2026, Datadog Security Labs identified multiple coordinated campaigns systematically enumerating corporate GitHub organizations, repositories, and user accounts via the GitHub API. Attackers utilized automated scraping tools with custom or legitimate-sounding user agents, leveraging dormant 'ghost' accounts—created two to five years prior and left inactive—as well as compromised OAuth tokens and personal access tokens (PATs) from legitimate users. While much of the activity targeted public data, some instances involved cloning private repositories, indicating a significant escalation in threat actor capabilities.

This incident underscores the evolving tactics of threat actors who exploit dormant accounts and compromised credentials to conduct reconnaissance and access sensitive information. Organizations must enhance their monitoring of API activities and implement robust access controls to mitigate such risks.

Why This Matters Now

The strategic use of dormant GitHub accounts and compromised tokens for enumeration and potential data exfiltration highlights the need for organizations to proactively monitor and secure their development environments against sophisticated supply chain attacks.

Attack Path Analysis

MITRE ATT&CK® Techniques

Potential Compliance Exposure

Sector Implications

Sources

Frequently Asked Questions

'Ghost' accounts refer to GitHub accounts created years ago and left inactive, which attackers later activate to conduct malicious activities without raising immediate suspicion.

Cloud Native Security Fabric Mitigations and ControlsCNSF

Aviatrix Zero Trust CNSF is pertinent to this incident as it would likely limit attackers' ability to exploit GitHub accounts, escalate privileges, and exfiltrate sensitive data by enforcing strict segmentation and identity-aware policies.

Initial Compromise

Control: Cloud Native Security Fabric (CNSF)

Mitigation: The attacker's ability to enumerate corporate organizations and repositories would likely be constrained, reducing the scope of initial reconnaissance.

Privilege Escalation

Control: Zero Trust Segmentation

Mitigation: The attacker's ability to escalate privileges within the GitHub environment would likely be limited, reducing the potential for unauthorized access.

Lateral Movement

Control: East-West Traffic Security

Mitigation: The attacker's ability to move laterally to other repositories or services would likely be constrained, reducing the risk of accessing sensitive data.

Command & Control

Control: Multicloud Visibility & Control

Mitigation: The attacker's ability to establish and maintain command and control channels would likely be constrained, reducing persistent access to compromised assets.

Exfiltration

Control: Egress Security & Policy Enforcement

Mitigation: The attacker's ability to exfiltrate sensitive data to external locations would likely be constrained, reducing the risk of data breaches.

Impact (Mitigations)

The potential impact of data breaches and operational disruptions would likely be reduced, limiting the overall damage to the organization.

Impact at a Glance

Affected Business Functions

  • Software Development
  • Version Control
  • Continuous Integration/Continuous Deployment (CI/CD)
Operational Disruption

Estimated downtime: N/A

Financial Impact

Estimated loss: N/A

Data Exposure

Potential exposure of private repositories and associated intellectual property.

Recommended Actions

  • Implement Zero Trust Segmentation to enforce least privilege access controls, limiting lateral movement within repositories.
  • Enhance Threat Detection & Anomaly Response capabilities to identify and respond to unusual API activity indicative of enumeration or data exfiltration.
  • Utilize Multicloud Visibility & Control to monitor and manage access across cloud services, ensuring comprehensive oversight.
  • Apply Egress Security & Policy Enforcement to restrict unauthorized data transfers from repositories to external destinations.
  • Regularly audit dormant accounts and enforce strict access policies to prevent their misuse in enumeration attacks.

Secure the Paths Between Cloud Workloads

A cloud-native security fabric that enforces Zero Trust across workload communication—reducing attack paths, compliance risk, and operational complexity.

Cta pattren Image