Attackers Systematically Reconnaissance Corporate GitHub Organisations Using Dormant Accounts and Stolen Tokens
Datadog Security Labs has identified multiple coordinated campaigns conducting API-driven enumeration of corporate GitHub organisations, repositories, and user accounts. Attackers operate through years-old dormant accounts and compromised OAuth tokens, enabling reconnaissance at scale while evading detection.
Affected
Multiple threat actors are conducting systematic reconnaissance of corporate GitHub infrastructure through the GitHub API. Rather than creating fresh accounts that might trigger automated detection, attackers are leveraging old dormant accounts (sometimes dormant for years) or compromised OAuth tokens to perform enumeration. This technique reduces the likelihood of rapid identification since the reconnaissance activity appears to originate from legitimate, historical accounts rather than newly-created suspicious ones.
The technical approach involves automated scraping tools equipped with custom or legitimate-appearing user agents to query GitHub's API endpoints. Operators can enumerate organisation membership, repository structures, access control configurations, and user account metadata at scale. This reconnaissance phase is typically a precursor to further attacks such as credential stuffing, supply chain compromise, or targeted social engineering against key organisation members identified through the API results.
This campaign reveals a gap in GitHub's security posture: the platform appears to lack effective rate-limiting or anomaly detection on API queries originating from old accounts with unusual access patterns. Compromised OAuth tokens represent a persistent threat because revocation requires organisational awareness of the compromise and proactive token management practices that many teams do not implement consistently.
Organisations should assume their GitHub organisation structure and user mappings are now visible to a broad set of threat actors. Defenders should implement API query monitoring, restrict organisation visibility settings to members-only where feasible, audit token provisioning and expiration policies, and disable access for dormant organisation members or service accounts. Git logs and push activity should be reviewed for signs of unauthorised access.
The broader implication is that reconnaissance of code repositories and development infrastructure is becoming increasingly automated and tooled. Traditional reliance on GitHub's default privacy model is insufficient for high-value targets. This activity likely precedes supply chain attacks, source code theft, or targeted compromise of developer accounts with access to production systems.
Sources