Datadog Security Labs warns of overlapping campaigns using dormant GitHub 'ghost' accounts and compromised tokens to map corporate organizations, repos, and users via the GitHub API.
Datadog Security Labs recently dropped a warning that's turning heads in the cybersecurity world. They've spotted several overlapping campaigns where attackers are quietly mapping out corporate GitHub organizations, repositories, and user accounts using the GitHub API. And the kicker? These attackers are hiding in plain sight with 'ghost' accounts that have been dormant for years.
This isn't your run-of-the-mill hacking spree. It's a calculated, slow-burn operation that feels more like a reconnaissance mission than a smash-and-grab. The goal here isn't just to steal code; it's to build a detailed map of who's who and what's what inside a company's development ecosystem. Think of it as casing the joint before the real heist.
### How the Attackers Operate
So, how are they pulling this off? It's all about blending in. These operators use automated scraping tools with user agents that sound totally legit—custom strings that mimic real developers or even legitimate services. They're not triggering alarms because they look like normal traffic.
But here's where it gets clever: they rely on GitHub accounts that are years old, often created and then left idle. These 'ghost' accounts have no suspicious activity history, making them perfect for flying under the radar. In some cases, they're using compromised OAuth tokens or personal access tokens that were never revoked. It's a classic case of exploiting trust and neglect.
- Dormant accounts: Years old, no recent activity, no red flags.
- Legitimate user agents: Custom strings that mimic real tools or services.
- Compromised tokens: OAuth or personal tokens that should have been rotated.
### Why This Matters for Your Security Posture
If you're responsible for a corporate GitHub organization, this should be a wake-up call. The attackers aren't just grabbing public data; they're enumerating private repos, user permissions, and internal structures. Once they have that map, they can pivot to more targeted attacks—like spear-phishing a developer with access to sensitive code or exploiting a misconfigured repo.
Think about it: a single compromised token could give an attacker a bird's-eye view of your entire development pipeline. And because these accounts are so old, they often slip through automated security checks. Your typical monitoring tools might flag a new account making API calls, but a five-year-old account? That's just normal activity.
### Steps to Protect Your Organization
Here's what you can do to shut this down:
**Audit your dormant accounts.** Go through every GitHub account tied to your org. If an account hasn't been used in over a year, disable it or at least review its permissions. Attackers love these because they're invisible.
**Rotate tokens regularly.** OAuth and personal access tokens should have expiration dates. If you're still using tokens that never expire, you're leaving the door wide open. Set a policy to rotate them every 90 days.
**Monitor API usage patterns.** Look for unusual spikes in API calls from a single account, especially if that account has been idle. A sudden burst of enumeration activity is a huge red flag.
**Enable two-factor authentication.** This one's a no-brainer. Even if an attacker gets a password, 2FA can stop them cold. Make it mandatory for all users with access to private repos.
**Review user agents in logs.** If you see custom user agents that don't match known tools, dig deeper. Attackers often craft these to look legitimate, but they can still be caught with the right analysis.
### The Bigger Picture
This isn't just about GitHub. It's a reminder that attackers are getting more patient and more sophisticated. They're not breaking down the door; they're picking the lock with a key they found in the garden. Dormant accounts, old tokens, and neglected permissions are the low-hanging fruit that every company needs to address.
Datadog's warning is a gift, really. It gives you a chance to patch these holes before someone exploits them. So take a hard look at your GitHub environment today. The ghost accounts are out there, but they don't have to be a threat.
Stay sharp, and remember: in cybersecurity, the quiet ones are often the most dangerous.