Dormant GitHub accounts enable stealthy org and repo enumeration via API
Source headline: Dormant GitHub Accounts Help Attackers Blend In While Mapping Corporate Orgs
Intelligence Summary
Datadog Security Labs warns that threat actors are running multiple overlapping campaigns to enumerate GitHub organizations, repositories, and users. The activity uses automated scraping through the GitHub API with user agents that look legitimate or custom. Attackers may rely on long-dormant “ghost” accounts, or they may use compromised OAuth tokens to appear normal. This helps them map corporate GitHub ecosystems and identify targets for later exploitation. Organizations using GitHub should review token exposure, account activity, and API usage anomalies.
Recommended Action
Review affected assets, schedule urgent remediation, and monitor related indicators.