Criminals Are Using GitHub's Own Public Tools to Map Your Company Before They Strike
Researchers at Datadog tracked months of quiet, automated snooping across GitHub that blends perfectly into normal traffic, and most organisations never notice it happening.

Key points
- Datadog Security Research identified more than 50 dormant "ghost" accounts used in coordinated reconnaissance campaigns across GitHub over several months in 2024.
- Attackers used fake automated tools with plausible names like GitHub-Company-Scraper and GitHubAnalytics/1.5 to disguise their activity as routine data analysis.
- GitHub's public API, meaning the programming interface that lets software talk to GitHub, can be queried by anyone without logging in, which is by design but also what makes this abuse possible.
- In one recorded incident, dozens of separately compromised legitimate GitHub accounts all queried the same organisation within a few minutes of each other.
- Defenders can detect this activity by watching audit logs for unusual automated tool names, suspicious access patterns, and accounts probing private repositories.
GitHub sits at the centre of how modern software gets built. Millions of companies store their code there, and buried inside that code are often passwords, secret keys, and credentials that unlock cloud systems, databases, and internal tools. That makes it one of the most attractive targets on the internet for criminals looking to break into organisations before those organisations even know they are being watched.
Researchers at Datadog Security Research published findings this week describing what they call a sustained pattern of abuse targeting GitHub's API. An API, short for application programming interface, is a set of channels that let one piece of software talk to another. GitHub's API is intentionally open: a large portion of it requires no login at all.
How are criminals using GitHub against companies?
They are building detailed maps of organisations without ever needing to log in. By sending quiet, automated requests to GitHub's public API, criminals can learn which employees belong to an organisation, which code repositories exist, who follows whom, and which projects are active. None of those individual requests look suspicious. The danger, Datadog senior security engineer Julie Agnes Sparks wrote in her research post, lies in the pattern across weeks and dozens of companies at once.
The campaigns used so-called ghost accounts: real GitHub profiles created two to five years ago and left idle, so they look like ordinary developers. Researchers found more than 50 of these accounts, clustered in naming patterns like user432023 or kobalt followed by a number. Each campaign typically ran for one to three weeks, then went quiet.
Some attacks went further, using credentials that real developers had accidentally posted inside their own code, such as OAuth tokens or personal access tokens (PATs), which are passwords that grant automated tools access to a GitHub account. With those, criminals could reach private repositories and hunt for proprietary code or security weaknesses.
The goal, as Datadog's research makes clear and as David Shipley of Beauceron Security confirmed, is almost always to find secrets: API keys and cloud credentials that unlock far bigger targets. With AI coding tools now producing code faster than ever, Shipley noted, the volume of accidentally stored secrets is probably growing.
What ordinary employees and developers should do: If you work with code, never paste passwords, keys, or tokens directly into a file stored on GitHub. Use a dedicated secret-management tool instead. Enable two-factor authentication (a second login check beyond just a password) on your GitHub account.
For security teams, Sparks recommended enabling GitHub audit log streaming, reviewing any unusual automated tool names appearing in those logs, and building detections tuned to what normal activity looks like inside your specific organisation. Periodic reviews of which accounts still need access, and removing ones that do not, close off the dormant-account route entirely.
This story was first reported by CSO Online.



