Dormant GitHub Accounts Quietly Mapped Thousands of Organisations for Months

Criminals used more than 50 sleeping accounts to probe GitHub's public data systems in what security researchers call a sustained reconnaissance campaign.

ThreatVectr Newsdesk· 3 min read
Photoreal news-editorial style, 16:9 framing, full-frame edge-to-edge composition
Share

Key points

  • Over 50 dormant GitHub accounts, some created as long as five years ago, sent waves of automated scanning traffic targeting organisations and their members from at least October 2025.
  • The campaign used GitHub's public application programming interface (API), the system that lets software talk to GitHub's servers, to map companies, their employees, and the code projects those employees work on.
  • In some cases the criminals went further, using accidentally exposed login tokens from real GitHub users to access private, non-public repositories.
  • Datadog, the cloud-security company that spotted the activity, confirmed that data was successfully stolen from some targeted organisations.
  • The fake accounts disguised their traffic by naming themselves after everyday analytics or dashboard tools to blend in with normal activity.

A network of throwaway GitHub accounts, left untouched for years before being activated, spent months quietly mapping thousands of companies and their software projects, according to research published by cloud-security firm Datadog.

GitHub is the world's largest platform for storing and sharing software code. Companies use it to host internal projects, coordinate developers, and publish open-source tools.

The accounts ran automated scanners, software that fires off rapid, repetitive requests without any human clicking, against GitHub's API to pull back lists of organisations, their members, the code repositories (essentially folders of software files) they maintain, and the other accounts they follow. None of this required a password, because GitHub makes much of that information publicly available.

Why would criminals bother mapping information that is already public?

Public data is the starting point. By stitching together the names of employees, the projects they contribute to, and the tools a company appears to use, criminals can build a detailed picture of a target before attempting anything more serious. It is the digital equivalent of watching a building for weeks before testing the doors.

Datadog says the accounts worked in bursts lasting one to three weeks and used fake names designed to sound like legitimate software tools, avoiding the kind of suspicious labels that security teams watch for.

In at least one case the operation moved beyond public data. The criminals found login tokens, essentially digital keys, that real GitHub users had accidentally published inside their own code. Using those tokens, the attackers accessed private repositories over a window of just a few minutes. In a small number of cases, Datadog confirmed, files were actually stolen.

Since at least October 2025, more than 50 accounts have taken part across multiple overlapping waves of activity, first reported by SecurityWeek.

For ordinary developers and businesses using GitHub, the immediate practical steps are straightforward. Check that no passwords, API keys, or access tokens have been accidentally included in any code you have uploaded. Enable GitHub's audit log streaming feature, which records a running history of who accessed what and when. Review the list of applications and accounts that have permission to touch your repositories, and revoke anything unfamiliar.

Datadog also recommends building a baseline picture of what normal API traffic looks like in your environment, so that unusual bursts stand out quickly.

© 2026 Threat Vectr