Old, Silent GitHub Accounts Are Being Used to Quietly Map Companies
Datadog Security Labs says several overlapping scraping campaigns are cataloguing corporate GitHub organisations using dormant 'ghost' accounts and stolen tokens.

Key points
- Datadog Security Labs reported in November 2025 that several overlapping campaigns are systematically scraping corporate GitHub organisations, repositories, and user accounts.
- The operators use automated tools that pretend to be normal web traffic, running through GitHub 'ghost' accounts that are often years old.
- Some campaigns also run on stolen OAuth tokens and personal access tokens taken from real developers.
- The activity is reconnaissance, meaning the attackers are mapping targets rather than breaking in, at least for now.
- Companies are being advised to audit which accounts and apps can read their GitHub organisation data.
Someone is quietly taking inventory of corporate code.
Researchers at Datadog Security Labs say they have spotted several overlapping campaigns crawling GitHub, the code-hosting site used by most of the world's software companies. The campaigns are pulling lists of organisations, repositories, and user accounts through GitHub's API, which is the machine-to-machine interface that lets software query the site automatically.
The finding was first reported by The Hacker News.
This is reconnaissance, not a break-in. The attackers are building a map: who works where, which company owns which project, which repositories exist. That kind of index is gold for later phishing, where criminals send fake emails to trick staff into handing over passwords, and for targeted attacks on the software supply chain.
Who is doing this?
Datadog has not named a single group, and that is the point. Its researchers describe "several overlapping campaigns," suggesting more than one operator is running similar playbooks at the same time. Some look like criminal crews doing pre-attack homework. Others could be data brokers or aggressive recruiters. The tooling and tradecraft overlap enough that telling them apart is hard.
What they share is a way of hiding in plain sight.
How are they staying hidden?
Three tricks, mainly.
First, the scrapers pretend to be normal software. They set what is called a user agent, the little label a program sends to identify itself, to something bland and legitimate-sounding. Nothing screams "scraper."
Second, they log in as ghosts. These are GitHub accounts that were created years ago, then left dormant. They have no code, no followers, no obvious purpose. But they are old, and age makes an account look real to automated defences. Some were probably made in bulk long before this campaign started, waiting for a use.
Third, and more worrying, some campaigns are running on stolen credentials. Datadog says the operators are using compromised OAuth tokens and personal access tokens. Those are digital keys that developers generate to let apps or scripts act on their behalf. If one leaks, whoever holds it can read whatever the original developer could read, including private company repositories.
Should ordinary companies worry?
Yes, but calmly.
If your organisation uses GitHub, someone may already have a list of your repositories and staff usernames. That is not a breach on its own. It becomes one when the list is used to send convincing phishing emails to your developers, or to hunt for a leaked password that unlocks a real repository.
The practical response is unglamorous. Review which OAuth apps have access to your GitHub organisation. Rotate personal access tokens, especially long-lived ones. Turn on required two-factor authentication across the org. Watch for API traffic from unfamiliar accounts, particularly ones with no meaningful history.
For individual developers, the advice is simpler: treat any token you generate like a house key. Give it the shortest life and the fewest permissions you can. If you stop needing it, delete it.
The scraping itself is quiet work. The noise comes later, when the map gets used.



