Search This Blog

Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Showing posts with label Datadog Security Labs. Show all posts

Datadog Uncovers Coordinated GitHub API Campaigns Targeting Organizations for Large-Scale Reconnaissance

 

Datadog Security Labs has identified multiple coordinated campaigns that are systematically using the GitHub API to enumerate corporate GitHub organizations, repositories, and user accounts. The activity highlights how attackers are leveraging both legitimate and compromised resources to gather intelligence on organizations while blending into normal API traffic.

"Operators rely on automated scraping tooling with custom or legitimate-sounding user agents, leveraging GitHub 'ghost' accounts that are often years old, or compromised OAuth tokens and personal access tokens (PATs) from legitimate users," Julie Agnes Sparks, senior security engineer at Datadog, said.

According to the security researchers, the majority of the observed activity has focused on collecting publicly available information. However, in a limited number of incidents, the attackers progressed beyond reconnaissance and successfully cloned private repositories.

The campaigns rely on a combination of automated scanning tools, more than 50 dormant GitHub accounts, and several legitimate accounts whose personal access tokens (PATs) had either been unintentionally exposed or compromised. These resources are used to perform extensive enumeration across multiple GitHub organizations.

A notable aspect of the operation is the use of so-called "ghost" accounts that were created between two and five years ago and deliberately left inactive before being activated for API-based reconnaissance. By using aged accounts instead of newly created ones, the attackers are able to make their activity appear more legitimate and reduce the likelihood of triggering security alerts.

Since a significant portion of GitHub's API can be accessed without authentication, the attackers are able to retrieve large amounts of publicly available data while remaining indistinguishable from routine API traffic. Their reconnaissance includes listing public repositories within organizations, mapping user followers and following relationships, identifying gists, starred repositories, and organization memberships, as well as executing GraphQL queries against public objects.

The collected information enables threat actors to build detailed profiles of an organization's GitHub environment, including its public repositories, contributors, developer relationships, and project activity. Such intelligence can be used to support future targeted attacks.

Datadog also confirmed that in a small number of cases, attackers escalated their activity by cloning a private repository belonging to a targeted organization, indicating that the campaigns can extend beyond information gathering.

"Individually, most of these requests are unremarkable. They hit public endpoints, authenticate cleanly or not at all, and return successful responses," Datadog said. "The concern lies in the aggregate: a group of accounts moving in sync across companies' GitHub organizations with versioned custom tooling iterating over weeks, and in the worst case, actors that stopped enumerating and started cloning."