Dormant GitHub Accounts Exploited in Corporate Reconnaissance Campaigns

Recent investigations have uncovered coordinated efforts by malicious actors to systematically map corporate GitHub organizations, repositories, and user accounts. These campaigns utilize the GitHub API to gather extensive information, potentially laying the groundwork for future attacks.

Exploitation of Dormant Accounts

Attackers are leveraging a combination of automated tools and compromised credentials to conduct their reconnaissance. Notably, they employ “ghost” accounts—GitHub accounts created two to five years ago and left inactive until now. By activating these dormant accounts, attackers can issue API requests that blend seamlessly with legitimate traffic, thereby avoiding detection.

In addition to these dormant accounts, the campaigns utilize compromised OAuth tokens and personal access tokens (PATs) from legitimate users. This multifaceted approach enables attackers to access a broad range of data without raising immediate red flags.

Scope of the Reconnaissance

The primary focus of these campaigns is the enumeration of public data. Attackers execute various API queries, including:

  • Listing an organization’s public repositories
  • Mapping user followers and following lists
  • Enumerating gists, starred repositories, and organizational memberships
  • Running GraphQL queries against public objects

While much of this information is publicly accessible, the systematic aggregation and analysis of such data can provide attackers with a comprehensive understanding of an organization’s GitHub activity. This intelligence can be instrumental in identifying potential vulnerabilities and planning targeted attacks.

Escalation to Private Data Access

In certain instances, the reconnaissance has escalated beyond public data collection. There have been reports of attackers successfully cloning private repositories from targeted organizations. This progression from passive data gathering to active intrusion underscores the evolving nature of these threats.

Individually, the API requests made during these campaigns may appear innocuous. However, when viewed collectively, the pattern of coordinated activity across multiple organizations reveals a deliberate and strategic effort to map and potentially exploit corporate GitHub environments.

Organizations must remain vigilant against such sophisticated reconnaissance campaigns. Regular monitoring of GitHub activity, prompt deactivation of unused accounts, and stringent access controls are essential measures to mitigate the risks associated with these emerging threats.