Hackers Exploit Dormant GitHub Accounts for Corporate Reconnaissance

Recent investigations have revealed that cybercriminals are reactivating over 50 dormant GitHub accounts to conduct extensive reconnaissance on corporate organizations, repositories, and developers. These accounts, inactive for years, have suddenly become active, systematically querying GitHub’s API to gather public information. In some instances, attackers have attempted—and occasionally succeeded—in accessing private source code repositories.

These coordinated campaigns, active since at least October, involve multiple overlapping operations utilizing automated tools, compromised access tokens, and networks of long-dormant ‘ghost’ accounts. Many of these accounts were created two to five years ago and remained inactive until they began making API requests across various GitHub organizations. This aging strategy likely helps attackers appear more legitimate compared to newly created accounts used for mass data scraping.

Attackers Hijack GitHub Accounts for Reconnaissance

The reactivated accounts exhibit recognizable naming patterns, including prefixes like ‘amazon-data-*’, the ‘-orb’ family, and repetitive usernames such as ‘BirdWithDreams’, ‘BirdWithPlan’, ‘user432023’, and ‘user412023’. Security researchers have confirmed that more than 50 such accounts have participated in reconnaissance activities, often operating for one to three weeks before going dormant again.

These attackers primarily target GitHub’s /graphql endpoint, which supports bulk requests for organization, user, and repository information. They also utilize REST API routes to list public repositories, organization memberships, followers, gists, starred projects, and user activity. Since much of this data is public, these requests often return successful HTTP responses, making the activity appear as legitimate use of the GitHub API.

By aggregating this information, attackers can construct detailed profiles of a company’s developers, projects, technology stack, open-source exposure, and potential targets for further compromise. Several campaigns have used suspicious user-agent strings, including ‘GitHub-Company-Scraper’, ‘GitHub-Scraper-Tool/1.0’, and ‘GitHubAnalytics/1.5’. Other tools attempt to appear legitimate by adopting names associated with analytics, dashboards, monitoring, or repository analysis.

One campaign utilized the simple request user agent, which stands out from the more common versioned tool names. Security researchers also identified activity involving stolen OAuth tokens and personal access tokens. Between late December and early January, the credentials of dozens of legitimate GitHub users were compromised and used to access a single organization within minutes. The operators cycled through user agents such as ‘GitHub-Commit-Fetcher/1.3’, ‘GitHub-Commit-Fetcher/1.4’, and ‘GitHub-Event-Fetcher/2.2’. These requests attempted to list repositories, retrieve commit data, and access private repository paths. While many private repository requests failed, there was at least one confirmed incident where a tool identified as ‘recon’ successfully accessed sensitive information.

This development underscores the evolving tactics of cybercriminals who exploit trusted platforms like GitHub to gather intelligence on corporate environments. Organizations must remain vigilant, regularly monitor for unusual account activities, and implement robust security measures to protect their repositories and developer accounts from such sophisticated reconnaissance efforts.