Attackers Use Dormant GitHub Accounts to Conduct Stealthy Corporate Reconnaissance

Researchers at Datadog have identified multiple campaigns using years-old dormant GitHub accounts, compromised personal access tokens (PATs), and OAuth credentials to systematically map corporate GitHub organizations. The attackers leveraged the GitHub API to enumerate public repositories, organization members, user relationships, and project activity, allowing them to build detailed profiles of targeted organizations while blending into normal API traffic. In a small number of cases, the activity progressed beyond reconnaissance, with attackers successfully cloning private repositories using compromised credentials. The findings highlight how seemingly legitimate GitHub accounts and exposed access tokens can enable long-term, low-profile reconnaissance that may precede more targeted attacks.

Reference: thehackernews.com