Type
Campaign
Actors
Pub. date
July 8, 2026
Initial access
Exposed secret
Impact
Data exfiltration
Observed techniques
Targeted technologies
Status
Finalized
Last edited
Jul 15, 2026 12:48 PM
Datadog Security Labs identified multiple coordinated campaigns abusing the GitHub API to systematically enumerate organizations, repositories, users, and software development activity at scale. The activity primarily relied on legitimate GitHub functionality, including dormant ("ghost") GitHub accounts and valid Personal Access Tokens (PATs) or OAuth tokens, allowing attackers to blend into normal developer traffic. While much of the observed activity focused on reconnaissance of public repositories, Datadog also identified cases where compromised credentials enabled unauthorized access to private repositories, highlighting GitHub as an increasingly attractive target for intelligence gathering and supply chain attacks.