Datadog: 50+ dormant GitHub accounts mapping org charts
Datadog Security Labs documents 50+ dormant GitHub accounts running months-long enumeration of corporate orgs, repos, and — in some cases — private code.
Datadog Security Labs published research on Wednesday that puts a number on something that has been sitting in the background of every GitHub-adjacent conversation for the last two years. Since October 2025, Julie Agnes Sparks and the Datadog team have been watching more than fifty long-dormant GitHub accounts wake up in coordinated bursts, walk their way through the public surface of specific corporate GitHub organizations, and — in a smaller set of cases — pivot into private repositories using tokens harvested from legitimate developer accounts. The Hacker News picked up the writeup on Thursday. Neither piece names the victim organizations, and neither should be read as reporting a single incident. What Datadog is describing is a background pattern with a shape.
The mechanical picture is worth reading in Datadog’s own words before drawing anything from it. “More than 50 ghost accounts across multiple user agents participated in this enumeration since we began monitoring in October 2025,” Sparks writes; the ghost accounts are two to five years old, seeded and left inactive on purpose so that by the time they matter they look no different from any other developer who signed up during the pandemic and drifted away. The custom tooling behind them is versioned — GitHub-Commit-Fetcher/1.3, GitHub-Scraper-Tool/1.0, GitHubAnalytics/1.5, repo-dumper — and iterates over weeks in a way that suggests engineering rather than a one-off script. The API endpoints exercised are exactly the ones anyone doing legitimate developer-relations work would hit: the GraphQL endpoint most of all, plus the organization-repositories list, the user-repositories list, and the follower graph. Nothing here is unauthenticated abuse of a bug; it is authenticated abuse of published API contracts.
The second half of the story is the one worth pausing on. In late December 2025 and early January 2026, Datadog saw “dozens of distinct legitimate GitHub user accounts” hitting a single target organization inside a window of minutes, going after private repository paths through OAuth and personal access tokens that were flagged as programmatic_access_type in the audit trail. One case combined repo-dumper with a mix of git.clone and api.request events into private paths from accounts that were already known to be compromised. That is the payoff for the earlier stages: months of public enumeration to map who owns what, and then a much shorter window in which the stolen credentials get turned into actual cloned repos before somebody notices.
Analysis: reconnaissance was always the boring part
Analysis, not incident reporting. No specific victim has been named, and Datadog’s post is a pattern writeup rather than a breach disclosure. What follows is a reading of the pattern.
For the audience that runs a corporate GitHub org, the question this research forces is whether the reconnaissance surface — the set of things an attacker can learn about your organization without any credentials at all — is being treated as a surface at all, or whether it is still being treated as marketing. The follower graph, the public repository list, the org membership disclosure, the gists, the starred repos — these were designed to make open-source participation legible. They also make an org’s engineering headcount, its team structure, and its likely internal repo naming conventions legible, and they do so to anyone with a browser. That was true a decade ago too, and it was true when the same enumeration problem played out on LinkedIn and on whois records before that. The novelty is not the enumeration. The novelty is the camouflage.
The dormant account is the interesting piece. It is a small, cheap, patient investment: a burner identity sat idle for years so that on the day it needs to make its first API call it registers as a real developer rather than an obvious scraper. The same trick has surfaced across every platform that ever tried to rate-limit by account age — social media, ad networks, marketplaces — and each generation of platform learned the same lesson late. The lesson is that account age is a signal of nothing on its own; it is only a signal of care taken by whoever is running the operation. Fifty ghost accounts is not the ceiling here. It is what one research team happened to be able to correlate.
Datadog’s detection guidance points at the seam that is actually load-bearing. Watching for programmatic_access_type OAuth or PAT tokens touching non-public repository paths through evt.action:api.request or git.clone is the specific check that survives even when the surrounding enumeration is invisible; the enumeration is loud only in aggregate, but the private-repo pivot is loud in the individual token. That is the point at which the org actually loses something, and it is the point at which a defender still has a chance to catch the operation before the clone finishes.
The broader piece to sit with is that this is the same intelligence-collection cycle that has been running against every platform that publishes structured data about its users, run by whoever has the patience to run it. The pattern is old. What has changed is the price of patience — the ghost account is cheap enough now that the barrier to running an enumeration campaign is engineering time, not infrastructure. That trade is not going to reverse. The same mistake, different decade, wearing a slightly better costume.
Related coverage
- GitLost: Noma Security’s public-issue prompt injection leaking private GitHub repos, 2026-07-08
- GitHub verified-commit hash malleability, Ginesin research, 2026-07-08
- npm 12 disables install scripts by default, GATs deprecated, 2026-07-09
- ChocoPoc RAT and fake-PoC repos on GitHub and PyPI, YesWeHack research, 2026-07-03
Sources
Found this useful? Share it.
