🟡 Medium | Source: The Hacker News
Attackers are systematically mapping corporate GitHub organisations, repositories, and user accounts using the GitHub API, according to Datadog Security Labs. They are using automated scraping tools disguised with legitimate-sounding user agents, alongside dormant ‘ghost’ accounts that are often years old, or compromised OAuth tokens. This intelligence-gathering activity likely precedes targeted attacks such as supply chain compromises, credential theft, or targeted phishing.
Security Architect’s Take: Audit your GitHub organisation’s visibility settings and restrict public exposure of member lists, repositories, and team structures where possible. Review OAuth token grants and personal access tokens regularly, enforce token expiry policies, and enable GitHub’s audit log streaming to a SIEM to detect unusual API enumeration patterns.
Original advisory: Dormant GitHub Accounts Help Attackers Blend In While Mapping Corporate Orgs