THREAT actors are exploiting the GitHub API to systematically gather information about organizations, repositories, and user accounts. This activity has been ongoing for several months and involves the use of ghost accounts created years ago. Automated scanners and leaked credentials are being used to blend malicious requests with normal traffic, allowing attackers to map organizations and access various public data without authentication.
Although this reconnaissance rarely results in direct access, it poses significant risks and occasionally leads to data exfiltration from private repositories. Cybersecurity experts recommend monitoring user agent behavior, enabling GitHub audit log streaming, and proactively hunting for threats to detect and prevent such activities.