Datadog Warns of Coordinated GitHub API Enumeration Campaigns Targeting Organizations
- Datadog GitHub API enumeration campaigns: Coordinated attackers mapped GitHub organizations using ghost accounts, automated tools, and compromised access tokens.
- Private repository access: Researchers observed limited cases where stolen tokens enabled the successful cloning of private GitHub repositories.
- Security guidance: Datadog urges organizations to monitor audit logs, suspicious user agents, and unusual API activity.
Datadog Security Research has uncovered multiple coordinated campaigns abusing the GitHub API to systematically map organizations, repositories, and user accounts. While much of the activity focused on collecting publicly available information, researchers also observed limited cases where attackers gained access to private repositories after abusing compromised GitHub access tokens.
The findings were published by Datadog Security Research as part of an official report detailing activity observed over several months.
Automated GitHub API Requests Used for Large-Scale Reconnaissance
According to Datadog, the activity involves several overlapping campaigns rather than a single threat actor. Attackers rely on automated tools, dormant "ghost" GitHub accounts, and stolen authentication tokens to gather information about corporate GitHub organizations.
Researchers have tracked more than 50 ghost accounts since monitoring began in October 2025. These accounts were created years earlier, remained inactive for long periods, and later became active for short bursts lasting one to three weeks. Using older accounts makes the activity appear more legitimate than newly created profiles.
The campaigns primarily queried GitHub's public API endpoints, especially the GraphQL interface, which allows large amounts of publicly available information about organizations, repositories, contributors, and user relationships to be collected efficiently.
Because these requests target public data and usually return successful responses, they closely resemble normal API traffic and often avoid triggering authentication alerts.
Datadog says GitHub audit logs still record useful information such as the GitHub account making requests and the type of access token being used, although geolocation data is unavailable for requests involving external resources.
Stolen Tokens Enabled Attempts to Access Private Repositories
Beyond public data collection, researchers identified campaigns using compromised GitHub OAuth tokens and Personal Access Tokens (PATs) belonging to legitimate users.
Between late December 2025 and early January 2026, Datadog tracked a campaign that progressed through several custom user agents, including GitHub-Commit-Fetcher/1.3, GitHub-Commit-Fetcher/1.4, and GitHub-Event-Fetcher/2.2. The infrastructure supporting this activity was hosted by 3xK Tech, a provider that Datadog says has previously appeared in abuse reports.
These compromised tokens were used to enumerate repositories, retrieve commit information, and probe private repository paths. Although many attempts failed, researchers observed one confirmed incident in which a tool identified as repo-dumper successfully cloned data from a private repository. GitHub audit logs recorded both git.clone and api.request events associated with the unauthorized access.
Datadog notes that the same GitHub accounts involved in the successful activity had previously appeared in unsuccessful attempts against the organization.
Datadog Recommends Monitoring GitHub Audit Logs
The research highlights that organizations should pay close attention to successful access involving private repositories rather than focusing only on failed authentication attempts.
Datadog recommends monitoring GitHub audit logs for unusual user agents, unexpected OAuth or Personal Access Token activity, and actions involving private repositories. Suspicious user agents often imitate legitimate software names while using generic version numbers such as "/1.0" or "/1.1".
The company also advises organizations to establish a baseline of normal GitHub activity, enable GitHub audit log streaming, and proactively hunt for unusual API requests that differ from expected behavior.
For users, the report serves as a reminder that attackers do not always rely on anonymous networks to conduct reconnaissance. By abusing legitimate GitHub accounts, compromised access tokens, and public API endpoints, malicious activity can closely resemble normal developer operations, making detection significantly more challenging.
Datadog's findings are based on its own Security Research team's investigation and include indicators of compromise, suspicious user agents, and detection guidance for defenders. Organizations using GitHub are encouraged to review their audit logs and strengthen monitoring for unusual API activity.







