Updated
Updated · InfoWorld · Jul 8
Threat Actors Abuse GitHub APIs With 50+ Ghost Accounts for Enterprise Reconnaissance
Updated
Updated · InfoWorld · Jul 8

Threat Actors Abuse GitHub APIs With 50+ Ghost Accounts for Enterprise Reconnaissance

3 articles · Updated · InfoWorld · Jul 8

Summary

  • Datadog tracked months of GitHub API abuse in which attackers mapped enterprises, members and repositories, then in some cases moved to cloning private code or probing commit paths with compromised accounts.
  • More than 50 dormant “ghost” accounts—often two to five years old—used custom scraper tools and GitHub’s /graphql API to blend bulk reconnaissance into normal-looking traffic, usually in one- to three-week bursts.
  • GitHub’s public-by-design API surface and limited geolocation data on external-resource access make attribution difficult, while leaked OAuth tokens, personal access tokens and exposed endpoints give some campaigns legitimate account access.
  • Researchers said defenders should stream audit logs, baseline user agents, hunt unusual ASN, token-type and actor patterns, and tighten basics such as MFA, access reviews and plaintext-secret scanning.

Insights

With attackers mimicking normal traffic, how can security teams reliably distinguish malicious API reconnaissance from legitimate developer activity?
Beyond rotating credentials, what fundamental architectural shift is needed to secure the software supply chain against increasingly sophisticated attacks?
As developers adopt AI tools, how can companies balance innovation speed with the escalating risk of AI-generated security flaws?

Stargazer Goblin’s $100,000 GitHub Malware Scheme: Inside a 3,000-Account Cybercrime Network Threatening the Software Supply Chain

Overview

Stargazer Goblin is a sophisticated cybercrime operation that has been abusing GitHub’s infrastructure and APIs since August 2022. It pioneered a large-scale scheme for enterprise reconnaissance and malware distribution, identified as the first of its kind on GitHub. The group uses a vast network of 'ghost' accounts, forming the Stargazers Ghost Network, which operates not only on GitHub but also on platforms like Discord, Facebook, Instagram, X, and YouTube. By leveraging these ghost accounts, Stargazer Goblin functions as a Distribution-as-a-Service (DaaS), spreading malware and posing a persistent threat to the software supply chain.

...