GitHub API enumeration campaign targeting corporate organizations
Campaign
Summary
Hide ▲
Show ▼
A GitHub API reconnaissance campaign is systematically mapping corporate organizations, repositories, and user accounts across multiple companies, expanding the risk of follow-on abuse. The operators mix automated scraping tooling with legitimate-sounding user agents and long-dormant ghost accounts to blend into normal API traffic. They also reuse compromised OAuth tokens and personal access tokens (PATs) from legitimate users. In some cases, the activity has progressed from public-data collection to private-repository cloning.
Related Happenings
Single organization's private GitHub repository cloned after confirmed access
Data Leak
H score12
First: 09.07.2026 21:38
Last: 09.07.2026 21:38
Sources 1
How related:
Data access has been confirmed in a few scenarios, with the attackers taking steps to clone a private repository belonging to a single organization.
About this happening:
**Confirmed access** to a **private GitHub repository** belonging to **one organization** marks a concrete **data exposure** and raises the risk of source-code or internal-content...
Single organization's private GitHub repository cloned after confirmed access
Data LeakHow related: Data access has been confirmed in a few scenarios, with the attackers taking steps to clone a private repository belonging to a single organization.
About this happening: **Confirmed access** to a **private GitHub repository** belonging to **one organization** marks a concrete **data exposure** and raises the risk of source-code or internal-content...
GitHub Agentic Workflows indirect prompt injection security flaw
Vulnerability
H score27
First: 07.07.2026 17:04
Last: 07.07.2026 17:04
Sources 1
About this happening:
**GitHub Agentic Workflows** has an **indirect prompt injection** flaw that can let a **public issue** leak content from **private repositories** into public comments. The risk is...
GitHub Agentic Workflows indirect prompt injection security flaw
VulnerabilityAbout this happening: **GitHub Agentic Workflows** has an **indirect prompt injection** flaw that can let a **public issue** leak content from **private repositories** into public comments. The risk is...
North Korean Contagious Interview PolinRider supply-chain campaign
Campaign
H score51
First: 04.07.2026 14:17
Last: 04.07.2026 14:17
Sources 1
About this happening:
The **Contagious Interview / PolinRider** campaign is still active, with **108 unique packages and browser extensions** published across **npm, Packagist, Go, and Google Chrome**....
North Korean Contagious Interview PolinRider supply-chain campaign
CampaignAbout this happening: The **Contagious Interview / PolinRider** campaign is still active, with **108 unique packages and browser extensions** published across **npm, Packagist, Go, and Google Chrome**....
GitBait phishing campaign targeting Mexican banks
Campaign
H score20
First: 17.06.2026 17:00
Last: 17.06.2026 17:00
Sources 1
About this happening:
A **long-running GitBait phishing campaign** is stealing **banking credentials** from customers of **Mexican financial institutions**, using **GitHub Pages** and **SheetBest** to...
GitBait phishing campaign targeting Mexican banks
CampaignAbout this happening: A **long-running GitBait phishing campaign** is stealing **banking credentials** from customers of **Mexican financial institutions**, using **GitHub Pages** and **SheetBest** to...
North Korea-aligned developer-targeting operations shift from fake interviews to recruitment phishing at scale
Threat Actor Meta
H score31
First: 15.06.2026 22:32
Last: 15.06.2026 22:32
Sources 1
About this happening:
North Korea-aligned developer-targeting operations are shifting from **fake interviews** to **recruitment-themed phishing** at scale, increasing the risk of industrialized **crede...
North Korea-aligned developer-targeting operations shift from fake interviews to recruitment phishing at scale
Threat Actor MetaAbout this happening: North Korea-aligned developer-targeting operations are shifting from **fake interviews** to **recruitment-themed phishing** at scale, increasing the risk of industrialized **crede...
Timeline
-
09.07.2026 21:38 2 articles · 2h ago
Datadog Security Labs warns of GitHub API enumeration campaigns
Initial DisclosureDatadog Security Labs warns that several overlapping campaigns are systematically enumerating corporate GitHub organizations, repositories, and user accounts through the GitHub API. The operators use automated scraping tooling, custom or legitimate-sounding user agents, long-dormant GitHub 'ghost' accounts, and compromised OAuth tokens and personal access tokens (PATs) to blend in with normal API traffic; in a few cases, the activity has progressed from public-data collection to cloning a private repository belonging to a single organization.
Show sources
- Dormant GitHub Accounts Help Attackers Blend In While Mapping Corporate Orgs — thehackernews.com — 09.07.2026 21:38
- Dormant GitHub Accounts Help Attackers Blend In While Mapping Corporate Orgs — thehackernews.com — 09.07.2026 21:38