Find notable cyber news and cases, enriched with sources, timelines, and signals.

GitHub API enumeration campaign targeting corporate organizations

Campaign
First reported
Last updated
Happening score
H score 17
1 unique sources, 1 articles

Summary

Hide ▲

A GitHub API reconnaissance campaign is systematically mapping corporate organizations, repositories, and user accounts across multiple companies, expanding the risk of follow-on abuse. The operators mix automated scraping tooling with legitimate-sounding user agents and long-dormant ghost accounts to blend into normal API traffic. They also reuse compromised OAuth tokens and personal access tokens (PATs) from legitimate users. In some cases, the activity has progressed from public-data collection to private-repository cloning.

Related Happenings

Single organization's private GitHub repository cloned after confirmed access

Data Leak
H score12 First: 09.07.2026 21:38 Last: 09.07.2026 21:38 Sources 1

How related: Data access has been confirmed in a few scenarios, with the attackers taking steps to clone a private repository belonging to a single organization.

About this happening: **Confirmed access** to a **private GitHub repository** belonging to **one organization** marks a concrete **data exposure** and raises the risk of source-code or internal-content...

GitHub Agentic Workflows indirect prompt injection security flaw

Vulnerability
H score27 First: 07.07.2026 17:04 Last: 07.07.2026 17:04 Sources 1

About this happening: **GitHub Agentic Workflows** has an **indirect prompt injection** flaw that can let a **public issue** leak content from **private repositories** into public comments. The risk is...

North Korean Contagious Interview PolinRider supply-chain campaign

Campaign
H score51 First: 04.07.2026 14:17 Last: 04.07.2026 14:17 Sources 1

About this happening: The **Contagious Interview / PolinRider** campaign is still active, with **108 unique packages and browser extensions** published across **npm, Packagist, Go, and Google Chrome**....

GitBait phishing campaign targeting Mexican banks

Campaign
H score20 First: 17.06.2026 17:00 Last: 17.06.2026 17:00 Sources 1

About this happening: A **long-running GitBait phishing campaign** is stealing **banking credentials** from customers of **Mexican financial institutions**, using **GitHub Pages** and **SheetBest** to...

North Korea-aligned developer-targeting operations shift from fake interviews to recruitment phishing at scale

Threat Actor Meta
H score31 First: 15.06.2026 22:32 Last: 15.06.2026 22:32 Sources 1

About this happening: North Korea-aligned developer-targeting operations are shifting from **fake interviews** to **recruitment-themed phishing** at scale, increasing the risk of industrialized **crede...

Timeline

  1. 09.07.2026 21:38 2 articles · 2h ago

    Datadog Security Labs warns of GitHub API enumeration campaigns

    Initial Disclosure

    Datadog Security Labs warns that several overlapping campaigns are systematically enumerating corporate GitHub organizations, repositories, and user accounts through the GitHub API. The operators use automated scraping tooling, custom or legitimate-sounding user agents, long-dormant GitHub 'ghost' accounts, and compromised OAuth tokens and personal access tokens (PATs) to blend in with normal API traffic; in a few cases, the activity has progressed from public-data collection to cloning a private repository belonging to a single organization.

    Show sources