Infrastructure
Enumeration
Outcome
Campaign A
Ghost accounts
Age 2–5 year old dormant profiles
Count 50+ confirmed accounts
Naming
examples
amazon-data-*, *-orb,
BirdWith*
Campaign B
Compromised tokens
Types PATs + OAuth tokens
Scale Dozens of legitimate accounts
Hosting
provider
3xktech[.]cloud
Steps 1 – 2
Automated GitHub API scraping

Automated tooling iterates over GraphQL and REST endpoints to map organizations, members, and repositories. Requests return HTTP 200. Activity repeats in 1–3 week bursts across many organizations.

Common routes

/graphql /organizations/:organization_id /organizations/:organization_id/repos /user/:user_id/followers /user/:user_id/following /user/:user_id/gists /user/:user_id/orgs /user/:user_id/repos /user/:user_id/starred
Most campaigns
Reconnaissance complete

Activity ends after public-data enumeration. Ghost accounts go silent after burst. Operator retains a full org map for downstream use.

No private access  No auth failures

Escalated
Private repo exfiltration

Compromised tokens probe private paths. In one confirmed case, repo-dumper executed successful git.clone and api.request events inside a private repository.

Datadog Security Labs