GitHub ghost accounts and exposed PATs scrape corporate orgs through the API, with select cases cloning private repos.