GitHub has confirmed that thousands of its internal repositories were accessed without authorization, prompting fresh warnings from Binance founder Changpeng “CZ” Zhao for crypto developers to immediately rotate API keys stored in code repositories.
- GitHub confirmed unauthorized access to nearly 3,800 internal repositories after an employee device was compromised.
- Binance founder Changpeng Zhao urged developers to rotate API keys stored in private and public code repositories.
- The breach surfaced days after Grafana Labs disclosed a separate GitHub-related supply chain attack targeting its codebase.
In a statement published on Wednesday, the Microsoft-owned platform said it detected unauthorized access tied to the compromise of an employee device and has since launched an internal investigation into the incident.
The company added that it currently has “no evidence of impact to customer information stored outside of GitHub’s internal repositories.”
Further details released by GitHub showed the breach involved a poisoned Visual Studio Code extension discovered on Tuesday. The company said the malicious extension was removed after the affected endpoint was isolated and incident response procedures were initiated.
While GitHub maintained that customer repositories and enterprise environments were not affected, the company acknowledged that roughly 3,800 internal repositories were impacted, a figure that closely matched claims later made by a hacking group known as TeamPCP.
Security Week described TeamPCP as a highly automated cybercrime group that focuses on compromising developer tools to harvest credentials and generate financial gains. Reports circulating online indicated the group attempted to sell what it claimed were “4,000 repos of private code” connected to GitHub’s internal systems.
Against that backdrop, CZ urged developers to review repositories for exposed credentials, warning that API keys stored even in private codebases should be replaced immediately.
Crypto developers rely heavily on GitHub infrastructure to manage open-source projects, trading bots, blockchain applications, and decentralized finance tools. Repositories often contain exchange API credentials, cloud infrastructure tokens, wallet access configurations, and deployment scripts, making such environments attractive targets for attackers.
GitHub said it has already rotated what it described as “critical secrets,” prioritizing credentials with the highest operational risk. The company added that its investigation remains ongoing and that teams are continuing to analyze logs and monitor for follow-on activity before releasing a full incident report.
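As an added illustration of the repository review CZ recommends (this is example code written for this page, not code from GitHub, Binance or any other firm named here), the script below walks a working tree and flags strings that look like credentials so they can be rotated. The AWS access key ID prefix, the GitHub token prefixes and the PEM private-key header are real public formats; the generic "key = value" rule, the entropy threshold and the sample configuration are constructed heuristics and test data, not real credentials.

```python
"""Minimal repository secret scanner (added example, not GitHub's or Binance's code).

Walks a working tree, flags strings that look like credentials so they can be
rotated, and reports a redacted fingerprint rather than the secret itself.
"""
import math
import os
import re
from collections import Counter

# Detection rules. AWS, GitHub and PEM formats are real public formats; the
# "credential_assignment" rule is a generic heuristic for KEY = "value" lines.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "credential_assignment": re.compile(
        r"(?i)(api[_-]?key|api[_-]?secret|secret[_-]?key|access[_-]?token|passw(?:or)?d)\b"
        r"\s*[:=]\s*['\"]?([A-Za-z0-9_\-/+=]{16,})['\"]?"
    ),
}

# Directories whose contents are not source the team wrote; note that skipping
# .git means deleted-but-committed secrets in history still need a history scan.
SKIP_DIRS = {".git", "node_modules", "venv", ".venv"}

# Constructed sample file; the values are made up for this example.
SAMPLE_CONFIG = """\
# constructed sample, not real credentials
BINANCE_API_KEY = "k3Qv9ZxLp2RtN8mW4yHb7JcF1sGd6Ae0uViTo5XrEq2MnBl8PwYz3KjCg7DfS4hU"
API_SECRET = "changeme-changeme"
AWS_ACCESS_KEY_ID = AKIAEXAMPLEKEY123456
GITHUB_TOKEN = ghp_0123456789abcdefghijklmnopqrstuvwxyz
-----BEGIN RSA PRIVATE KEY-----
"""


def shannon_entropy(s: str) -> float:
    """Bits per character; random keys score high, placeholders like 'changeme' score low."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Keep only a short prefix so the report itself does not leak the secret."""
    return value[:4] + "..." + "*" * max(0, len(value) - 4)


def scan_text(text: str, path: str = "<string>") -> list:
    """Return one finding dict per credential-looking match, in line order."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pat in PATTERNS.items():
            for m in pat.finditer(line):
                # Generic rule captures the value in its last group; format rules use the whole match.
                value = m.group(m.lastindex) if m.lastindex else m.group(0)
                # Require key-like randomness so placeholders are not reported (threshold is a chosen heuristic).
                if name == "credential_assignment" and shannon_entropy(value) < 3.5:
                    continue
                findings.append({"path": path, "line": lineno, "rule": name, "hint": redact(value)})
    return findings


def scan_tree(root: str) -> list:
    """Scan every readable text file under root, skipping vendored and VCS directories."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    findings.extend(scan_text(fh.read(), path))
            except OSError:
                continue
    return findings


if __name__ == "__main__":
    for f in scan_text(SAMPLE_CONFIG, "sample.env"):
        print(f"{f['path']}:{f['line']} {f['rule']} {f['hint']}")
```

On the constructed sample the scanner reports the exchange API key, the AWS key ID, the GitHub token and the PEM header, and skips the low-entropy placeholder secret. A hit means the value should be treated as exposed and rotated, not merely deleted from the file: anything that was ever committed remains in git history and in every clone, which is why the rotation advice above applies to private repositories as well.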
Crypto sector faces renewed repository security concerns
Elsewhere in the industry, the GitHub breach surfaced only days after observability firm Grafana Labs disclosed a separate supply-chain attack involving unauthorized access to its GitHub repositories. Grafana said attackers downloaded portions of its codebase and later issued a ransom demand tied to possible data disclosure.
The latest developments have also revived concerns around repository-based attacks targeting crypto users and developers. Back in March, security platform OX Security detailed a phishing campaign tied to the growing popularity of OpenClaw, an open-source AI agent project later backed by OpenAI executive Sam Altman.
According to OX Security, attackers created fake GitHub accounts and used issue threads to lure developers with promises of fake token allocations linked to a non-existent $CLAW token reward campaign. Victims were then redirected to fraudulent websites designed to drain crypto wallets through malicious wallet connection prompts.
Researchers said the campaign used obfuscated JavaScript files and browser-tracking commands to monitor user activity while hiding traces through built-in deletion functions. OX Security later urged users to block domains connected to the operation and avoid linking wallets to newly surfaced websites.
Concerns around GitHub-hosted secrets are not new for Binance either. In February 2024, investigative outlet 404 Media reported that a cache of Binance-related code and infrastructure data had been publicly accessible on GitHub for months.
The report claimed the exposed material included internal diagrams, authentication-related code, and passwords associated with systems labeled “prod,” potentially referring to production infrastructure.
At the time, Binance acknowledged the leak but said the information posed only a “negligible risk” to users and platform security, while also stating that the exposed code no longer matched its production environment.