Changpeng Zhao, founder of Binance, has issued an urgent call to cryptocurrency developers: immediately rotate any API keys stored in code. The warning follows a confirmed security breach at GitHub, where a hacker compromised an employee’s device via a malicious Visual Studio Code extension, leading to the exfiltration of approximately 3,800 internal repositories.
GitHub disclosed on May 20 that unauthorized access occurred on May 19, 2026. The attacker installed a poisoned browser extension, gaining entry to internal systems. While no customer or project accounts were directly compromised, the theft of thousands of private repositories has alarmed the tech and crypto communities. GitHub stated it rotated critical secrets within hours and continues to monitor for follow-on activity, with a full report pending.
The incident was attributed to threat actor TeamPCP (tracked as UNC6780), a financially motivated group known for supply chain attacks. They are reportedly selling the stolen dataset for over $50,000 on dark web forums, claiming to hold source code and proprietary data tied to GitHub's core infrastructure. Google’s Threat Intelligence Group linked UNC6780 to prior credential-harvesting campaigns targeting developer tools like Trivy, LiteLLM, and Checkmarx.
Zhao’s warning emphasizes that crypto trading bots, exchange integrations, and smart contract deployments often embed API keys directly in codebases—making them prime targets if repositories are exposed. Even without confirmed financial losses from this breach, the potential for secondary attacks using leaked credentials is significant. Developers are urged to audit their repositories, implement regular key rotation (every 90 days or immediately after any suspected incident), and enforce multi-factor authentication on critical accounts.
