Github: CZ Urges Developers to Rotate API Keys After Internal Breach

Guido Battigelli
Published: May 20, 2026
2:56 pm
Updated: May 20, 2026
2:56 pm

TL;DR:

CZ urged developers to review and rotate API keys after unauthorized access to GitHub’s internal repositories was confirmed.
The attacker was UNC6780, identified by Google. It stole source code from around 3,800 repositories and sells the data on dark web forums for over $50,000.
The breach exposes structural vulnerabilities and severe API dependencies across the crypto ecosystem.

Changpeng Zhao, founder and former CEO of Binance, publicly called on developers to immediately audit and rotate any API keys stored in code, after GitHub confirmed unauthorized access to its internal repositories. The entry vector was a malicious extension of Visual Studio Code installed on an employee’s device.

GitHub, a platform owned by Microsoft, identified the intrusion the same day and acted immediately: it removed the malicious version of the extension, isolated the affected endpoint and rotated critical credentials overnight.

If you have API keys in your code, even private repos, now is the time to double check and change them… https://t.co/DhzATRTyNQ

— CZ 🔶 BNB (@cz_binance) May 20, 2026

The company clarified that, so far, it found no evidence that user repositories, enterprise accounts, or customer data stored outside its internal systems had been compromised. The investigation continues and a more complete report will be announced once it concludes.

1/ We are sharing additional details regarding our investigation into unauthorized access to GitHub's internal repositories.

Yesterday we detected and contained a compromise of an employee device involving a poisoned VS Code extension. We removed the malicious extension version,…

— GitHub (@github) May 20, 2026

GitHub’s Internal Security Crisis

Responsibility for the attack was attributed to a group operating under the pseudonym TeamPCP, now identified by the Google Threat Intelligence Group as UNC6780, a group with financial motivation and a track record of attacks on software supply chains. According to the analysis, the group allegedly compromised around 4,000 private repositories linked to GitHub’s core infrastructure. The stolen dataset, which includes source code and organizational data, is being traded on underground forums at prices exceeding $50,000. The attackers distributed file indexes and screenshots as proof and offer samples to serious buyers.

UNC6780 has a recognizable pattern: its campaigns systematically target CI/CD environments and development tools, where privileged tokens and automation credentials allow access to be escalated. The group was linked to the exploit of the Trivy Vulnerability Scanner via CVE-2026-33634, an incident that affected more than 1,000 organizations, including Cisco, and to campaigns targeting LiteLLM and Checkmarx aimed at harvesting credentials from software delivery pipelines.

The Weight of Third-Party Tool Dependency

CZ has highlighted the deep structural dependence the crypto industry has on third-party development tools. Trading platforms, custody services, on-chain analytics, and blockchain connectivity operate on integrations that, in many cases, store API keys and automation tokens directly in code repositories. A single supply chain intrusion can simultaneously compromise multiple services that rely on those connections.

PeckShield Reports $26.5M in February Hack Losses, Lowest Level Since March 2025

CryptoNews

PeckShield Reports $328.6M Lost to Crypto Bridge Attacks in May

TL;DR: Peckshield recorded 8 exploits on cross-chain bridges during May 2026; cumulative losses across all protocols amount to approximately $328.6 million. April 2026 was the

Ethereum News

Vitalik Buterin Spotlights New Era of Ethereum Research Built on Raw EVM and Lean

TL;DR: Vitalik Buterin argues that formal software verification, combined with AI, can eliminate critical bugs in high-security code. For Ethereum, this is especially relevant: projects

flash news

Hedera Rolls Out Agent Kit V4 With Modular Packages and New Policy Engine

Hedera launched version 4 of its Agent Kit with two central focuses: modularity and control. The update restructures the kit into a family of independent packages under the

Blockaid and CertiK flag a Verus-Ethereum bridge exploit draining ~$11.6M in ETH, tBTC and USDC via missing source-amount validation.

flash news

Verus-Ethereum Bridge Hit by $11.6M Exploit

Blockaid and CertiK Alert reported suspicious activity tied to the Verus-Ethereum bridge. According to the alerts, the incident involved roughly $11.6M in drained assets, including

DeFi News

Felix Turns to RedStone for HIP‑3 Perps With a 4‑of‑6 Multisig Model Built for $600M Risk

TL;DR: Felix became the first protocol to launch HIP-3 markets on Hyperliquid, using RedStone’s HyperStone oracle infrastructure. HyperStone operates with a 4-of-6 independent signer verification

THORChain halted trading after a $10M-plus cross-chain exploit, while RUNE fell double digits and confidence in DeFi routing weakened.

CryptoCurrency News

THORChain Halts Trading as RUNE Slides After Exploit

TL;DR: THORChain halted trading after a cross-chain exploit drained more than $10 million across Bitcoin, Ethereum, BNB Chain and Base. RUNE dropped by double digits,

Ads

Crypto Tutorials

Crypto Reviews

Github: CZ Urges Developers to Rotate API Keys After Internal Breach

GitHub’s Internal Security Crisis

The Weight of Third-Party Tool Dependency

MOST VIEWED

PRICE PREDICTIONS

CRYPTO 101