TL;DR:
Changpeng Zhao, founder and former CEO of Binance, publicly called on developers to immediately audit and rotate any API keys stored in code, after GitHub confirmed unauthorized access to its internal repositories. The entry vector was a malicious Visual Studio Code extension installed on an employee's device.
GitHub, a platform owned by Microsoft, identified the intrusion the same day and acted immediately: it removed the malicious version of the extension, isolated the affected endpoint and rotated critical credentials overnight.
If you have API keys in your code, even private repos, now is the time to double check and change them… https://t.co/DhzATRTyNQ
— CZ BNB (@cz_binance) May 20, 2026
The company clarified that, so far, it has found no evidence that user repositories, enterprise accounts, or customer data stored outside its internal systems were compromised. The investigation continues, and a fuller report will be published once it concludes.
1/ We are sharing additional details regarding our investigation into unauthorized access to GitHub's internal repositories.
Yesterday we detected and contained a compromise of an employee device involving a poisoned VS Code extension. We removed the malicious extension version,…
— GitHub (@github) May 20, 2026
Responsibility for the attack has been attributed to a group operating under the pseudonym TeamPCP, which the Google Threat Intelligence Group now tracks as UNC6780: a financially motivated group with a track record of software supply chain attacks. According to that analysis, the group allegedly compromised around 4,000 private repositories linked to GitHub's core infrastructure. The stolen dataset, which includes source code and organizational data, is being offered on underground forums at prices exceeding $50,000; the attackers are circulating file indexes and screenshots as proof and offering samples to serious buyers.

UNC6780 has a recognizable pattern: its campaigns systematically target CI/CD environments and development tools, where privileged tokens and automation credentials let an initial foothold be escalated into broader access. The group has been linked to the exploitation of the Trivy vulnerability scanner via CVE-2026-33634, an incident that affected more than 1,000 organizations, including Cisco, and to campaigns against LiteLLM and Checkmarx aimed at harvesting credentials from software delivery pipelines.

CZ has highlighted the crypto industry's deep structural dependence on third-party development tools. Trading platforms, custody services, on-chain analytics and blockchain connectivity all run on integrations that, in many cases, store API keys and automation tokens directly in code repositories. A single supply chain intrusion can therefore compromise, at once, every service that relies on those connections.
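The audit CZ is asking for starts with finding the keys. The script below is an added example written for this article; it is not GitHub's, Binance's or any named scanner's code. It combines the two checks a practitioner uses: matching known key formats (a fixed prefix plus a fixed length, here the AWS access key ID and classic GitHub PAT shapes) and flagging high-entropy values assigned to credential-looking names such as API_KEY, SECRET or TOKEN, which catches provider-specific keys that have no recognizable prefix. KNOWN_PATTERNS, ENTROPY_THRESHOLD, scan_repo and the SAMPLE_REPO files are the example's own assumptions; the sample repository is constructed inline (the AWS values are Amazon's documentation examples, the others are made up) so it runs offline.

```python
"""Added example (not GitHub's, Binance's or any named tool's code): a minimal
secret scanner for the "audit the API keys in your code" step.

It combines known key formats (fixed prefix plus fixed length) with an entropy
check on values assigned to credential-looking identifiers. The sample
repository below is constructed inline so the script runs offline."""
import math
import re
from dataclasses import dataclass

# Known formats. The AWS and classic GitHub PAT shapes are the publicly
# documented ones; treat the lengths as assumptions if a provider changes them.
KNOWN_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}

# Generic check: a credential-looking identifier assigned a value of 20+
# characters, with or without quotes (covers .env, YAML and source files).
GENERIC_ASSIGNMENT = re.compile(
    r"\b([A-Za-z0-9_]*(?:key|secret|token|password)[A-Za-z0-9_]*)"
    r"\s*[:=]\s*['\"]?([A-Za-z0-9_\-./+=]{20,})['\"]?",
    re.IGNORECASE,
)
# Rough cut-off (assumption): words and placeholders sit below ~3 bits/char,
# random hex near 4, random base64 at 4.5 and above.
ENTROPY_THRESHOLD = 3.5


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str
    redacted: str  # never log the full value; the report itself becomes a leak


def shannon_entropy(value: str) -> float:
    """Bits per character of the value's symbol distribution."""
    if not value:
        return 0.0
    counts: dict[str, int] = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    return value[:4] + "***"


def scan_text(path: str, text: str) -> list[Finding]:
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in KNOWN_PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append(Finding(path, line_no, kind, redact(m.group(0))))
        for m in GENERIC_ASSIGNMENT.finditer(line):
            name, value = m.group(1), m.group(2)
            # A value already reported by a known-format pattern is not reported twice.
            if any(p.search(value) for p in KNOWN_PATTERNS.values()):
                continue
            if shannon_entropy(value) >= ENTROPY_THRESHOLD:
                findings.append(Finding(path, line_no, f"high_entropy:{name}", redact(value)))
    return findings


def scan_repo(files: dict[str, str]) -> list[Finding]:
    """files maps a repo-relative path to its contents (e.g. from `git ls-files`)."""
    return [f for path, text in files.items() for f in scan_text(path, text)]


# Constructed sample repository. The AWS values are Amazon's documentation
# examples; the other keys are made up and match no live credential.
SAMPLE_REPO = {
    "config/settings.py": (
        "DEBUG = True\n"
        'BINANCE_API_KEY = "x9Kq2LmZ8vT4pR7wA3nB6cD1eF5gH0jY"\n'
        "RETRIES = 3\n"
    ),
    ".env": (
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    # Low-entropy placeholder: must not be reported.
    "README.md": 'Set `api_key = "replace_me_replace_me_replace_me"` before running.\n',
    ".github/workflows/deploy.yml": (
        "name: deploy\n"
        "env:\n"
        "  # wrong: a literal token committed to the repository\n"
        '  GH_TOKEN: "ghp_abcdefghijklmnopqrstuvwxyz0123456789"\n'
        "  # right: reference the CI secret store instead\n"
        "  # GH_TOKEN: ${{ secrets.GH_TOKEN }}\n"
    ),
}

if __name__ == "__main__":
    for f in scan_repo(SAMPLE_REPO):
        print(f"{f.path}:{f.line_no}: {f.kind} -> {f.redacted}")
```

Feed it the current tree and the history (`git log -p`, not just `git ls-files`): a key that was committed and later deleted is still in the repository's history, and a private repo that has been cloned by an attacker carries that history with it, so such a key must be rotated all the same. The YAML sample shows the shape the fix should take: the workflow references the CI secret store rather than a literal token, and the reference does not trigger the scanner.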