Binance co-founder Changpeng "CZ" Zhao has issued a warning to cryptocurrency developers following a confirmed security incident at GitHub, in which the platform disclosed unauthorized access to some of its internal repositories.
Responding to the news, CZ urged developers to take immediate precautions regarding the safety of their code repositories and credentials.
"If you have API keys in your code, even private repos, now is the time to double-check and change them," CZ wrote in a post on X.
His warning extended specifically to private repositories, noting that even those may not be immune to the risks posed by the breach.
API keys are used by developers to connect applications with exchanges, wallets, cloud services, AI tools, databases, and payment systems. In the cryptocurrency space, exposed API credentials can be particularly dangerous, as they could provide unauthorized access to trading systems, withdrawal functions, backend infrastructure, or sensitive user data.
What Happened at GitHub
GitHub confirmed the security incident in a post on X, stating that it was investigating unauthorized access to its internal repositories. The platform noted that it currently has no evidence of impact to customer information stored outside of its internal repositories — such as customers' enterprises, organizations, and repositories — but said it is closely monitoring its infrastructure for any follow-on activity.
In a subsequent update, GitHub shared additional details about its investigation. According to the company, a compromise of an employee device was detected and contained, involving a poisoned Visual Studio Code (VS Code) extension. The malicious extension version was removed, the affected endpoint was isolated, and incident response procedures were initiated immediately.
GitHub's current assessment indicates that the activity involved the exfiltration of GitHub-internal repositories only. The investigation found that approximately 3,800 repositories were affected. In response, the company moved swiftly to rotate critical secrets, prioritizing the highest-impact credentials first.
Why it matters
The breach vector — a poisoned VS Code extension on an employee device — highlights that supply-chain attacks targeting developer tooling can bypass perimeter security and reach internal infrastructure directly.
Because the compromised repositories were internal to GitHub rather than customer-owned, developers cannot audit their own repos to determine exposure; the risk is opaque, making proactive credential rotation the only available mitigation.
In crypto contexts, API keys embedded in code can carry permissions beyond read-only access — including trade execution or withdrawal authorization — meaning a single exposed key could have immediate, irreversible financial consequences.
