Binance CZ urges API security after internal GitHub repositories hacked



Changpeng Zhao urged developers to immediately inspect and parse any API keys in their code after GitHub revealed on May 20 that hackers had gained unauthorized access to its internal repositories. The incident was caused by a malicious Visual Studio Code extension placed on a compromised employee device.

GitHub detected unauthorized access to internal GitHub repositories on May 19. In response, the platform immediately removed the version of the malicious extension and quarantined the endpoint.

The Microsoft-owned platform said it is investigating unauthorized access to internal repositories and has yet to find any evidence that user repositories, enterprise accounts, or other customer data stored outside those internal systems were affected.

The code hosting platform also stated that while the investigation is still ongoing, it is carefully monitoring the situation.

GitHub took to X to announce that, after evaluation, the activity involved only the exfiltration of internal GitHub repositories. It added that its findings were consistent with the attacker’s claims of access to approximately 3,800 repositories.

The code hosting platform said it reduced risk by rotating important secrets overnight and on the same day, prioritizing the most sensitive credentials.

It added that further steps will be taken as the investigation progresses, and that it is still analyzing records, confirming the effectiveness of the secret rotation procedure, and monitoring for any potential follow-up activity. The platform also stated that a more comprehensive report will be released after the investigation is completed.

The GitHub breach is attributed to the UNC6780 supply chain attack

The breach of GitHub’s internal systems has been attributed to a threat actor using the alias TeamPCP. The group claims to have stolen source code and private organizational data, and is now selling the dataset on cybercrime forums on the dark web. Reported asking prices exceed $50,000.

According to the attackers, approximately 4,000 private repositories connected to GitHub’s core infrastructure are among the stolen content. They allegedly distributed a file index and screenshots displaying several repository archive names to support the assertion. They also claim that samples can be offered to serious buyers as proof of authenticity.

The Google Threat Intelligence Group identified TeamPCP as UNC6780, a financially motivated actor with a history of supply chain compromises. The intelligence group noted that TeamPCP’s alleged focus has always been on CI/CD setups and developer tools, where deeper system access can be gained through tokens and automation credentials.


The group was linked to the Trivy Vulnerability Scanner exploit through CVE-2026-33634 in early 2026. The exploit affected more than 1,000 companies, including Cisco. They have also been linked to campaigns targeting LiteLLM and Checkmarx, with a focus on collecting credentials in software delivery pipelines.

Cryptocurrency APIs face increasing supply chain exposure

After the GitHub hack and Changpeng Zhao’s warning, the crypto API ecosystem, which relies largely on developer tools and third-party integrations, has come under close scrutiny.

The GitHub hack highlights how vulnerable contemporary cryptocurrency infrastructure is when underlying development environments are compromised, especially when code repositories contain or process API keys, automation code, and CI/CD credentials. Multiple trading, custody, and data services that rely on these communications could be affected by a single supply chain compromise in such configurations.

Cryptopolitan reported on March 26, 2026, that the right API is crucial for any cryptocurrency project, whether you’re developing a trading bot, a DeFi analytics dashboard, or a wallet tracker. The report also stated that providing comprehensive, accurate and low-latency information promotes development rather than hinders it.

Application Programming Interface (API) infrastructure providers that facilitate trading, analytics, and blockchain connectivity are attracting increasing interest in the industry. Cryptopolitan reported that platforms such as CoinStats API, CoinGecko API, CoinMarketCap API, CCData (CryptoCompare), CoinAPI, Kaiko, Glassnode, Covalent, Alchemy, Infura, QuickNode, and Bitquery demonstrate how exchanges, fintech applications, and blockchain services rely on standard APIs to support growth and enable real-time data flow.




