Zhao urges crypto devs to rotate keys after GitHub breach

GitHub disclosed a hacker stole code from about 3,800 internal repositories after an employee installed a compromised version of a Visual Studio Code extension. The company isolated the affected machine, removed the extension and began replacing critical passwords overnight, prioritizing the highest-risk credentials.

Initial logs indicate the attacker accessed only the company’s internal repositories and there is no evidence that customer projects, organizations or accounts were affected. GitHub noted the attacker’s claim of roughly 3,800 stolen repositories aligns with the company’s findings. A fuller report will follow when the investigation is complete.

Binance CEO Changpeng Zhao urged developers to check projects and replace exposed keys. On X he wrote, “check every project for hidden keys and replace them,” and advised treating private repositories as exposed until teams complete checks and key rotations.

Developers sometimes leave API keys and private keys in source files, build scripts or configuration files. In cryptocurrency, exposed keys can allow attackers to access trading accounts, wallets, custody systems and automation tools. A compromised key can permit funds to be moved or accounts to be controlled quickly.

The sector has faced similar incidents. An infrastructure provider breach earlier this year forced teams to rotate credentials. In 2022, a breach at a trading service exposed about 100,000 user keys. A separate attack on a password manager earlier this year took wallet seed phrases and developer tokens and concealed the stolen data inside GitHub repositories.

GitHub is continuing to review logs. Whether any of the stolen internal repositories contain code or secrets tied to cryptocurrency infrastructure should become clearer in the coming days. Developers and teams are checking projects and rotating credentials to limit potential impacts.