Changpeng Zhao has asked developers to examine and rotate any API keys in code immediately after GitHub revealed on May 20 that hackers had gained unauthorized access to its internal repositories. The incident resulted from a malicious Visual Studio Code extension placed on a compromised employee’s device. GitHub detected unauthorized access to GitHub’s internal repositories on May 19. In response, the platform immediately removed the malicious extension version and isolated the endpoint. The Microsoft-owned platform stated that it is investigating unauthorized access to internal repositories and has not yet found any evidence that user repositories, enterprise accounts, or other customer data stored outside those internal systems were impacted. The code hosting platform also stated that while the inquiry is still ongoing, it is keeping a careful eye on the situation. GitHub went on X to announce that the activity only involved exfiltration of GitHub-internal repositories after the assessment. It added that its findings were consistent with the attacker’s claims of accessing roughly 3,800 repositories. The code hosting platform stated that it reduced the risk by rotating important secrets overnight and within the same day, prioritizing the most sensitive credentials. It added that more steps will be taken as the investigation progresses and that it is still analyzing logs, confirming the efficacy of the secret rotation procedure, and monitoring for any possible follow-on activity. The platform also stated that after the investigation is finished, a more comprehensive report would be released. GitHub breach attributed to UNC6780 supply chain attack 1/ We are sharing additional details regarding our investigation into unauthorized access to GitHub's internal repositories. Yesterday we detected and contained a compromise of an employee device involving a poisoned VS Code extension. We removed the malicious extension version,… — GitHub (@github) May 20, 2026 The breach of GitHub’s internal systems has been attributed to a threat actor using the pseudonym TeamPCP. The group claims to have stolen source code and proprietary organizational data, and is now selling the dataset on dark web cybercrime forums. The reported asking prices exceed $50,000. According to the attackers, almost 4,000 private repositories connected to GitHub’s core infrastructure are among the stolen content. They have allegedly distributed a file index and screenshots displaying many repository archive names to support the assertion. They also claim that samples can be given to serious purchasers as evidence of genuineness. The Google Threat Intelligence Group has identified TeamPCP as UNC6780, a financially motivated actor with a track record of supply chain breaches. The Intelligence Group noted that TeamPCP’s purported focus has consistently been on CI/CD setups and developer tools, where deeper system access can be obtained through privileged tokens and automation credentials. The group was connected to the Trivy Vulnerability Scanner exploitation through CVE-2026-33634 in early 2026. The exploitation affected over 1,000 firms, including Cisco. They were also linked to campaigns targeting LiteLLM and Checkmarx, focusing on credential harvesting in software delivery pipelines. Crypto APIs face rising supply chain exposure Following the GitHub hack and Changpeng Zhao’s warning , the crypto API ecosystem, which largely relies on developer tooling and third-party integrations, has come under closer scrutiny. The GitHub hack highlights how vulnerable contemporary crypto infrastructure can become when core development environments are compromised, especially when code repositories contain or process API keys, automation tokens, and CI/CD credentials. Multiple trading, custody, and data services that rely on these connections may be affected by a single supply chain incursion in such configurations. Cryptopolitan reported on March 26, 2026, that a correct API is crucial for any cryptocurrency project, whether you’re developing a trading bot, a DeFi analytics dashboard, or a portfolio tracker. The report also noted that delivering thorough, accurate, and low-latency information promotes rather than impedes development. API infrastructure providers that facilitate trading, analytics, and blockchain connectivity are attracting increasing industry attention. Cryptopolitan reported that platforms such as CoinStats API, CoinGecko API, CoinMarketCap API, CCData (CryptoCompare), CoinAPI, Kaiko, Glassnode, Covalent, Alchemy, Infura, QuickNode, and Bitquery demonstrate how exchanges, fintech apps, and blockchain services rely on standardized APIs to support growth and enable real-time data flows. The smartest crypto minds already read our newsletter. Want in? Join them .
XRP institutional demand declines in May
