Binance’s CZ urges key rotation after GitHub breach

Binance CEO Changpeng Zhao urged developers to rotate API keys after a hacker stole code from about 3,800 GitHub internal repositories via a malicious VS Code extension.

GitHub reported that a hacker stole code from roughly 3,800 of its internal repositories after installing a compromised version of a Visual Studio Code extension on an employee’s computer. The company isolated the affected machine, removed the extension and began replacing passwords and credentials, prioritizing the highest-risk secrets first.

GitHub confirmed that the attacker’s claim about the number of repositories accessed aligns with the company’s findings. Engineers are reviewing logs to determine exactly what was taken and whether any repositories contained secrets or configuration files tied to customer infrastructure.

So far, GitHub’s investigation shows no evidence that customer projects, organizations or accounts were directly accessed. The company said a fuller report will follow when the review is complete.

The incident prompted an immediate response from the crypto sector because many development teams store API keys, private keys and other credentials inside code, build scripts or configuration files. An exposed API key can allow an attacker to move funds, manipulate trading bots or access wallet systems in a short time.

Binance founder Changpeng Zhao posted on X that developers should “check every project for hidden keys and replace them,” and he advised treating private repositories as exposed until teams can confirm otherwise.

Security leaders pointed to recent breaches that forced rapid key rotations. Earlier this year, a breach at an infrastructure provider required customers to replace keys after attackers accessed build environments. In 2022, a leak tied to a trading service exposed roughly 100,000 user keys. A separate supply-chain compromise involving a password manager resulted in stolen wallet seeds and developer tokens being concealed inside GitHub repositories.

GitHub said it began an overnight process to rotate credentials and continues to analyze activity logs. The company emphasized ongoing work to identify whether any stolen internal repositories include data that could affect external services.

In the interim, developers and firms have been advised to rotate API keys, search codebases for embedded credentials, and replace any secrets found in public or private repositories until investigations can confirm those secrets were not exposed.
