Changpeng Zhao Warns Crypto Devs to Rotate API Keys After GitHub Hack

GitHub says a hacker stole code from roughly 3,800 of its internal repositories after planting a poisoned plugin on an employee’s computer, raising alarm in the crypto industry over the safety of API keys saved inside code.

Binance founder Changpeng Zhao told developers to check every project for hidden keys and replace them, warning that even private repositories should now be treated as exposed.

What The Company Disclosed

GitHub said the breach began when an employee installed a malicious version of a VS Code extension, a small add-on for a code editor used by millions of developers around the world.

The company isolated the affected computer, removed the bad extension, and began swapping out critical passwords overnight. The highest-risk credentials were rotated first.

So far, the investigation suggests the hacker only pulled code from GitHub’s own internal repositories. Customer projects, organizations, and accounts show no evidence of impact.

GitHub said the attacker’s claim of about 3,800 stolen repositories lines up with what its own team has found. A fuller report will follow once the investigation is finished.

Why Crypto Developers Are on Alert

In crypto, an exposed API key can drain a trading account within minutes. Many keys also open access to wallets, custody tools, or exchange bots. That is why CZ moved quickly to warn his followers.

The sector has been hit before. A breach at infrastructure provider Vercel earlier this year forced teams to rotate keys. The 3Commas leak in 2022 exposed roughly 100,000 user keys.

A separate supply chain attack on the Bitwarden password manager stole wallet seeds and developer tokens. It then hid the stolen data inside GitHub repositories.

Developers often leave private keys inside code, build scripts, or hidden config files, assuming nobody outside the company can read them. The GitHub case shows internal systems can be broken just like public ones.

GitHub said its team is still working through the logs. Whether any of the stolen repositories contain code or secrets tied to crypto infrastructure should become clearer in the days ahead.