Changpeng Zhao, founder of Binance, has issued an urgent advisory for cryptocurrency developers to audit and replace API keys stored in code repositories following a major security incident at GitHub. The warning comes after GitHub disclosed unauthorized access to internal repositories through a compromised employee device infected with a malicious VS Code extension.
GitHub confirmed that the breach resulted in exfiltration of approximately 3,800 internal repositories, though the company stated there is no evidence that client organizations, enterprise accounts, or customer repositories were affected. The incident began with the compromise of a single employee's device, which allowed attackers to gain access to GitHub's internal systems.
Zhao emphasized that private repositories should not be treated as secure storage for sensitive credentials, a critical distinction for cryptocurrency infrastructure. He advised developers that if API keys, tokens, environment variables, or other credentials have ever been committed to Git history, they must be revoked and reissued entirely rather than simply deleted. For crypto projects specifically, compromised exchange API keys, deployment tokens, cloud credentials, and bot authentication keys could grant attackers direct access to trading infrastructure, deployment systems, or custodial assets.
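The audit this advice implies can be sketched as follows; this is an added example, not code from GitHub, Binance or the original article. It parses the text of `git log -p --all` and reports every commit that ever added a credential-like value, including values a later commit deleted. The names `scan_history`, `RULES` and `SAMPLE_LOG` are hypothetical, the two patterns are illustrative assumptions rather than a complete rule set, and the sample history is constructed.

```python
import hashlib
import re

# Illustrative rules only (assumption): a real audit needs a fuller rule set.
RULES = {
    "aws_access_key_id": re.compile(r"AKIA[0-9A-Z]{16}"),
    "assigned_secret": re.compile(
        r"(?i)(?:api[_-]?key|secret|token)\w*\s*[=:]\s*['\"]?([A-Za-z0-9_\-]{16,})"),
}

def scan_history(log_text):
    """Scan `git log -p --all` output for credential-like added lines; set
    `deleted_later` when some commit also removes the same value."""
    findings, removed = [], set()
    commit = path = None
    for line in log_text.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1]
        elif line.startswith("+++ "):
            path = line[4:].removeprefix("b/")
        elif line.startswith("--- ") or not line or line[0] not in "+-":
            continue  # file header, blank line, context or commit message
        else:
            for rule, rx in RULES.items():
                for m in rx.finditer(line):
                    value = m.group(m.lastindex or 0)
                    digest = hashlib.sha256(value.encode()).hexdigest()[:12]
                    if line[0] == "-":
                        removed.add(digest)
                    else:  # report a fingerprint, never the secret itself
                        findings.append({"commit": commit, "path": path,
                                         "rule": rule, "fingerprint": digest})
    for f in findings:
        # Deleted from the tip, but still retrievable from history.
        f["deleted_later"] = f["fingerprint"] in removed
    return findings

# Constructed, abridged sample (not real history): a key is added in
# commit 1111... and removed from the working tree in commit 2222...
SAMPLE_LOG = """\
commit 2222222222222222222222222222222222222222
+++ b/bot/config.py
-EXCHANGE_API_KEY = "constructed0123456789abcdef"
+EXCHANGE_API_KEY = os.environ["EXCHANGE_API_KEY"]
commit 1111111111111111111111111111111111111111
+++ b/bot/config.py
+EXCHANGE_API_KEY = "constructed0123456789abcdef"
"""

if __name__ == "__main__":
    print(scan_history(SAMPLE_LOG))
```

On a real repository, pass it the text of `git log -p --all`; any finding means the credential has to be revoked and reissued, whether or not `deleted_later` is set.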
The incident underscores persistent weaknesses in software development workflows across the crypto sector, where supply chain security remains a concern following similar incidents at Vercel and other infrastructure providers.