CZ warns developers to rotate keys after GitHub breach

CZ Warns Developers to Rotate API Keys as GitHub Confirms Internal Breach

  • CZ warned all developers to rotate API keys immediately, even in private repositories.
  • GitHub confirmed a breach via a poisoned VS Code extension compromising an employee device.
  • TeamPCP claims 3,800 internal repos were stolen and is selling the data for over $50,000.

Binance founder Changpeng Zhao issued a warning to developers as news of the GitHub breach spread across social media. 

“If you have API keys in your code, even private repos, now is the time to double-check and change them,” CZ wrote on X.

The warning came as GitHub confirmed it is investigating unauthorized access to its internal repositories following claims by threat group TeamPCP that it stole data from approximately 4,000 private and internal repositories, including source code and company files. 

The group is attempting to sell the stolen data for more than $50,000 on underground forums, adding that if no buyer is found, the data will be released publicly for free.

What GitHub Confirmed

GitHub said the breach originated from a compromised employee device through a poisoned Microsoft Visual Studio Code extension. The company detected and contained the compromise, removed the malicious extension, isolated the endpoint, and immediately began rotating critical credentials with the highest-impact secrets prioritized first.

In its public statement, GitHub confirmed that TeamPCP’s claims of approximately 3,800 repositories are directionally consistent with its own investigation. The company said its current assessment is that the breach involved exfiltration of GitHub-internal repositories only, with no evidence of impact to customer repositories, enterprise organizations, or user data stored outside internal systems.

GitHub said it will notify customers through established incident response channels if any customer impact is discovered and will publish a fuller report once the investigation is complete.

TeamPCP Is Still Active

The GitHub breach is not an isolated incident. The same threat group is running a separate malware campaign called Mini Shai-Hulud, a self-replicating worm that has now compromised durabletask, an official Microsoft Python client for the Durable Task workflow execution framework. Three malicious package versions have been identified: 1.4.1, 1.4.2, and 1.4.3.

According to Google-owned cloud security firm Wiz, the attacker compromised a GitHub account through a previous attack, extracted GitHub secrets from a repository the account had access to, and used those secrets to obtain a PyPI token allowing direct publication of malicious package versions.

The malware embedded in the compromised packages operates as a dropper, fetching and executing a second-stage payload from an external server. The campaign is Linux-only and spreads through AWS SSM and Kubernetes environments.
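The two defensive actions the article points to are finding hard-coded credentials so they can be rotated (CZ's advice above) and checking whether a project pins one of the three compromised durabletask releases. The script below is an added example, not code from the article, GitHub, Microsoft or Wiz; it assumes a requirements.txt-style pin list as input, relies on the real AWS (`AKIA`) and GitHub (`ghp_`) key prefixes plus a generic `key = "..."` heuristic, and the sample source file and pin list it scans are constructed for illustration.

```python
"""Defender-side triage after a secret-exposure incident.

Added example, not part of the original article. Two checks:
  1. find_secrets(): flag likely hard-coded credentials in source text so they
     can be rotated (masked in the output so the report itself does not leak them).
  2. compromised_pins(): flag requirements pins matching the durabletask
     releases the article names as malicious (1.4.1, 1.4.2, 1.4.3).
"""
import re

# Affected versions named in the article.
COMPROMISED_DURABLETASK = {"1.4.1", "1.4.2", "1.4.3"}

# Ordered most-specific first so the dedup below keeps the precise label.
# AKIA (AWS access key ID) and ghp_ (GitHub personal access token) are real
# prefixes; the generic assignment pattern is a heuristic and will need tuning.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "generic_assignment": re.compile(
        r"(?i)(api[_-]?key|secret|token)\s*[:=]\s*['\"]([A-Za-z0-9_\-]{16,})['\"]"
    ),
}

# Matches "name==version", ignoring trailing comments.
REQ_LINE = re.compile(r"^\s*([A-Za-z0-9_.\-]+)\s*==\s*([0-9][\w.]*)")


def mask(value):
    """Keep only a prefix/suffix so findings can be reported without re-leaking the secret."""
    return value[:4] + "..." + value[-2:] if len(value) > 8 else "***"


def find_secrets(text):
    """Return [(line_no, kind, masked_value)] for likely hard-coded credentials."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        seen = set()  # one finding per distinct value per line
        for kind, pat in SECRET_PATTERNS.items():
            for m in pat.finditer(line):
                value = m.group(m.lastindex or 0)  # capture group 2 for the generic pattern
                if value in seen:
                    continue
                seen.add(value)
                hits.append((lineno, kind, mask(value)))
    return hits


def compromised_pins(requirements_text):
    """Return [(package, version)] pins that match the compromised durabletask releases."""
    flagged = []
    for line in requirements_text.splitlines():
        m = REQ_LINE.match(line.split("#", 1)[0])
        if not m:
            continue
        name = m.group(1).lower().replace("_", "-")  # normalise the distribution name
        version = m.group(2)
        if name == "durabletask" and version in COMPROMISED_DURABLETASK:
            flagged.append((name, version))
    return flagged


# Constructed sample inputs (the AWS value is AWS's own documented example key).
SAMPLE_SOURCE = '''\
import os
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
GITHUB_TOKEN = "ghp_0123456789abcdef0123456789abcdef0123"
api_key = os.environ["API_KEY"]
'''

SAMPLE_REQUIREMENTS = '''\
requests==2.31.0
durabletask==1.4.2   # constructed pin that matches a compromised release
'''

if __name__ == "__main__":
    for lineno, kind, masked in find_secrets(SAMPLE_SOURCE):
        print(f"line {lineno}: {kind} {masked} -> rotate this credential")
    for name, version in compromised_pins(SAMPLE_REQUIREMENTS):
        print(f"{name}=={version} is a compromised release -> remove and rebuild")
```

Line 4 of the constructed sample reads the key from the environment rather than embedding it, and is deliberately not flagged; that is the pattern to move to once the leaked values have been rotated. Run the package check against lock files and container images as well as requirements.txt, since a pin that was already installed is the one that matters.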

TeamPCP’s own statement about the GitHub data sale offered an unusually candid description of their intentions. The group claimed it was not attempting to extort GitHub and said the data would be deleted after a successful sale. It also warned that the information could eventually be released publicly if no buyer emerged. 


Disclaimer: The information presented in this article is for informational and educational purposes only. The article does not constitute financial advice or advice of any kind. Coin Edition is not responsible for any losses incurred as a result of the utilization of content, products, or services mentioned. Readers are advised to exercise caution before taking any action related to the company.