News
20 May 2026, 13:00
‘Double check your systems’ – Binance’s CZ sounds alarm over GitHub hack risks

The crypto industry continues to face heightened security attacks.
20 May 2026, 12:50
Quantum risk puts 6.04 million BTC on the line

🚨 6.04 million BTC now face exposure to quantum risks. This makes up 30% of Bitcoin’s total supply. 📎 Key point: In $BTC, address reuse on exchanges is the biggest vulnerability.
20 May 2026, 10:32
Binance founder warns developers to rotate API keys after GitHub internal repository exposure

Changpeng Zhao has asked developers to examine and rotate any API keys in code immediately after GitHub revealed on May 20 that hackers had gained unauthorized access to its internal repositories. The incident resulted from a malicious Visual Studio Code extension placed on a compromised employee’s device.

GitHub detected unauthorized access to GitHub’s internal repositories on May 19. In response, the platform immediately removed the malicious extension version and isolated the endpoint. The Microsoft-owned platform stated that it is investigating unauthorized access to internal repositories and has not yet found any evidence that user repositories, enterprise accounts, or other customer data stored outside those internal systems were impacted. The code hosting platform also stated that while the inquiry is still ongoing, it is keeping a careful eye on the situation.

GitHub went on X to announce that, after the assessment, the activity only involved exfiltration of GitHub-internal repositories. It added that its findings were consistent with the attacker’s claims of accessing roughly 3,800 repositories. The code hosting platform stated that it reduced the risk by rotating important secrets overnight and within the same day, prioritizing the most sensitive credentials. It added that more steps will be taken as the investigation progresses and that it is still analyzing logs, confirming the efficacy of the secret rotation procedure, and monitoring for any possible follow-on activity. The platform also stated that after the investigation is finished, a more comprehensive report would be released.

GitHub breach attributed to UNC6780 supply chain attack

1/ We are sharing additional details regarding our investigation into unauthorized access to GitHub's internal repositories. Yesterday we detected and contained a compromise of an employee device involving a poisoned VS Code extension. We removed the malicious extension version,… — GitHub (@github) May 20, 2026

The breach of GitHub’s internal systems has been attributed to a threat actor using the pseudonym TeamPCP. The group claims to have stolen source code and proprietary organizational data, and is now selling the dataset on dark web cybercrime forums. The reported asking prices exceed $50,000. According to the attackers, almost 4,000 private repositories connected to GitHub’s core infrastructure are among the stolen content. They have allegedly distributed a file index and screenshots displaying many repository archive names to support the assertion. They also claim that samples can be given to serious purchasers as evidence of genuineness.

The Google Threat Intelligence Group has identified TeamPCP as UNC6780, a financially motivated actor with a track record of supply chain breaches. The Intelligence Group noted that TeamPCP’s purported focus has consistently been on CI/CD setups and developer tools, where deeper system access can be obtained through privileged tokens and automation credentials. The group was connected to the Trivy Vulnerability Scanner exploitation through CVE-2026-33634 in early 2026. The exploitation affected over 1,000 firms, including Cisco. They were also linked to campaigns targeting LiteLLM and Checkmarx, focusing on credential harvesting in software delivery pipelines.

Crypto APIs face rising supply chain exposure

Following the GitHub hack and Changpeng Zhao’s warning, the crypto API ecosystem, which largely relies on developer tooling and third-party integrations, has come under closer scrutiny. The GitHub hack highlights how vulnerable contemporary crypto infrastructure can become when core development environments are compromised, especially when code repositories contain or process API keys, automation tokens, and CI/CD credentials. Multiple trading, custody, and data services that rely on these connections may be affected by a single supply chain incursion in such configurations.

Cryptopolitan reported on March 26, 2026, that a correct API is crucial for any cryptocurrency project, whether you’re developing a trading bot, a DeFi analytics dashboard, or a portfolio tracker. The report also noted that delivering thorough, accurate, and low-latency information promotes rather than impedes development. API infrastructure providers that facilitate trading, analytics, and blockchain connectivity are attracting increasing industry attention. Cryptopolitan reported that platforms such as CoinStats API, CoinGecko API, CoinMarketCap API, CCData (CryptoCompare), CoinAPI, Kaiko, Glassnode, Covalent, Alchemy, Infura, QuickNode, and Bitquery demonstrate how exchanges, fintech apps, and blockchain services rely on standardized APIs to support growth and enable real-time data flows.
20 May 2026, 09:13
Bankr halts swaps after $440,000 AI exploit hits users

🚨 Bankr temporarily disabled swaps after a $440,000 AI hack. More than 14 user wallets were drained through manipulated AI agents in $BTC operations.
20 May 2026, 06:50
CZ Urges Developers to Rotate API Keys After GitHub Breach Raises Crypto Security Fears

Changpeng Zhao, the founder of Binance, has issued a clear warning to developers across the cryptocurrency industry: rotate your API keys stored in code without delay. The advice comes in the wake of a significant security breach at GitHub, where a hacker managed to steal 3,800 repositories after compromising an employee’s device through a malicious browser extension.

What Happened at GitHub

GitHub confirmed the breach in a public statement, explaining that the attacker installed a malicious extension on an employee’s machine, gaining unauthorized access to internal systems. While the company has stated that no customer or project accounts were compromised, the theft of nearly 4,000 repositories has sent ripples through the tech and crypto communities. The investigation remains ongoing, and GitHub has not yet disclosed the full scope of the data exfiltration.

Why This Matters for Crypto Developers

The cryptocurrency sector relies heavily on automated trading bots, exchange integrations, and smart contract deployments—all of which often require API keys embedded directly in source code. If those keys are exposed, attackers can drain trading accounts within minutes or take control of automated systems. Zhao’s recommendation to rotate keys regularly is a basic but often overlooked security practice that can mitigate such risks.

Industry Implications

The breach has heightened existing tensions in the crypto market, where security incidents often lead to immediate financial losses and erode user trust. While no direct damage has been confirmed from this specific hack, the potential for secondary attacks using stolen credentials remains a concern. Developers are now being urged to audit their codebases for hardcoded keys and to implement credential rotation as a standard part of their workflow.

Conclusion

The GitHub breach serves as a stark reminder that security hygiene is critical in the fast-moving crypto space. Zhao’s call to action is not new, but it is timely. Developers who treat API key rotation as an afterthought may find themselves exposed. As the investigation continues, the industry is watching closely for any signs that stolen credentials have been weaponized.

FAQs

Q1: What is an API key and why is it dangerous to store it in code?
An API key is a unique identifier used to authenticate a user or program. When stored in source code, it can be exposed if the code is leaked or stolen, allowing attackers to access connected services or accounts.

Q2: How often should developers rotate their API keys?
Best practices recommend rotating API keys every 90 days or immediately after any suspected breach. For high-security environments, more frequent rotation may be necessary.

Q3: What should I do if I suspect my API keys were exposed in the GitHub hack?
Immediately revoke the compromised keys, generate new ones, and update your code. Also review access logs for any unauthorized activity and consider enabling multi-factor authentication on all critical accounts.
20 May 2026, 00:50
HermesVault Shuts Down After $29K ALGO Hack Exploiting Withdrawal Logic Flaw

Algorand-based privacy protocol HermesVault has permanently shut down operations after a security breach resulted in the theft of approximately 261,000 ALGO tokens, valued at roughly $29,466 at the time of the incident. The news was confirmed by lead protocol engineer Giulio Pizzini in a post on X, detailing the technical nature of the exploit.

Technical Flaw in Withdrawal Verification

According to Pizzini, the zero-knowledge (zk) circuit at the core of HermesVault’s privacy mechanism remained secure. However, the vulnerability was found in the key reset defense logic within the withdrawal verification script. This flaw allowed the attacker to bypass the zk verification process entirely and withdraw funds without proper authorization. Pizzini stated that the vulnerability has since been patched, and a significant portion of the stolen funds — 230,000 ALGO — has already been returned to the project. The remaining 30,000 ALGO is still unaccounted for, but the team has initiated a refund process for affected users.

Refund Process for Victims

Victims who lost funds in the remaining 30,000 ALGO theft are eligible for a full refund. To claim compensation, users must prove ownership of their affected address and provide a secret note associated with their transaction. The team has not disclosed a specific deadline for refund claims but urged users to act promptly.

Implications for Privacy Protocols

The HermesVault incident underscores the complexity of securing privacy-focused DeFi protocols. While zero-knowledge proofs are widely regarded as robust, implementation errors in surrounding logic — such as withdrawal scripts — can still expose critical vulnerabilities. This case serves as a reminder that even well-audited zk-based systems require comprehensive security reviews of all auxiliary components. For the Algorand ecosystem, the shutdown of a notable privacy protocol may raise questions about the long-term viability of privacy solutions on the network, especially as regulatory scrutiny around anonymous transactions intensifies globally.

Conclusion

HermesVault’s closure following the $29K ALGO hack highlights the ongoing security challenges in decentralized finance. While the team acted swiftly to patch the flaw and initiate refunds, the incident has permanently ended the protocol’s operations. Users with affected funds are encouraged to follow the official refund process to recover their assets.

FAQs

Q1: What caused the HermesVault hack?
The hack exploited a flaw in the key reset defense logic of the withdrawal verification script, not the zero-knowledge circuit itself. This allowed the attacker to bypass zk verification and withdraw funds.

Q2: How much was stolen, and how much has been refunded?
Approximately 261,000 ALGO ($29,466) was stolen. Of that, 230,000 ALGO has been refunded, leaving 30,000 ALGO still outstanding.

Q3: How can victims claim a refund for the remaining stolen ALGO?
Victims must prove ownership of their affected address and provide a secret note associated with their transaction to receive a full refund.