GitHub officially confirms unauthorized access to internal repositories, crypto circles on alert, developers criticize: GitHub is no longer reliable, something breaks every day
動區 BlockTempo, 2026-05-20 03:07:06

GitHub officially acknowledged this morning that its internal repositories were subject to unauthorized access, but stressed that there is currently no evidence of customer data leakage. The security community warns that if GitHub's infrastructure is infiltrated, the consequences are far more severe than a single repository leak.

(Previous context: Crayfish OpenClaw goes viral as a "hacker ATM"! Official website pixel-perfectly cloned to drain Web3 wallets)
(Background supplement: Beware of open-source Bots on GitHub! SlowMist Cosine: a certain free open-source bot contains a backdoor, steals Solana private keys)

GitHub issued a statement earlier today (May 20, Taiwan time) via its official X account (@github), formally acknowledging that internal repositories were subject to unauthorized access and that an investigation is currently underway.

We are investigating unauthorized access to GitHub's internal repositories. While we currently have no evidence of impact to customer information stored outside of GitHub's internal repositories (such as our customers' enterprises, organizations, and repositories), we are closely… — GitHub (@github) May 19, 2026

GitHub emphasized in the announcement: "There is currently no evidence that customer information stored outside of GitHub's internal repositories (including enterprise accounts, organizations, and user repositories) has been affected," and stated that it is closely monitoring the infrastructure to guard against follow-up actions, and that if any impact is discovered, customers will be notified through existing incident response channels.

The compromise of GitHub's own internal repositories is not an isolated event but the latest link in a recent chain of attacks. On May 16, monitoring platform Grafana Labs publicly confirmed a GitHub Token leak incident: after obtaining the Token, attackers downloaded the complete codebase and issued a ransom demand; Grafana chose to refuse payment.
On May 14, an even more shocking case surfaced: the internal GitHub repository "Private-CISA" of the U.S. Cybersecurity and Infrastructure Security Agency (CISA) was publicly exposed for a full six months, containing 844 MB of plaintext passwords, AWS Tokens, and Entra ID SAML credentials. Even the highest U.S. cyber defense agency fell victim to GitHub configuration oversights; The Register described some of the file names as "unbelievably obvious."

That same month, identity security company SailPoint's GitHub repository was also breached. SecurityAffairs disclosed that the incident showed attackers were now targeting security vendors themselves, which manage massive amounts of credentials.

For cryptocurrency operators, the infiltration of GitHub infrastructure already has painful precedents. In March 2026, Palo Alto Networks' Unit42 revealed a targeted supply chain attack: the attackers' first target was the Coinbase open-source project agentkit. After Coinbase detected and blocked it, the attackers shifted ground and successfully hijacked the widely used GitHub Action "tj-actions/changed-files," ultimately affecting 23,000 repositories, of which 218 actually experienced secrets leakage. The full analysis is available in the Unit42 report.

From April to May of the same year, 15 popular GitHub Action tags including "second-action" were tampered with to point to malicious commits. The Hacker News also documented this widespread tag-hijacking incident.

The most direct impact on crypto users was the Bitwarden CLI incident: attackers, via a compromised GitHub Action, planted a malicious npm package in Bitwarden CLI version 2026.4.0; the program actively stole MetaMask, Phantom, and Solana wallet files. This attack chain fully demonstrated the three-stage harvesting path of "CI/CD pipeline → package manager → end-user wallet."

GitHub's statement focuses on "customer repositories are safe," but the security community's concerns point to deeper threats.
If attackers move laterally within GitHub's internal repositories, the truly valuable targets include: software signing keys (which can be used to forge legitimate updates), CI/CD system control (which can inject malicious code at any time), and the execution context of Dependabot or GitHub Actions (which can contaminate all downstream projects that depend on these tools).

Well-known engineering commentator Gergely Orosz and developer Mario Zechner have recently publicly criticized GitHub's continued decline in stability and security; Zechner bluntly said "GitHub is no longer a reliable platform — something breaks every day."

Faced with this escalating wave of GitHub supply chain threats, the security community recommends that crypto projects immediately adopt the following four defensive measures:

- Pin GitHub Actions to a full commit SHA rather than tag or branch names, to prevent tag hijacking
- Isolate Secrets with environments, combined with the principle of least privilege, to prevent a single Token leak from causing total collapse
- Enable Push Protection and GitHub Advanced Security (GHAS) to intercept accidentally uploaded credentials at the push stage
- Physically separate development machines from production signing keys, so that even if the CI environment is infiltrated, official release signatures cannot be forged

GitHub stated that the investigation is still ongoing and that follow-up notifications will be issued through existing incident response channels. For crypto projects that have built their entire deployment pipeline on GitHub infrastructure, the final scope of impact of this incident can only be truly assessed once GitHub completes its internal forensics.