GitHub Confirms Repo Breach via VS Code Extension as Ark Adds $4.4M Bullish
GitHub disclosed on Wednesday that it is investigating unauthorized access to its internal repositories after an employee device was compromised through a poisoned Visual Studio Code extension. The platform said it detected and contained the intrusion on Tuesday, removing the malicious extension version, isolating the affected endpoint, and triggering its incident-response protocol. The company added there is currently no evidence customer information stored outside the internal repositories has been impacted, though it continues to monitor infrastructure for follow-on activity. The breach has unsettled developers across the blockchain ecosystem, given how heavily the open-source community relies on GitHub to host the critical code that underpins protocol clients, smart contracts, and exchange tooling.

Cathie Wood-led Ark Invest scooped up a combined $4.4 million in Bullish shares across Monday and Tuesday, adding the position to three of its flagship exchange-traded funds during a five-session pullback in the crypto-exchange stock. Trading statements show Ark accumulated 52,308 shares on Monday and 69,712 shares on Tuesday, distributing the buys across its Innovation, Next Generation Internet, and Blockchain and Fintech Innovation portfolios. Bullish stock, which closed at $36.23 on Tuesday after a 1.88% rebound, remains down 16.7% over the past month. Ark routinely rebalances when any single position drifts toward its self-imposed 10% portfolio cap.
A hacking collective calling itself TeamPCP claimed responsibility for the GitHub intrusion and began attempting to sell the stolen material on underground forums, advertising what it described as roughly 4,000 private repositories tied to GitHub's main platform and internal organizations. The group has been profiled as a sophisticated, automation-heavy operation that converts compromised developer tools into credential-harvesting pipelines built for financial gain. Binance founder Changpeng Zhao urged developers to immediately rotate any API keys committed to source code, even in private repos, warning that exposed credentials could hand attackers a direct path into exchange accounts, custody dashboards, and deployment pipelines for live smart contracts.
Ark's accumulation followed Bullish's mixed first-quarter disclosure, which posted a net loss of $604.9 million — nearly double the deficit from a year earlier — while adjusted revenue climbed to $92.8 million from $62.4 million. Chief executive Tom Farley spotlighted the firm's $4.2 billion acquisition of Equiniti as the centerpiece of its growth strategy, framing the transaction as a way to merge Bullish's tokenization stack with a regulated transfer agent and create an integrated blockchain-enabled issuer services platform. Bullish, which priced its August 2025 IPO at $37 a share, remains the sixth-largest public corporate holder of Bitcoin with roughly 24,300 BTC on its balance sheet.

The GitHub incident landed a day after Grafana Labs confirmed it had been hit by a supply-chain attack in which malicious actors accessed its GitHub repositories and pulled its codebase before issuing a ransom demand backed by the threat of public disclosure. The data-observability firm refused to pay. The back-to-back incidents have intensified concerns about the security perimeter around developer tooling, which sits at the foundation of most crypto protocols. Both attacks underscore how a single compromised extension, package, or maintainer credential can cascade into wide-scale exposure across thousands of downstream projects relying on shared open-source dependencies.
The warning from Zhao reverberated across crypto-focused developer communities, where leaked API keys can translate directly into drained exchange balances or hijacked deployment pipelines for on-chain contracts. Security teams responded by accelerating internal audits of stored credentials, mandatory key rotations, and reviews of which IDE extensions employees install on production-facing machines. The episode revives long-running debates around hot-wallet hygiene and the case for shifting operational reserves into a cold-wallet architecture. It also raises pointed questions about whether mainstream developer platforms remain a viable single point of trust for organizations responsible for billions in tokenized assets and on-chain treasuries.
Read together, the day's headlines map a single tension defining this cycle: capital is flowing into regulated, on-chain financial infrastructure even as the security perimeter around the underlying code keeps cracking. Institutional allocators such as Ark are doubling down on tokenization-led businesses with treasury exposure to digital assets, while threat actors are systematically targeting the developer supply chain that connects those businesses to their customers. The resilience of DeFi rails, exchanges, and DEX infrastructure through this cycle will hinge less on short-term price action and more on whether issuers and protocol teams can secure the source code and key material underpinning everything they ship.