GitHub said on Wednesday it is investigating unauthorized access to its internal repositories following the compromise of an employee’s device. 

“While we currently have no evidence of impact to customer information stored outside of GitHub’s internal repositories, we are closely monitoring our infrastructure for follow-on activity,” the developer platform said in a statement.

In a subsequent post, GitHub said it detected and contained a compromise of an employee device involving a poisoned VS Code extension on Tuesday. “We removed the malicious extension version, isolated the endpoint, and began incident response immediately,” it added. 

GitHub is the go-to platform for developers, many of whom host their open source projects and repositories on its servers.

TeamPCP claims responsibility

Meanwhile, a hacking group called TeamPCP has reportedly claimed responsibility for the compromise and has attempted to sell the GitHub data online, claiming to have “4,000 repos of private code” related to GitHub’s main platform and internal organizations.

TeamPCP is a sophisticated, automation-heavy hacking group that turns compromised developer tools into credential-harvesting machines for financial gain, SecurityWeek reported.

TeamPCP claims responsibility on underground hacker forums. Source: Hackmanac

“If you have API keys in your code, even private repos, now is the time to double-check and change them,”  Binance founder Changpeng Zhao said. 

Related: Hackers used AI to craft zero-day attack to bypass 2FA: Google

It comes just a day after Grafana Labs, an open-source data observability company, said on Tuesday it was hit by a supply-chain attack in which malicious actors accessed its GitHub repositories and downloaded its codebase.

The attackers issued a ransom demand under threat of data disclosure, which the firm did not meet.  

This incident also came shortly after the April 28 public disclosure of a critical remote code execution vulnerability, CVE-2026-3854, that allowed authenticated users to execute arbitrary commands on GitHub’s servers.

Wiz Research, which discovered the critical flaw, reported at the time that millions of public and private repositories belonging to other users and organizations were accessible on the affected nodes.

Magazine: DeFi’s billion-dollar secret: The insiders responsible for hacks

Blockchain data platform Bubblemaps said it identified a cluster of Polymarket wallets that collectively earned $2.4 million with a 98% win rate on contracts tied to US military operations.

Nine wallets placed all their major bets just before major military developments, including the Feb. 28 attack on Iran, the killing of Iranian Supreme Leader Ayatollah Ali Khamenei and the US-Iran ceasefire agreement, Bubblemaps wrote in a Monday X post.

The accounts were all funded through centralized cryptocurrency exchanges in a tight timeframe and made some minor losing bets on Feb. 20, which likely served to “avoid attention,” according to Bubblemaps. Four of them each made around $400,000 in profit on their bets that the US would strike Iran on Feb. 28.

The investigation highlights the growing insider trading concerns tied to decentralized prediction markets such as Polymarket and Kalshi. It aimed at curbing insider trading on prediction markets.

Source: Bubblemaps

While the data platform doesn’t have definitive proof that the accounts belonged to insiders, the onchain trail is “symptomatic of someone with an unfair informational advantage,” Nicolas Vaiman, the CEO of Bubblemaps, told Cointelegraph. He added:

“We cannot say with certainty that this was an attempt to hide, but it is suspicious that funds were routed through CEXs and third-party services before funding new Polymarket accounts, effectively covering their tracks.”

US lawmakers seek stricter regulations on war-related prediction market contracts

US lawmakers have previously proposed new laws to fight the growing insider trading concerns tied to military contracts on prediction markets.

On March 10, US Democratic Party Senator Adam Schiff introduced the DEATH BETS Act, which seeks to ban federally regulated prediction markets from listing contracts tied to war, terrorism, assassination and individual deaths.

DEATH BETS Act. Source: Schiff.senate.gov

The bill came shortly after six Polymarket traders netted $1 million by betting on the US strike against Iran.

Separately, in late March, California Governor Gavin Newsom signed an executive order to curb public servants from insider trading on prediction markets tied to political or economic events they can influence.

Related: CFTC no-action letter eases event contract reporting rules

Polymarket, Kalshi, notional volume per category, weekly. Source: Dune

Politics-related contracts are currently the third-largest category on Polymarket, accounting for 12% of notional trading volume, and the fifth-largest on Kalshi, where they account for 0.7% of weekly trading volume, according to Dune data.

Magazine: Inside a 30,000 phone bot farm stealing crypto airdrops from real users 

Banks crash. Payment platforms freeze at the worst possible moment. Trading systems lag during market spikes. Financial software has quietly become the most critical — and most unforgiving — software category in existence.

One bug costs millions. One compliance gap shuts a company down. This guide covers what financial software development actually involves, what the market looks like today, and how to build something that survives contact with reality.

The State of the Market Right Now

JPMorgan employs more technologists than many software companies have total staff. Goldman Sachs has been calling itself a tech company for years — and at this point, arguing with that framing feels pointless. The demand for software development for financial services has spread across three segments: retail banking, institutional finance, and compliance infrastructure. Each has its own rules. Each punishes bad decisions differently.

The shift isn’t just about startups disrupting banks anymore. Established players are moving too, and fast. Companies building at enterprise scale — where platforms covering financial services technology solutions span everything from core banking modernization to AI-driven analytics — face a specific kind of pressure: modernize legacy COBOL systems without taking them offline. That constraint shapes almost every architectural decision.

What’s actively being prototyped and tested right now?

• Real-time payment rails — FedNow launched in the US in 2023. Instant payments have stopped being a differentiator and started being a baseline expectation.
• Embedded finance APIs — Stripe, Plaid, and Unit are letting non-financial companies offer banking features inside their own products. The line between “fintech” and “tech company with a bank account” keeps blurring.
• Tokenized assets — JPMorgan’s Onyx platform processes short-term loan transactions on distributed ledger infrastructure. Whether blockchain becomes foundational or stays niche in finance is still genuinely open.
• Cloud-native core banking — Thought Machine’s Vault platform runs with no mainframes. That’s still unusual enough to be notable.
• Post-quantum cryptography — NIST finalized its first post-quantum standards in 2024. Long-horizon financial firms are already planning migration timelines.

What Financial Software Actually Covers

“Financial software” gets used as if it means one thing. It doesn’t.

Core Banking Platforms

Core banking systems handle transactions, accounts, and ledgers — often still running on IBM Z mainframes in large institutions. Modernizing them is genuinely one of the hardest problems in enterprise software. Temenos, FIS, and Finastra sell packaged solutions. Challenger banks like N26 and Revolut built custom. Both paths come with real costs.

Trading Systems

Low-latency trading infrastructure operates in microseconds. Firms like Virtu Financial have built reputations on near-flawless execution over long stretches — that kind of consistency comes from software precision, not luck. C++ dominates here, and in some cases FPGA programming moves logic to hardware to shave off the latency that matters.

Risk and Payments

BlackRock’s Aladdin manages risk analytics for a substantial share of global institutional assets. Building something comparable isn’t a short engagement — it’s a sustained investment in data science and infrastructure. Payments are a different beast: every card swipe triggers authorization, fraud checks, settlement, and reconciliation in under two seconds. Stripe has turned that complexity into a clean developer API. The infrastructure underneath is anything but simple.

The Technical Stack

No vague “Java is a solid choice” framing here. Here’s what actually gets used.

Languages. Java still dominates enterprise banking — after decades, it’s not going anywhere. Python runs most quant finance and ML workloads. C++ handles latency-sensitive trading. COBOL still processes a significant share of daily global commerce. Yes, in 2025. Kotlin and Swift handle mobile banking. Rust is gaining ground in payment infrastructure where memory safety is non-negotiable.

Databases. PostgreSQL and Oracle handle transactional data with ACID compliance. Time-series databases like kdb+ are standard in trading environments — the query patterns are completely different from typical relational workloads. For distributed high-throughput systems, Apache Cassandra is a common answer.

Cloud. AWS GovCloud, Azure for Financial Services, Google Cloud’s Financial Services APIs — all competing for the same contracts. Capital One’s full migration to AWS became a widely-cited case study. BBVA and Deutsche Bank followed with their own significant cloud commitments.

APIs. Modern financial software development is largely integration work. PSD2 in Europe and CDR in Australia mandated API-first architectures. Every major bank now has a developer portal. Quality varies considerably.

Compliance Is Not Optional

Most teams underestimate this work. By a lot.

• PCI DSS — Non-negotiable for anything touching card data. Certification takes months, not days.
• SOX — US public companies must maintain complete, unbroken audit trails and financial controls.
• GDPR / CCPA — Fines can reach a percentage of global annual revenue. Regulators have demonstrated willingness to use that authority.
• Basel III / IV — Capital adequacy frameworks affecting how banks model and report risk.
• MiFID II — European markets regulation requiring transaction reporting and documented best execution.
• DORA — The EU’s Digital Operational Resilience Act, effective January 2025, requiring demonstrable ICT risk management and resilience testing.

Building compliance in from the start costs a fraction of adding it after launch. The Equifax breach and its aftermath — a massive settlement, years of reputational damage — remains the standard cautionary example for good reason.

AI in Finance — Useful vs. Overhyped

Worth separating the two.

Fraud detection is genuinely mature. Mastercard’s Decision Intelligence scores transactions in real time using graph neural networks that weigh device data, location, merchant context, and behavior history simultaneously. The technology works and has been production-hardened for years.

Credit scoring is more contested. ML-based models can consider far more variables than traditional FICO scoring, and some lenders report meaningful improvement in default rates. Whether every vendor claim holds up to scrutiny is debatable. The directional shift toward richer models is real; the specific results vary by context.

Algorithmic trading has been a serious discipline since the late 1980s. Renaissance Technologies is the famous example — a fund with a long, remarkable track record built on statistical models and continuous retraining. Most hedge funds now use quantitative strategies to some degree.

RegTech is arguably the most underappreciated category. ComplyAdvantage, Behavox, and NICE Actimize use NLP and ML to automate AML screening and transaction monitoring. Manual compliance at modern transaction volumes simply doesn’t scale. These tools are being procured heavily.

Custom Financial Software Development — Build vs. Buy

Buy a packaged solution or build custom? The real answer depends on specifics. That said, some patterns tend to hold.

Buying makes sense when the use case is standard — expense management, simple reporting — or when speed to market matters more than differentiation. If Salesforce Financial Services Cloud covers most of what’s needed, a custom build is a difficult case to justify.

Custom financial software development makes sense when competitive advantage depends on software performance, when existing solutions can’t meet jurisdiction-specific regulatory requirements, or when integration complexity exceeds what packaged products handle well. Revolut, N26, and Chime went custom from day one because no existing platform could support their product roadmap and growth pace. That decision created real complexity — and also created the product.

Common Mistakes in Software Development for Financial Services

These show up constantly — in startups, in enterprise teams, in consultancies.

Underestimating integration complexity. A new lending platform needs to connect with credit bureaus, KYC providers, payment rails, accounting systems, and regulatory reporting infrastructure — simultaneously. Every integration point is a potential failure mode. Mapping them before writing a line of code saves weeks of painful rework.

Ignoring disaster recovery. What happens when the primary database fails? How long does failover take? Financial software needs explicit RPO and RTO targets from day one. “We’ll figure it out later” is how organizations end up explaining to regulators why transactions disappeared.

Security as an afterthought. OWASP Top 10 vulnerabilities appear in production financial systems more often than anyone publicly admits. SQL injection, broken authentication, insecure deserialization — not exotic attack vectors. Running penetration testing only at the end is how critical issues make it to launch.

Over-engineering early. A startup building payment infrastructure doesn’t need multi-region Kubernetes clusters on day one. Build complexity when scale genuinely demands it. Premature architecture burns runway and slows everything down.

Poor audit trail design. Every financial transaction needs a complete, immutable audit trail — not just for compliance, but for debugging production issues when real money is involved. Getting the event log structure right before launch costs far less than redesigning it after.

What’s Actually Coming

Central Bank Digital Currencies have moved from research papers to live pilots. The digital euro is in its preparation phase under the European Central Bank. China’s e-CNY has been tested across multiple cities with wide participation. When CBDCs scale, payment infrastructure will need fundamental rethinking — not incremental updates.

Real-time gross settlement keeps expanding. FedNow, Faster Payments in the UK, Brazil’s PIX — instant settlement is becoming the global baseline. Any financial software being built today should treat real-time settlement as a core requirement, not a future-state feature.

Quantum computing is a longer-term concern but already on the roadmap for firms managing data with long sensitivity horizons. Current encryption standards — RSA, ECC — are theoretically vulnerable to sufficiently powerful quantum hardware. NIST’s post-quantum cryptography standards are finalized. Migration planning isn’t theoretical anymore.

Final Thought

Financial software development is demanding, regulated, technically complex, and high-stakes in ways most software categories simply aren’t. The teams that get it right tend to share common traits: they understand the domain before designing the architecture, treat compliance as a first-class feature rather than a constraint, and don’t pretend good intentions substitute for good design.

The market keeps moving. New rails, new regulations, new attack surfaces. Staying current isn’t optional — it’s the job description.

The US Commodity Futures Trading Commission (CFTC), under Chair Michael Selig, has filed a lawsuit against the state of Minnesota and its officials after lawmakers passed a bill “prohibiting prediction markets-related activities.”

In a Tuesday filing in the US District Court for the District of Minnesota, the CFTC said that Minnesota, Governor Tim Walz, Attorney General Keith Ellison and the state’s director of the department of public safety, Jon Anglin, had passed the “first outright ban” on prediction markets in the country with Senate File (SF) 4760. 

Signed into law by Walz on Monday, the bill amended Minnesota’s statutes to prohibit advertising, creating, operating or otherwise facilitating prediction market platforms, effectively banning them in the state. The law, set to go into effect on Aug. 1, specifically said that the event contracts on prediction markets platforms like Kalshi and Polymarket, including sporting events, military conflicts and weather were effectively “wagers” and therefore prohibited.

Source: CFTC

The CFTC claims in its lawsuit that it has “exclusive jurisdiction” to oversee prediction markets under the Commodity Exchange Act. The commodities regulator asked a court to “preliminarily and permanently” block the Minnesota law based on the legal premise that event contracts on the platforms were “swaps” to be regulated exclusively by the CFTC.

“If permitted to go into effect, Minnesota law will criminalize exchanges that the Commission has expressly approved, as well as event contracts that have been self-certified to the Commission and that the Commission has permitted to be listed,” said the lawsuit. “These consequences directly harm the federal government’s legally protected interest in enforcing federal law.”

Related: Crypto’s CLARITY Act faces partisan fight over ethics on Senate floor

Selig, who currently serves as the sole commissioner in the absence of nominations from US President Donald Trump, has repeatedly claimed that state-level actions against prediction market platforms would be challenged in court. Lawmakers have pressed Trump to nominate additional commissioners to form a five-person bipartisan panel at the CFTC, but the president had not announced any picks as of Tuesday.

Several state authorities have filed complaints challenging prediction market platforms’ activities, specifically alleging illegal sports betting and other prohibited actions, but Minnesota’s law appeared to be the first outright ban passed by lawmakers. The CFTC has recently sided with Kalshi in a state-level action filed in Ohio, as well as against authorities in Connecticut, Illinois, and New York over similar actions against prediction markets.

Source: Michael Selig

Cointelegraph sought comment from Polymarket but did not receive an immediate response. A Kalshi spokesperson said that the Minnesota law was “unenforceable” and a “blatant violation of the constitution and federal law.”

Minnesota passing other laws covering crypto users, investors

On Friday, Walz signed a bill into law permitting Minnesota-based banking institutions and credit unions to offer and perform “certain virtual-currency custody services.” Like the prediction markets ban, the law is set to go into effect on Aug. 1.

Minnesota lawmakers also worked to ban crypto kiosks and ATMs across the state in response to incidents of residents being scammed. Walz signed the bill into law on May 5.

Magazine: Crypto scammers face death, Aussie CGT makes Asian hubs attractive: Asia Express

Galaxy Research raised its CLARITY Act passage odds to 75% after the May 14 Senate Banking vote.

Galaxy Digital’s head of firmwide research Alex Thorn raised his estimate of the CLARITY Act becoming law in 2026 to 75%, citing the Senate Banking Committee’s 15 to 9 bipartisan vote on May 14 as the breakthrough the bill needed.

Thorn posted the timeline in Galaxy Research’s weekly brief on May 16: Senate Banking and Agriculture reconciliation in early June, Senate floor consideration by mid-June, final Senate passage before the end of June, House reconciliation through July, and a potential Trump signature the week of Aug. 3.

U.S. President Donald Trump has directed the Federal Reserve to review whether fintech and crypto firms should receive direct access to the central bank’s payment infrastructure through a new executive order focused on financial technology policy.

Under the order signed Tuesday, titled “Integrating financial technology innovation into regulatory frameworks,” the Trump administration said federal agencies should remove regulations it considers unnecessarily restrictive for financial technology firms operating in digital assets and blockchain services.

Within the order, the White House specifically asked the Federal Reserve to conduct a comprehensive review of its policies governing access to Reserve Bank payment accounts and payment services. Officials were also instructed to examine whether existing rules could be expanded to accommodate non-bank fintech and crypto firms.

Federal Reserve banks currently have authority under the Federal Reserve Act to approve or reject access requests for payment services. In practice, those accounts are typically reserved for licensed depository institutions, a requirement that has pushed several crypto companies to pursue banking-style charters in recent years.

At the same time, the administration asked the Fed to clarify whether the 12 regional Federal Reserve banks can independently approve or deny access to payment accounts, commonly known as master accounts.

Such accounts would allow crypto firms to connect directly to payment systems like Fedwire without depending on intermediary banking partners for dollar settlement and transfers.

Kraken approval intensified industry debate

Pressure around the issue increased after the Kansas City Federal Reserve approved a limited-purpose master account for Payward, the parent company of crypto exchange Kraken, earlier this year.

The arrangement gave Kraken Financial, the company’s Wyoming-chartered banking arm, direct access to core U.S. payment rails used for high-value settlements. According to earlier statements from Kraken Co-CEO Arjun Sethi, the approval represented the “convergence of crypto infrastructure and sovereign financial rails.”

Even so, the account came with restrictions. Under the Federal Reserve’s limited-purpose structure, institutions can access payment systems but cannot earn interest on reserves or borrow from the Fed’s discount window.

Soon after the approval became public in March, several U.S. banking organizations criticized the decision. The Independent Community Bankers of America said it had “deep concerns” about allowing a crypto-focused institution to access the Fed’s infrastructure under a different regulatory framework than traditional banks.

Meanwhile, the Bank Policy Institute argued the Kansas City Fed approved what it described as a “skinny” master account before the Federal Reserve finalized a formal policy governing such arrangements.

Banking groups also raised concerns over Kraken Financial’s status as a Wyoming Special Purpose Depository Institution, or SPDI, since SPDIs are not federally insured like conventional banks. According to those industry groups, granting uninsured institutions direct settlement access could create compliance and financial stability risks.

Back in December, the Federal Reserve released a proposal outlining a framework for limited-purpose master accounts. The proposal described a restricted version of central bank access that would permit payment system connectivity while excluding features traditionally available to banks.

Support for expanding access has also emerged in Congress. Last month, California Representatives Sam Liccardo and Young Kim introduced the Payments Access and Consumer Efficiency Act, known as the PACE Act, which seeks to allow certain non-bank providers access to Federal Reserve payment services.

Although the bill remains in its early stages, crypto industry groups have publicly backed the proposal as part of a push to integrate digital asset firms more directly into the U.S. financial system.

Bitget Wallet said it has integrated xStocks infrastructure, giving its 90 million users access to more than 130 tokenized stocks and ETFs through its self-custodial wallet platform.

The integration expands Bitget Wallet’s tokenized real-world assets offering to more than 300 products, including equities, commodities, precious metals and index-linked assets, according to a Tuesday announcement.

The company said its tokenized equity products have processed more than $30 billion in transaction volume since launching in 2025. The products are not available in the United States, United Kingdom or other restricted jurisdictions, according to the company.

Bitget Wallet said the launch supports both request-for-quote (RFQ) and automated-market-maker (AAM) liquidity models and allows users to trade tokenized assets with zero trading fees and gasless execution.

According to the company, users can access tokenized equities and other real-world assets from the same interface used for cryptocurrency trading, swaps and storage while retaining control of their private keys and funds.

It is now operated by Payward, the parent company of Kraken, which acquired the tokenized equities platform through its purchase of Backed Finance in late 2025.

Related: Ondo brings proxy voting to tokenized stocks and ETFs with Broadridge

Competition grows in tokenized equities market

Crypto exchanges and trading platforms are fast expanding into tokenized equities and stock-linked derivatives offerings.

In March, Coinbase launched stock perpetual futures for international users, offering leveraged 24/7 exposure to publicly traded US equities through its derivatives platform. 

Kraken also expanded its xStocks business recently with bundled crypto-and-equity investment products and tokenized equity perpetual futures for non-US users, while Binance said earlier this year it was exploring a return to tokenized equities after shutting down its stock token business in 2021 following regulatory scrutiny in Europe.

Data from RWA.xyz shows the tokenized equities market has grown to nearly $1.5 billion, with products linked to companies including Circle, Nvidia, Tesla, Alphabet and Strategy among the sector’s largest assets.

Ondo is currently the largest tokenized stocks platform by represented asset value at roughly $883 million, followed by xStocks at about $391.5 million. Several xStocks products linked to Strategy, Tesla, Nvidia and the S&P 500 index rank among the largest tokenized equity assets tracked by RWA.xyz.

Snapshot of global Tokenized Stocks sector. Source: RWA.xyz

Magazine: ETH stalls at $2.4K five times, SOL to rally to $120: Market Moves