No joke. «GitHub will forward access tokens found in public repositories to Tencent WeChat, who will notify affected users.» In other words, Tencent now has access to all of your public repositories.

Also, Github now has code recognise Tencent access tokens.

> In other words, Tencent now has access to all of your public repositories.

They already did. That's what public means. This is just an optimization to make it harder for WeChat access tokens to be inadvertently compromised without getting noticed.

If you're worried about the Chinese government having inappropriate influence over or access to various things outside China, that's in general a valid concern indeed, but facilitating credential scanning in public repositories really doesn't seem worrying.

I'm shocked by the number of respondents who felt the need to point out what public means.

Tencent already had access to all your public repositories? They're public.

Thats one thing, but its not like they have access to my public instagram photos, tweets or anything like that (/s?)

> We have partnered with Tencent WeChat to scan for *THEIR* tokens

Tencent isn't claiming ownership of these strings, it's claiming that strings with a particular format have special meaning wrt. Tencent's APIs. It has told Github about that format.

This is fundamentally similar to how UPS, DHL etc. document how to recognise their tracking numbers.

"Their" and genitive in general doesn't necessarily mean ownership. It's often used for various sorts of connection. For example, "my address" doesn't claim ownership of either the street or the house, "my age", "my wife", all connected to me somehow but not owned by me.

Not your random string not your coins. Not your random string not your monkey picture.