When security researchers refer to a "hot" or popular password dictionary on GitHub, they are usually evaluating its efficiency. A high-quality password list is ordered by probability of use, so that it balances time-to-crack against coverage.
Option B — When you cannot rewrite history (enterprise constraints):
Attackers don't need to compromise repositories directly. They can exploit vulnerabilities in CI/CD workflows. In a technique called "Clone2Leak," attackers trick Git into leaking stored passwords and access tokens when a user clones or interacts with a malicious repository.
Picture this. A developer, rushing to meet a deadline, commits a quick test file to a GitHub repository. It's a simple text file—"config_backup.txt", "creds_temp.json", or the most notorious of all: . He plans to remove it later. But "later" never comes. The file remains on GitHub, exposed to the world. What's the risk? Everything.
On May 16, 2026, Grafana Labs disclosed that an attacker gained access to their GitHub environment and downloaded their entire private codebase. The extortion group CoinbaseCartel claimed responsibility. The attackers simply exploited a misconfigured GitHub Actions workflow that used the pull_request_target trigger.
