In the context of open source, a leaked credential can compromise the software supply chain. If a maintainer’s GitHub token is leaked in a text file, a hacker can inject malicious code into a popular library. When users update that library, they download the malware. This turns one developer's mistake into thousands of victims.
The use of plaintext password storage, particularly in files named password.txt , is a significant security risk. GitHub, a popular platform for version control and collaboration, hosts numerous repositories containing sensitive information, including passwords. This paper examines the prevalence of password.txt files in top GitHub repositories and discusses the implications of such practices. We analyze the risks associated with storing passwords in plaintext and provide recommendations for secure password management. passwordtxt github top