Despite repeated warnings, developers continue to embed sensitive credentials such as keys, tokens, and passwords in their source code, leading to security breaches, as evidenced by Uber's 2015 incident and the thousands of secrets found in Python projects on PyPI. This widespread issue persists across various programming languages and repositories, with some exposed credentials still active and posing security risks. Secure alternatives for credential management do exist, such as environment files and secret management services provided by cloud platforms.