Protecting valuable assets such as internal source code should be a high priority to organizations, especially to those that rely on it for sensitive operations. Attackers have on multiple occasions drawn out long campaigns to take advantage of such vulnerabilities like the use of default credentials, and it is possible for attackers to plant backdoors or add other vulnerabilities when they have administrative access to source control servers. API keys and other authentication tokens should never be stored in source code, but attackers with access to source control servers can review prior versions of the code to find sensitive information that was previously identified and removed. In a broader sense, new implementations of any technology, not just source version control, need security in mind from the start to help prevent high-value exposures such as this. Lastly, understanding where sensitive technologies are located can be equally crucial as source control can be behind various authentication and authorization controls to verify that the right users are allowed to access sensitive information.

Resources and References:

https://www.zdnet.com/article/nissan-source-code-leaked-online-after-git-repo-misconfiguration/