A bug in a Visual Studio extension that is developed and maintained by GitHub allowed a developer to accidentally commit his AWS access key to a public repository. The bug was confirmed and fixed, but not before hackers (probably coin miners) racked up a $6500 bill on the South African developer's AWS account.
GitHub has apologized for the bug. Visual Studio users of the extension are strongly advised to update it: https://visualstudio.github.com/
And as for including AWS access keys in your repository, yeah... don't do that. Even if your repo is private, it is probably not a good security practice, as illustrated by this poor gentleman's mishap.