As soon as you push something sensitive to a public GitHub project, you need to immediately assume that it has been noticed and that someone is on their way to try and exploit you. There's a <i>very</i> high chance that it's the case, especially with API keys for services like MailGun, etc, which can be used by spammers.<p>Attackers are using the Github firehose to look for credentials. You need to <i>immediately</i> revoke them.