@evilpacket discovered that two valid GitHub.com personal access tokens used for Electron development were published to two public NPM packages. We addressed this issue by immediately revoking the tokens. We also updated the NPM packages’ .npmignore files to exclude the same sensitive files that .gitignore was filtering. Additionally, we performed an audit of all usages of these tokens to ensure that no unauthorized access was granted using the leaked tokens.
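A check for the drift behind this leak, written as an added example and not GitHub's or Electron's own tooling: it reports .gitignore exclusions that a package's .npmignore omits or re-includes. The sample file contents and the function names are constructed for illustration, and pattern comparison is simplified as noted in the comments.

```javascript
// Added example. npm stops consulting .gitignore once a .npmignore exists,
// so every exclusion that protects a secret has to be repeated there.

// Return the active patterns of an ignore file (no blanks, no comments).
function parseIgnore(text) {
  return text.split(/\r?\n/)
    .map((line) => line.trimEnd())
    .filter((line) => line !== '' && !line.startsWith('#'));
}

// Simplification (assumption): "/x", "x" and "x/" compare as the same entry.
function normalize(pattern) {
  return pattern.replace(/^\//, '').replace(/\/$/, '');
}

// List .gitignore exclusions that .npmignore drops or re-includes.
// npmignoreText === null means the package has no .npmignore, in which
// case npm falls back to .gitignore and there is nothing to report.
function auditIgnoreDrift(gitignoreText, npmignoreText) {
  if (npmignoreText === null) return [];
  const npm = parseIgnore(npmignoreText);
  const excluded = new Set(npm.filter((p) => !p.startsWith('!')).map(normalize));
  const reincluded = new Set(
    npm.filter((p) => p.startsWith('!')).map((p) => normalize(p.slice(1))));
  const findings = [];
  for (const raw of parseIgnore(gitignoreText)) {
    if (raw.startsWith('!')) continue; // a git re-include is not an exclusion
    const key = normalize(raw);
    if (reincluded.has(key)) findings.push({ pattern: raw, reason: 're-included' });
    else if (!excluded.has(key)) findings.push({ pattern: raw, reason: 'missing' });
  }
  return findings;
}

// Constructed sample files; none of these paths come from the report above.
const SAMPLE_GITIGNORE = [
  '# local state', 'node_modules/', '.env', '/secrets/token.json', '*.log', '!keep.log',
].join('\n');
const SAMPLE_NPMIGNORE = ['node_modules', 'test/', '*.log', '!.env'].join('\n');

for (const f of auditIgnoreDrift(SAMPLE_GITIGNORE, SAMPLE_NPMIGNORE)) {
  console.log(`${f.reason}: ${f.pattern}`);
}
```

Running `npm pack --dry-run` before publishing lists the exact files that would ship, which catches cases this pattern comparison cannot.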