In late February I discovered two public repositories on GitHub with a similar name to an Organisation I follow. Intrigued, I forked the repo and cloned it. I took a look at the git log. There were approximately 2 years of commits from three Authors to two branches (master and oeportal). Although I didn't recognise the GitHub user that published the repo, the email addresses of the Authors were familiar.
I skimmed through the code. It looked like an app for business financial management. There were Views for purchasing, receipting, budgets and expenditure. The application was built with an old version of the Laravel framework, which has SQLi and RCE vulnerabilities. Along with the code there was a compressed database dump. With the database you could get the app running locally in a container. From the code you could work out where on the internet the app was running. Some of the Views included content loaded from a third-party site. Several files in the repo contained things that shouldn't be posted to the internet: usernames, passwords and API keys. The database dump also contained usernames, email addresses, passwords (hashed) and API keys for the third-party site.