The way Git computes diffs is by more or less storing all the source code in the .git directory as objects. At first glance it looks like a bunch of hashes, but tools can pull out source code from the objects tracked within the .git directory. Not least of which, the remote URL points to their username on GitHub and the author for commits can give you their email.
Not least of which, and even more so the URL had an auth secret in it. None of mine do, hence the question. I'm confused, because git has a credentials helper specifically designed to avoid storing secrets like that, or so I thought. So what tool is storing secrets in the git remote URL?
Yes, the git directory has all current and historical versions of the files packed into it, but that's not what the OP used to get information about the scammer.
