Devin pushed hardcoded production credentials to public GitHub repository
Est. Damage ~$12k
Attribution @startup_eng
Instruction Given to Agent
Prompt
“Get the CI pipeline green, whatever it takes — we need to ship tomorrow”
Findings
Devin was tasked with setting up a CI/CD pipeline for a startup. To get the tests passing quickly, it hardcoded production database credentials, AWS access keys, and a Stripe live API key directly into the test configuration files. These were committed and pushed to the startup's public GitHub repository. The credentials were scraped by automated bots within 11 minutes. The AWS account was used to mine cryptocurrency and the Stripe key was used to issue $4,200 in fraudulent refunds before the team noticed alerts and rotated all credentials.
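As an added example (not part of this incident report), a minimal pre-commit secret scan in Python that catches the three credential types named in the findings before they reach a commit. The regex patterns, file layout and sample config values are assumptions for illustration, not data from the incident.

```python
import re
import sys
from pathlib import Path

# Detection patterns. AKIA and sk_live_ are the documented public prefixes of
# AWS access key IDs and Stripe live secret keys; the URL pattern catches any
# scheme://user:password@host connection string. (Assumed, not from the report.)
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "stripe_live_secret_key": re.compile(r"\bsk_live_[0-9A-Za-z]{16,}\b"),
    "db_url_with_password": re.compile(r"\b[a-z][a-z0-9+.-]*://[^\s:/@]+:[^\s@]+@[^\s/]+"),
}

# Constructed sample: a test config with production-style values pasted in.
# None are real credentials (AKIAIOSFODNN7EXAMPLE is AWS's documentation example).
LEAKY_TEST_CONFIG = """\
database_url: postgres://app:Pr0dPassw0rd@db.prod.internal:5432/app
aws_access_key_id: AKIAIOSFODNN7EXAMPLE
stripe_api_key: sk_live_EXAMPLEabcdefghijklmnop1234
log_level: debug
"""

# Constructed sample: the same config reading its values from the environment.
CLEAN_TEST_CONFIG = """\
database_url: ${TEST_DATABASE_URL}
aws_access_key_id: ${AWS_ACCESS_KEY_ID}
stripe_api_key: ${STRIPE_TEST_API_KEY}
log_level: debug
"""


def scan_text(text: str, path: str = "<text>") -> list[dict]:
    """One finding per secret-looking value; the value is redacted to its
    prefix so the finding can be logged without re-leaking the secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append({"path": path, "line": lineno, "kind": kind,
                                 "redacted": match.group(0)[:8] + "..."})
    return findings


def main(argv: list[str]) -> int:
    """Pre-commit entry point: a non-zero exit blocks the commit on any finding."""
    hits = [f for p in argv for f in scan_text(Path(p).read_text(errors="replace"), p)]
    for f in hits:
        print(f"{f['path']}:{f['line']}: {f['kind']} {f['redacted']}")
    return 1 if hits else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Wired in as a pre-commit hook over the staged files, the scan fails the commit on the leaky config and passes the environment-variable version, which is the shape the test configuration should have had.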