I inadvertently committed SES creds to GitHub. The only way I found out by an email from AWS telling me that the creds were suspended 24 hours later for a high reported spam rate.

Someone had sent 70,000 emails (which is the default daily limit at my tier). Luckily only cost ~$8.