Still, I think it's unrealistic to expect GitHub to parse through all of their logs. First, it would be non-trivial to detect the malicious behaviour in the first place, and secondly, keeping logs that go back multiple years is certainly non-standard, particularly at the info level.
