Ouch. I have noticed some "extra" use, of Mapbox if I recall correctly, basically stats showing use of some particular services that I hadn't shipped with Poor/WhoGo Maps. But that was such small-scale use that I didn't bother to react to it. I haven't seen anything that could be called malicious. But I have thought about this: the obvious first thing to do is to revoke the key and get a new one. The next step would be to remove the keys from the source and, when running qml/qmlscene, read them from environment variables and, when building the RPM, write them from environment variables into JSON. The keys would still be installed as plain text, but getting them away from GitHub might help. Plain text files in RPMs and on devices could still be a problem, but that seems more difficult to solve.
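
A sketch of the two steps this comment describes, added here as an example and not taken from the comment or from the Poor/WhoGo Maps source: the build step writes keys from environment variables into JSON and fails if one is unset, and the runtime loader lets environment variables override the installed file. The variable names, the `example_service` entry and the JSON file name are assumptions.

```python
import json
import os
import tempfile

# Hypothetical mapping of service name -> environment variable name.
# The page names Mapbox only; "example_service" is a placeholder.
KEY_ENV_VARS = {
    "mapbox": "POOR_MAPBOX_KEY",
    "example_service": "POOR_EXAMPLE_KEY",
}

def keys_from_env(environ=os.environ, required=True):
    """Collect API keys from the environment, never from the source tree."""
    found = {name: environ.get(var, "").strip()
             for name, var in KEY_ENV_VARS.items()}
    missing = sorted(KEY_ENV_VARS[name] for name, value in found.items()
                     if not value)
    if missing and required:
        # Fail the build instead of packaging an empty or partial key file.
        raise RuntimeError("unset key variables: " + ", ".join(missing))
    return {name: value for name, value in found.items() if value}

def write_keys_json(path, environ=os.environ):
    """Build step (e.g. run while building the RPM): environment -> JSON."""
    keys = keys_from_env(environ)  # raises before the file is touched
    with open(path, "w", encoding="utf-8") as f:
        json.dump(keys, f, indent=2, sort_keys=True)
    return keys

def load_keys(path, environ=os.environ):
    """Runtime: installed JSON first, environment variables override it.

    From a checkout (qml/qmlscene) there is no JSON file, so only the
    environment is used.
    """
    keys = {}
    if os.path.isfile(path):
        with open(path, encoding="utf-8") as f:
            keys.update(json.load(f))
    keys.update(keys_from_env(environ, required=False))
    return keys

if __name__ == "__main__":
    # Constructed values, not real keys.
    env = {"POOR_MAPBOX_KEY": "pk.constructed",
           "POOR_EXAMPLE_KEY": "ex-constructed"}
    path = os.path.join(tempfile.mkdtemp(), "keys.json")
    write_keys_json(path, env)
    print(load_keys(path, {}))
```

The generated JSON file belongs in `.gitignore` so it cannot be committed back into the repository.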