It seems that the keys for the Git repo were stolen from Slack. However, Slack is very sure that no user data was stolen. Well, that's yet to come. Because as I know private repositories, there is still a lot of CI/CD hanging behind them. This means that Slack actually has to renew the complete signing for their software, etc., immediately, because you never know what is lying around in some old feature branches.
I find Slack's approach to advisories particularly strange. The advisory has the "noindex" flag set on the advisory site[1]. This means that even here they try to hide their mistakes from the omniscient eye of Google. Also, the advisory was somehow backdated. It should already have been published on 31 December 2022. According to archives, it was listed for the first time 5 days later[2]. Since I don't believe that the date was backdated by the author, I rather assume that they simply forgot to click Publish. There were only stolen keys with which you could pull the complete repo. Oh well, you can also check in code with such keys - but well, who cares about that.
One more small note: I've never seen a repository that didn't have credentials for Mongo, Postgres or other databases hanging around.
[1] Slack Original Advisory
[2] Slack Advisory at wayback machine