They don't need to proactively scan all of GitHub to exploit this kind of mistake, just active accounts that are known to be involved with cryptocurrency.

GitHub even lets you find them easily: https://github.com/search?q=language%3ASolidity&type=users