And here we go, my new blog article is out:
"Atom plugin "gitlab-integration" leaks your tokens"
TL;DR: When you use the Atom plugin gitlab-integration you should either patch it with the mentioned workaround in the article or stop using it. Definitely you should revoke the personal access token you were using with it.
Looks like things worked out:
Sometimes it just needs a second hint :)
The social network of the future: No ads, no corporate surveillance, ethical design, and decentralization! Own your data with Mastodon!