Re: A git bug?
Hidden files are a pretty common pattern for many software projects' configuration files though. Heck, even the .gitignore file is a hidden file.
I think there's a good reason to not have "sane defaults" for a gitignore file, because whatever one person might consider a perfectly fine set of things to ignore will be someone else's things they want committed.
I think in a case like this, while code hosting services could add warnings or block credentials, ultimately the onus is on the user to understand what they are committing.