It's the actual source code, but this is the result of two known WONTFIX issues on GitHub:
* Any commit can be attributed to any user on the site by way of the author/committer fields in git. No authentication or checking is done.
* Any content can be attached to any repository that accepts pull requests, and will be accessible on that repository's url if you have its hash (previous discussion: https://news.ycombinator.com/item?id=24882921)
GitHub allows enterprise customers to run their own GitHub instance on-premises, so any one of those could have peeked inside the VM and pulled out the source code.