Grafana says stolen GitHub token allowed attackers to download its codebase (bleepingcomputer.com)
14 points by p_stuart82 33 days ago
1 comment

GH provides an IP allow list and corp proxy capability to enterprise users. Unless the attacker pwned the entire corp network, which is worse than leaking a token, these types of issues can be mitigated. Tokens are useless if they don't originate from a specific IP space or contain the proxy header, but you have to set them up.
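
An added example, not part of the comment above and not GitHub's own tooling: a Python check that flags token activity whose source address falls outside an allow-listed IP space, the condition the comment describes. The CIDR ranges, event records and field names (`token_id`, `action`, `repo`, `source_ip`) are constructed assumptions, not a real audit-log schema.

```python
import ipaddress

# Assumed corporate egress ranges (documentation prefixes, constructed).
ALLOWED_CIDRS = ["203.0.113.0/24", "2001:db8:100::/48"]

# Constructed sample events; the field names are hypothetical.
SAMPLE_EVENTS = [
    {"token_id": "tok-ci", "action": "git.clone", "repo": "example/app", "source_ip": "203.0.113.17"},
    {"token_id": "tok-ci", "action": "git.clone", "repo": "example/app", "source_ip": "198.51.100.9"},
    {"token_id": "tok-dev", "action": "git.fetch", "repo": "example/lib", "source_ip": "2001:db8:100::42"},
    {"token_id": "tok-dev", "action": "git.clone", "repo": "example/lib", "source_ip": "not-an-ip"},
    {"token_id": "tok-ci", "action": "git.clone", "repo": "example/infra", "source_ip": "::ffff:203.0.113.17"},
]


def parse_networks(cidrs):
    """Parse CIDR strings; strict=True rejects entries with host bits set."""
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def is_allowed(raw_ip, networks):
    """Return True only if raw_ip parses and sits inside an allowed network."""
    try:
        addr = ipaddress.ip_address(raw_ip)
    except ValueError:
        return False  # fail closed on unparseable addresses
    # Normalise IPv4-mapped IPv6 (::ffff:a.b.c.d) so it matches IPv4 ranges.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr.version == net.version and addr in net for net in networks)


def flag_outside_allow_list(events, cidrs):
    """Return (token_id, source_ip, repo) for events outside the allow list."""
    networks = parse_networks(cidrs)
    return [
        (e["token_id"], e["source_ip"], e["repo"])
        for e in events
        if not is_allowed(e.get("source_ip", ""), networks)
    ]


if __name__ == "__main__":
    for token_id, ip, repo in flag_outside_allow_list(SAMPLE_EVENTS, ALLOWED_CIDRS):
        print(f"ALERT token={token_id} source_ip={ip} repo={repo}")
```
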