Just one open source example … freeradius has an option to log passwords:
log {
destination = files
auth = no
auth_badpass = no
auth_goodpass = no
}
Or another example: The apache web server has a module that dumps all POST data, with passwords, in plain text:
mod_dumpio
allows for the logging of all input received by Apache and/or all output sent by Apache to be logged (dumped) to the error.log file. The data logging is done right after SSL decoding (for input) and right before SSL encoding (for output). As can be expected, this can produce extreme volumes of data, and should only be used when debugging problems.
I don’t agree that this is “absolutely malice”, it could also be stupidity and forgetfulness.
I got it a few times over the last years, once on the steam deck.