wget stores download URLs (and included in them potentially HTTP authentication passwords) in its extended attributes.
Upstream 1.20.1 disables this behavior by default and adds some safeguards, see:
It's already in the tree, I suggest stabilizing 1.20.1 asap.
Author: Jeroen Roovers <email@example.com>
Date: Mon Dec 31 18:00:32 2018 +0100
net-misc/wget: Stable for HPPA too.
Arches and Maintainer(s), Thank you for your work.
New GLSA Request filed.
This issue was resolved and addressed in
GLSA 201903-08 at https://security.gentoo.org/glsa/201903-08
by GLSA coordinator Aaron Bauman (b-man).