How We Got a CISA GitHub Leak Taken Down in Under a Day
On May 14, 2026, GitGuardian found what looked like leaked CISA secrets in a public GitHub repository named Private-CISA. It held 844 MB of data across the working tree and Git history. The working tree was 498 MB; the rest was Git history and objects.

The repository contained:

- CI/CD build logs and deployment workflow documentation.
- Kubernetes manifests, ArgoCD application files, and secret-related YAML files.
- Terraform infrastructure code and related bundles.
- GitHub Actions workflows and GitHub organization automation.
- Internal documentation backups, including large OneNote / .docx exports.
- Scripts for GitHub, Kubernetes, ArgoCD, and infrastructure operations.
- References to AWS accounts, IAM identities, service accounts, internal service endpoints, registry locations, and secret-management paths.

The exposed material provided a detailed view into cloud infrastructure, deployment workflows, software supply-chain tooling, and internal operational practices.

At first, we thought it was a hoax: the directory names (Backup-April-2026/, All Backups/, LZ-Artifactory/, Kubernetes-Important-Yaml-Files/, ENTRA ID - SAML Certificates/ ...), file names (external-secret-repo-creds.yaml, CAWS GitHub Token.txt, Important AWS Tokens.txt, AWS-Workspace-Firefox-Passwords.csv, Kube-Config.txt ...), and their contents (private keys, personal and professional GitHub tokens, AWS secrets, ...) seemed too good to be true.

Personal documents, hostnames, and the careful organization of the files changed our minds. The repository was a catalogue of unsafe practices: plain-text passwords, backups committed to Git, and explicit instructions to disable GitHub's secret scanning.

Our research team reported the leak through the CERT/CC portal on May 14 at 4:14 PM CET and worked personal contacts in parallel to speed disclosure.

GitGuardian Public Monitoring surfaced the leak first.
By May 13, our Good Samaritan program had already sent nine emails to the commit author.

By the morning of May 15 we still had only the automatic acknowledgment. With the weekend approaching, we contacted Brian Krebs to forward the leak to his CISA contacts, and activated partners for a direct line in.

Around 16:00 CET on May 15 we reached CISA directly. The repository went offline around 6:00 PM EST on May 15, 2026. Seeing the repository taken down so fast was a relief. Credit to CISA for moving fast — most of our disclosures take far longer, and some are never fixed.

Disclosure Timeline

November 13, 2025 - Creation of the public Private-CISA GitHub repository and first exposures
May 14, 2026 - Incident detected by GitGuardian and reported to CERT/CC
May 15, 2026 - Incident directly reported to CISA by GitGuardian
May 15, 2026 - The Private-CISA GitHub repository is taken offline

Preventing This In Your Organization
The CISA GitHub leak is a reminder that one public repository can expose far more than a few credentials. It can reveal cloud tokens, certificates, CI/CD logs, deployment files, backups, and the operational map that attackers need to move quickly through your systems.

If you are concerned that this could happen to your organization, GitGuardian gives you a clear path from quick validation to full exposure management.

- Check individual credentials with HasMySecretLeaked to see whether a secret has already appeared in public exposure data.
- Run a GitHub Security Audit to understand your company’s public GitHub exposure, including leaks outside repositories you directly own.
- Book a demo with GitGuardian and we can run a more in-depth scan of public repositories on GitHub to help you understand your exposure through developers and contractors.
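
Much of the exposed data sat in Git history rather than the working tree, under file names that announced their contents. The following added example (not GitGuardian's tooling or code from the original article) audits the path names in a repository's full history against name heuristics modelled on the files listed above, and marks which risky paths survive only in history. The patterns, function names and sample layout are assumptions made for illustration.

```python
import re
import subprocess

# Heuristic name patterns modelled on the kinds of paths the article lists.
RISKY = {
    "backup": re.compile(r"back-?ups?", re.I),
    "credential note": re.compile(
        r"(tokens?|passwords?|creds?|secrets?)\b.*\.(txt|csv|ya?ml|docx?)$", re.I),
    "kubeconfig": re.compile(r"kube[-_ ]?config", re.I),
    "certificate or key": re.compile(r"certificates?|\.(pem|key|pfx|p12)$", re.I),
}

def git_paths(repo, *args):
    """Run a git listing command inside `repo` and return the set of paths."""
    out = subprocess.run(
        ["git", "-C", repo, "-c", "core.quotePath=false", *args],
        check=True, capture_output=True, text=True).stdout
    return {line for line in out.splitlines() if line}

def history_paths(repo):
    # Every path touched by any commit on any ref, deleted files included.
    return git_paths(repo, "log", "--all", "--pretty=format:", "--name-only")

def tree_paths(repo):
    # Paths tracked in the current checkout only.
    return git_paths(repo, "ls-files")

def audit(history, tree):
    """Return (path, label, history_only) for each path with a risky name."""
    findings = []
    for path in sorted(history | tree):
        for label, pattern in RISKY.items():
            if pattern.search(path):
                findings.append((path, label, path not in tree))
                break
    return findings

# Constructed sample: names quoted in the article in a made-up layout;
# notes.docx, idp.pem, README.md and src/tokenizer.py are invented.
SAMPLE_TREE = {"README.md", "src/tokenizer.py", "external-secret-repo-creds.yaml"}
SAMPLE_HISTORY = SAMPLE_TREE | {
    "Backup-April-2026/notes.docx",
    "Important AWS Tokens.txt",
    "Kube-Config.txt",
    "ENTRA ID - SAML Certificates/idp.pem",
}

if __name__ == "__main__":
    for path, label, history_only in audit(SAMPLE_HISTORY, SAMPLE_TREE):
        where = "history only" if history_only else "working tree"
        print(f"{label:18} {where:12} {path}")
```

For a real repository, call `audit(history_paths(repo), tree_paths(repo))`. A history-only finding means the file is gone from the checkout but still retrievable from Git objects, so any credential it held should be treated as exposed and rotated.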