On May 14, 2026, GitGuardian found what looked like leaked CISA secrets in a public GitHub repository named Private-CISA. It held 844 MB of data across the working tree and Git history. The working tree was 498 MB; the rest was Git history and objects.
The repository contained:
- CI/CD build logs and deployment workflow documentation.
- Kubernetes manifests, ArgoCD application files, and secret-related YAML files.
- Terraform infrastructure code and related bundles.
- GitHub Actions workflows and GitHub organization automation.
- Internal documentation backups, including large OneNote / .docx exports.
- Scripts for GitHub, Kubernetes, ArgoCD, and infrastructure operations.
- References to AWS accounts, IAM identities, service accounts, internal service endpoints, registry locations, and secret-management paths.
The exposed material provided a detailed view into cloud infrastructure, deployment workflows, software supply-chain tooling, and internal operational practices.
At first, we thought it was a hoax: the directory names (Backup-April-2026/, All Backups/, LZ-Artifactory/, Kubernetes-Important-Yaml-Files/, ENTRA ID - SAML Certificates/ ...), file names (external-secret-repo-creds.yaml, CAWS GitHub Token.txt, Important AWS Tokens.txt, AWS-Workspace-Firefox-Passwords.csv, Kube-Config.txt ...), and their contents (private keys, personal and professional GitHub tokens, AWS secrets, ...) were so suspicious that they seemed too good to be true.
Personal documents, hostnames, and the careful organization of the files changed our minds. The repository was a catalogue of unsafe practices: plain-text passwords, backups committed to Git, and explicit instructions to disable GitHub's secret scanning.
Our research team reported the leak through the CERT/CC portal on May 14 at 4:14 PM CET and worked personal contacts in parallel to speed disclosure.
GitGuardian Public Monitoring surfaced the leak first. By May 13, our Good Samaritan program had already sent nine emails to the commit author.
By the morning of May 15 we still had only the automatic acknowledgment. With the weekend approaching, we contacted Brian Krebs to forward the leak to his CISA contacts, and activated partners for a direct line in.
Around 16:00 CET on May 15 we reached CISA directly. The repository went offline around 6:00 PM EST on May 15, 2026. Seeing the repository taken down so fast was a relief. Credit to CISA for moving fast — most of our disclosures take far longer, and some are never fixed.
Disclosure Timeline
- November 13, 2025 - Creation of the public Private-CISA GitHub repository and first exposures
- May 14, 2026 - Incident detected by GitGuardian and reported to CERT/CC
- May 15, 2026 - Incident directly reported to CISA by GitGuardian
- May 15, 2026 - The Private-CISA GitHub repository is taken offline