https://blog.gitguardian.com/how-we-got-a-cisa-github-leak-taken-down-in-26-hours

Researchers at GitGuardian discovered a public GitHub repository named “Private-CISA” containing 844 megabytes of sensitive data belonging to the United States Cybersecurity and Infrastructure Security Agency (CISA), the federal body responsible for coordinating the defence of civilian government networks and critical infrastructure. The repository had been publicly accessible since 13 November 2025 and contained plain-text passwords, AWS access tokens, Microsoft Entra ID SAML certificates, Kubernetes manifests, Terraform infrastructure code, CI/CD build logs, GitHub Actions workflows, and internal operational documentation including OneNote and Word file exports. Some of the exposed credentials were still valid at the time of discovery. By 13 May, GitGuardian’s automated monitoring platform had already sent nine alert emails to the commit author; a full day later the research team escalated the matter through CISA’s formal disclosure channels and received only an automated acknowledgement. With the weekend approaching and no substantive response, GitGuardian contacted journalist Brian Krebs, who used his direct contacts at CISA, and the repository was taken offline by approximately 6:00 PM on 15 May, within 26 hours of the formal report being filed.

The contents of the repository represented far more than a collection of leaked credentials. Taken together, the exposed material amounted to an operational map of CISA’s cloud infrastructure: references to AWS accounts and IAM identities, internal service endpoints, secret management paths, ArgoCD application files, and explicit instructions for GitHub organisation automation. The repository also contained what GitGuardian described as a catalogue of unsafe practices: plain-text passwords stored in CSV files, infrastructure secrets committed directly to Git history, and documentation that instructed users to disable GitHub’s native secret scanning. Git history compounds credential exposure because deleting a file from the working tree does not remove it from the repository: every earlier commit still carries the secret, and anyone holding a clone can recover it with a single command. Purging it requires rewriting history, a step that is often overlooked, that invalidates every existing clone and fork, and that cannot reach copies already fetched by third parties. The only reliable remedy for a credential that has been pushed to a public repository is to treat it as compromised and rotate it.

For Australian organisations subject to the Essential Eight maturity model or the Protective Security Policy Framework, the incident reinforces two points: automated secrets detection must cover every repository where an organisation’s code or credentials might land, not only the repositories it owns, and contractors or developers pushing to repositories outside the organisation’s control create exposure that is invisible without active monitoring of public sources. That CISA, an agency whose mandate is to improve the security posture of others, sustained a six-month exposure of this kind is a pointed reminder that secrets hygiene demands continuous operational attention, not a one-time configuration exercise.
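The two technical points above, that secrets survive in Git history after the file is deleted and that detection has to be automated rather than manual, as an added example in Python. This is not GitGuardian’s scanner and not code from the post. The secret-format patterns are the publicly documented shapes of AWS access key IDs and GitHub tokens, the 3.0-bit entropy cut-off is an assumption chosen for the demo, and the Terraform, env-file and CSV inputs are constructed (the AWS values are Amazon’s published example credentials, not live keys).

```python
# Added example, not GitGuardian's scanner and not code from the post. Inputs are
# constructed; the AWS values are Amazon's published example credentials.
import csv
import io
import math
import re
import subprocess
from dataclasses import dataclass
from typing import List, Optional

# Documented secret formats get exact patterns; anything else falls back to a
# generic "name = value" rule gated by an entropy check.
SPECIFIC_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)(?:aws_)?secret(?:_access)?_key\s*[=:]\s*[\"']?([A-Za-z0-9/+=]{40})"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "pem_private_key": re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"),
}
GENERIC_ASSIGNMENT = re.compile(
    r"(?i)(?:password|passwd|secret|token)\s*[=:]\s*[\"']?([^\s\"',;]{8,})")
MIN_ENTROPY_BITS = 3.0  # assumed cut-off; below it, values like "changeme" are placeholders
CSV_SECRET_COLUMN = re.compile(r"(?i)pass(word)?|secret|token")

@dataclass
class Finding:
    kind: str
    line_no: int
    redacted: str                 # the full secret is never stored or printed
    commit: Optional[str] = None  # set when the hit comes from git history

def shannon_entropy(value: str) -> float:
    """Bits per character; random tokens score high, dictionary words score low."""
    n = len(value)
    counts = {ch: value.count(ch) for ch in set(value)}
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def redact(value: str) -> str:
    return f"{value[:4]}...{value[-2:]}" if len(value) > 8 else "***"

def scan_text(text: str, commit: Optional[str] = None) -> List[Finding]:
    """Line-by-line scan; the generic rule runs only where no documented format hit."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        hit = False
        for kind, pattern in SPECIFIC_PATTERNS.items():
            for m in pattern.finditer(line):
                value = m.group(1) if m.lastindex else m.group(0)
                findings.append(Finding(kind, line_no, redact(value), commit))
                hit = True
        if hit:
            continue
        for m in GENERIC_ASSIGNMENT.finditer(line):
            if shannon_entropy(m.group(1)) >= MIN_ENTROPY_BITS:
                findings.append(Finding("generic_assignment", line_no, redact(m.group(1)), commit))
    return findings

def scan_csv(text: str) -> List[Finding]:
    """Flag every populated cell under a header that names a password or token."""
    reader = csv.DictReader(io.StringIO(text))
    secret_cols = [c for c in (reader.fieldnames or []) if CSV_SECRET_COLUMN.search(c)]
    findings = []
    for row_no, row in enumerate(reader, 2):  # row 1 is the header
        for col in secret_cols:
            if row.get(col):
                findings.append(Finding("csv_plaintext_" + col.lower(), row_no, redact(row[col])))
    return findings

def scan_git_history(repo_path: str) -> List[Finding]:
    """Walk every commit reachable from any ref. `git log --all -p` prints removed
    (-) lines as well as added (+) ones, so a secret committed and later deleted
    from the working tree still surfaces, tagged with the commit it appears in."""
    out = subprocess.run(
        ["git", "-C", repo_path, "log", "--all", "-p", "--no-color", "--format=__COMMIT__ %H"],
        check=True, capture_output=True, text=True, errors="replace").stdout
    findings = []
    for chunk in out.split("__COMMIT__ ")[1:]:
        commit, _, diff = chunk.partition("\n")
        findings.extend(scan_text(diff, commit=commit.strip()))
    return findings

# Constructed inputs in the shapes the post lists: Terraform, env files, CSV exports.
SAMPLE_TF = """# constructed Terraform fragment
provider "aws" {
  region     = "us-east-1"
  access_key = "AKIAIOSFODNN7EXAMPLE"
  secret_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCyEXAMPLEKEY"
}
"""
SAMPLE_ENV = """DB_HOST=db.internal.example
DB_PASSWORD=Tr0ub4dor&3xample
API_TOKEN=ghp_0123456789abcdefghijklmnopqrstuvwxyz
ADMIN_PASSWORD=changeme
"""
SAMPLE_CSV = """system,username,password
vpn-gateway,svc_backup,P@ssw0rd-2024
wiki,jdoe,correct horse battery
"""
```

`scan_text(SAMPLE_TF)` returns the access key ID and the 40-character secret as two redacted findings, `scan_text(SAMPLE_ENV)` reports the high-entropy password and the GitHub token once each while skipping the `changeme` placeholder, and `scan_csv(SAMPLE_CSV)` flags both rows of the password column. Pointing `scan_git_history` at a clone walks every commit reachable from any ref, which is where a secret deleted from the working tree still lives. Rewriting history (for instance with `git filter-repo`) removes those commits from your copy but not from forks or clones made earlier, so a key that surfaces in history should be rotated rather than merely scrubbed.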