How We Got a CISA GitHub Leak Taken Down in Under a Day
Blog post from GitGuardian
On May 14, 2026, GitGuardian discovered potentially leaked secrets from the Cybersecurity and Infrastructure Security Agency (CISA) in a public GitHub repository named Private-CISA. The repository contained 844 MB of data, including CI/CD build logs, Kubernetes manifests, Terraform infrastructure code, and more, exposing cloud infrastructure details and internal operational practices. Initially perceived as a potential hoax due to suspicious file naming, the repository was later confirmed to contain real sensitive information, such as plain-text passwords and AWS secrets. The GitGuardian team reported the leak through the CERT/CC portal and contacted journalist Brian Krebs for assistance in reaching CISA. GitGuardian's efforts, including alerts from its Good Samaritan program, led to the repository being taken offline by May 15, 2026. That is a swift resolution compared with typical disclosure timelines, and it highlights the collaboration between GitGuardian, CISA, and other stakeholders in addressing the security breach.