www.darkreading.com 5/19/2026, 8:22:43 PM · via preferred

CISA’s private GitHub repo leaked passwords for months

GitGuardian researcher Guillaume Valadon revealed that a public GitHub repository belonging to the Cybersecurity and Infrastructure Security Agency (CISA) contained 844MB of sensitive data, including plain-text passwords, authentication tokens and other secrets. The repository, ironically named “Private-CISA,” had been publicly accessible online since 13 November 2025.

Valadon said he first discovered the exposed repo on 14 May, after GitGuardian’s Public Monitoring flagged it the day before, and that the repository was real, with secrets inside it. The exposure followed a broader pattern of organisations failing to contain secrets, with eager threat actors potentially able to access the data. After being alerted, CISA took the repo down in just over 24 hours, with Valadon noting that assistance from cybersecurity journalist Brian Krebs helped elevate the issue.

Dark Reading contacted CISA for comment, but the agency did not respond at press time. Valadon emphasised that some secrets remained visible to outsiders until removal. The story highlights high-risk practices such as plain-text passwords, backups committed to Git, and instructions to disable GitHub’s secret scanning.


Article by CyberSIXT