CISA Exposes Sensitive Data on Public GitHub Repository
The **Cybersecurity and Infrastructure Security Agency (CISA)** inadvertently exposed 844MB of sensitive data, including plaintext passwords and authentication tokens, in a public **GitHub** repository. The repository, ironically named "Private-CISA," was accessible for over six months, highlighting the ongoing challenge of secrets management.
It seems every organization is exposing secrets on the Internet these days, even the US government.
**GitGuardian** researcher **Guillaume Valadon** revealed he discovered a public **GitHub** repository belonging to the **Cybersecurity and Infrastructure Security Agency (CISA)** that contained 844MB of sensitive data, including plain-text passwords, authentication tokens, and other secrets. Despite being named "Private-CISA," the repo had been publicly accessible online since Nov. 13, 2025.
In a [blog post](https://blog.gitguardian.com/how-we-got-a-cisa-github-leak-taken-down-in-26-hours/), **Valadon** said he first discovered the exposed repo May 14 after **GitGuardian's** Public Monitoring, which continuously scans public sources like **GitHub** for leaked secrets, flagged the repository the day before. After taking a peek, he first suspected it was a hoax because the contents of the repo "seemed too good to be true."
Alas, the repo was real, and so were the secrets contained inside. **CISA's** blunder marks the latest example of an unfortunate trend: organizations failing to contain the sprawl of secrets and accidentally exposing sensitive datasets on the Internet, where eager threat actors stand ready to sweep them up.
## Attackers Gain 'Detailed View Into Cloud Infrastructure'
**Valadon** found the repo contained some eye-popping directory names and file names, including "Important AWS Tokens.txt" and "ENTRA ID - SAML Certificates/". In fact, the repo contained not only those tokens and **SAML** certificates but plain-text passwords, private keys, and other credentials, some of which were still valid.
Additionally, the repo housed CI/CD build logs, deployment workflow documentation, **Kubernetes** manifests, **GitHub Actions** workflows, **GitHub** organization automation, and a host of **AWS** data, such as user accounts, identity and access management (IAM) data, service accounts, and secret-management paths, among other items.
"The exposed material provided a detailed view into cloud infrastructure, deployment workflows, software supply-chain tooling, and internal operational practices," **Valadon** wrote.
**Dark Reading** contacted **CISA** for comment, but the agency did not respond at press time.
It's unclear if the secrets have been accessed in the six months the repo's been online. Studies have shown that attackers monitor cloud assets like **GitHub** repos for exposed secrets and can [jump on leaks within mere minutes](https://www.techtarget.com/searchsecurity/news/366542352/Attackers-discovering-exposed-cloud-assets-within-minutes) of the data going online.
**Valadon** tells **Dark Reading** that an "authoritative answer will require **GitHub's** cooperation," because external views of repos are limited.
"What we can see from outside is that the repository was never forked, based on public **GitHub** events. That's a weak but real signal that it didn't circulate widely," he says. "We can't observe clones from the outside, so we can't rule out that an individual downloaded a copy, but that's an inference, not a confirmation."
## CISA's High-Risk Practices Led to Exposure
The good news is that after **Valadon** alerted **CISA**, the agency took down the repo in just over 24 hours, although he noted that it took some assistance from cybersecurity journalist **Brian Krebs**, who connected with his contacts at the agency and elevated the issue.
"Credit to **CISA** for moving fast; most of our disclosures take far longer, and some are never fixed," **Valadon** wrote.
The bad news is, **CISA** personnel were engaging in high-risk behavior. "The repository was a catalogue of unsafe practices: plain-text passwords, backups committed to Git, and explicit instructions to disable **GitHub's** secret scanning," he wrote.
**Valadon** tells **Dark Reading** that based on an analysis of the repo, the most likely explanation is that because some of the commits contained hardcoded secrets, **GitHub's** push protection feature was blocking the pushes. "Rather than remove the secrets, someone documented how to disable the control so the commits would go through," he says.
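The two controls named here, secret scanning and push protection, are reported per repository in the `security_and_analysis` object of GitHub's REST API. As an added example (not from the article, GitGuardian, or CISA), the following Python audits repository records for public repos where either control is not enabled or whose name suggests the owner meant it to be private; the sample records, the name pattern, and the function names are constructed for illustration.

```python
import re

# Name fragments that suggest the owner believed the repo was not public
# (assumed list for illustration; tune it to your organization's naming).
INTENT_PRIVATE = re.compile(r"(private|internal|confidential|secret)", re.IGNORECASE)
CONTROLS = ("secret_scanning", "secret_scanning_push_protection")

def control_status(repo, control):
    """Return 'enabled', 'disabled', or 'unknown' when the field is absent
    (GitHub omits security_and_analysis for callers without admin access)."""
    sa = repo.get("security_and_analysis") or {}
    return (sa.get(control) or {}).get("status", "unknown")

def audit_repo(repo):
    """Return a list of finding strings for one repository object."""
    findings = []
    if repo.get("visibility") != "public":
        return findings  # this audit only covers publicly visible repos
    if INTENT_PRIVATE.search(repo.get("name", "")):
        findings.append("name-suggests-private-but-public")
    for control in CONTROLS:
        status = control_status(repo, control)
        if status != "enabled":
            # 'unknown' is reported too: an unverifiable control is not a passing one
            findings.append(f"{control}:{status}")
    return findings

def audit_org(repos):
    """Map repo name -> findings, keeping only repos with at least one finding."""
    report = {}
    for repo in repos:
        findings = audit_repo(repo)
        if findings:
            report[repo["name"]] = findings
    return report

def _sa(scan, push):
    """Build a constructed security_and_analysis object for the samples."""
    return {"secret_scanning": {"status": scan},
            "secret_scanning_push_protection": {"status": push}}

# Constructed sample records shaped like GitHub REST API repository objects.
SAMPLE_REPOS = [
    {"name": "Private-Example", "visibility": "public",
     "security_and_analysis": _sa("disabled", "disabled")},
    {"name": "docs-site", "visibility": "public",
     "security_and_analysis": _sa("enabled", "enabled")},
    {"name": "internal-tools", "visibility": "private", "security_and_analysis": None},
    {"name": "build-scripts", "visibility": "public"},  # field omitted by the API
]
```
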
This, **Valadon** adds, is bad practice that mature organizations shun. Instead, they treat such security features like