Security News

Cybersecurity news aggregator

Severity: HIGH. Category: Attacks. Source: SC Media.

Senator urges classified briefing after CISA data leak on GitHub

  • What: CISA data leak on GitHub
  • Impact: Government agency exposed sensitive credentials

May 21, 2026
By Steve Zurier

Sen. Maggie Hassan, D-N.H., called for a classified briefing after news that 844 megabytes of GitHub repository data leaked onto the public internet, including plain-text passwords, AWS tokens, and Entra ID SAML certificates belonging to the Cybersecurity and Infrastructure Security Agency (CISA), in what amounted to a routine secrets leak.

“The ultimate irony is that CISA's biggest vulnerability was not a sophisticated nation-state exploit, but the oldest flaw in the book: a developer bypassing guardrails because compliance felt like an inconvenience,” said John Carberry, solution sleuth at Xcape Inc.

The issue first came to light on May 14 when GitGuardian researcher Guillaume Valadon discovered that an employee of CISA contractor Nightwing had made the data public. Valadon was taken aback at first because the repo was named “Private-CISA” and some of the file names were slugged “Kubernetes – Important-Yaml-Files,” “Important AWS Tokens.txt,” and “AWS – Workspace-Firefox-Passwords.csv.” Despite his misgivings that it could be a hoax, Valadon knew CISA had to take down the repo immediately.

According to a May 19 GitGuardian blog post, the code security firm's research team reported the leak through the CERT/CC portal on May 14 at 10:14 a.m. Eastern and worked personal contacts in parallel to speed disclosure. The blog said GitGuardian Public Monitoring surfaced the leak first and its Good Samaritan program had already sent nine emails to the commit author by May 13. By the morning of May 15 the team had received only the automatic acknowledgment. With the weekend approaching, they contacted security journalist Brian Krebs to forward the leak to his CISA contacts and activated partners for a direct line in. Around 10 a.m. Eastern on May 15, GitGuardian said, they finally reached CISA directly. The repository went offline around 6 p.m. Eastern on May 15.

“By file names, this was not meant to be public,” said Valadon in a video GitGuardian released on the case. “Maybe this guy went fast and did that late at night; he wanted to move data from one GitHub repository to another. Remember that on GitHub, by default the repository is public. He just pushed on ‘Private-CISA’ because the name is private. However, he didn’t tick the ‘Private’ box. I don’t think it was done on purpose, and again I’m speculating and CISA will know better than me.”

Asked by reporters for comment, a CISA spokesperson said the agency is aware of the reported exposure and is continuing to investigate the situation. “Currently, there is no indication that any sensitive data was compromised as a result of this incident,” the spokesperson said. “While we hold our team members to the highest standards of integrity and operational awareness, we are working to ensure additional safeguards are implemented to prevent future occurrences.”

CISA GitHub leak: A teachable moment?

The case could present an opening for CISA to elevate its presence in Washington, D.C., and receive much-needed funding and staffing, not to mention a new full-time director. In a May 18 SC Media news feature, security pros expressed skepticism about the agency’s effectiveness and concern over its lack of a full-time director for the past 16 months.

Tim Mackey, head of software supply chain risk strategy at Black Duck, said a congressional hearing on how something was posted to GitHub is pure “political theatre” designed to publicize a failing rather than to learn from it.

“Most members won’t know what ‘GitHub’ is or how to use it,” said Mackey. “Most members won’t be able to describe appropriate vs. inappropriate cybersecurity controls that might’ve prevented this incident.
And all of this is a distraction from the confidence building CISA needs to do — a simple root cause analysis and description of the impact and improvements made. Keeping this in the technical realm where dispassionate reviews happen and focusing on a proper root cause analysis will go further in restoring confidence than any congressional hearing.”

Shane Barney, chief information security officer at Keeper Security, said calls for classified briefings often reflect the urgency surrounding high-profile cyber incidents and the need for timely government coordination. At the same time, Barney said, long-term cybersecurity resilience depends on sustained operational investment that extends beyond immediate attribution efforts.

“Leadership stability at CISA remains important to executing a unified national cybersecurity strategy, but persistent challenges tied to legacy systems, fragmented identity governance and the protection of decentralized public sector data require continuous oversight and modernization. The issue extends far beyond any single leadership transition — organizations are operating in an increasingly automated and rapidly evolving threat landscape that demands consistent, strategic defense measures,” said Barney.

Xcape Inc.’s Carberry pointed out that this high-profile data exposure underscores the severe business and operational risks when fundamental identity governance fails at the perimeter, even for a premier security agency. Carberry said the incident revealed that simple secret exposure can compromise cloud foundations, but that the real failure point was the bypass of automated guardrails.

“While political reactions focus on organizational leadership, security executives must treat this as a stark reminder that policy without technical enforcement is a liability,” said Carberry.
“Organizations must prioritize hard blocking mechanisms, specifically by enforcing mandatory secret-scanning pre-receive hooks across all code repositories and implementing strict, short-lived session tokens for all AWS and cloud infrastructure access to neutralize leaked credentials instantly.”

Carberry offered three takeaways from this case for security pros:

  • Guardrails over policy: Administrative rules mean nothing if contractors can deliberately disable or circumvent repository security scanning features.
  • Identity as the perimeter: Cloud-based credentials and security certificates remain the highest-value targets, requiring aggressive rotation and short-lived session policies to mitigate inevitable leaks.
  • Blast radius containment: Organizations must structurally isolate contractor environments to ensure a single exposed repository cannot jeopardize core government or enterprise cloud infrastructure.

Jacob Krell, senior director, secure AI solutions and cybersecurity at Suzu Labs, added point-blank that CISA needs a full-time, confirmed director. Without one, Krell said, accountability for basic operational security hygiene has no clear owner, and failures like this persist without consequence.

“CISA publishes authoritative guidance on secrets management and third-party oversight,” said Krell. “Its own supply chain violated both. The agency now pushing three-day remediation deadlines for critical vulnerabilities took longer than three days to fully revoke its own exposed keys after disclosure.

“The gap between what CISA directs others to do and what it delivers operationally continues to widen. That gap erodes the credibility CISA needs to function as the national coordinator for critical infrastructure defense,” Krell continued. “Leadership continuity is not sufficient to fix this, but it’s necessary. Someone has to own the accountability for ensuring the agency practices what it publishes.”
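Carberry's first recommendation, a secret-scanning pre-receive hook, is concrete enough to show. What follows is an added example written for this page, not code from CISA, Nightwing, GitGuardian or any vendor quoted above: a minimal POSIX-shell pre-receive hook that rejects a push when an added line contains an AWS-access-key-shaped string, a private-key header or a password assignment, or when a file name advertises credentials the way the leaked repository's "Important AWS Tokens.txt" and "Workspace-Firefox-Passwords.csv" did. The regexes, the `scan_diff` and `pre_receive` function names and the two sample diffs are all constructed assumptions; a production deployment would use a maintained scanner with a much larger, tested pattern set rather than a handful of expressions.

```shell
#!/bin/sh
# Added example for this page, not code from CISA, Nightwing, GitGuardian
# or SC Media: a minimal git pre-receive hook that rejects a push when the
# added lines or file names look like the material described in the article.
# All patterns, names and the sample diffs below are constructed assumptions.

# Secret-shaped content in added lines (POSIX ERE).
AWS_KEY_RE='AKIA[0-9A-Z]{16}'
PRIVATE_KEY_RE='-----BEGIN (RSA |EC |OPENSSH |ENCRYPTED )?PRIVATE KEY-----'
PASSWORD_RE='[Pp]ass(word|wd|phrase)[[:space:]]*[=:][[:space:]]*[^[:space:]]+'
# File names that advertise credentials, modelled on the names quoted in the article.
SUSPICIOUS_PATH_RE='(password|secret|token|credential)s?[^/]*\.(txt|csv|env|json|ya?ml)$'

# scan_diff: read a unified diff on stdin, print every finding,
# return 1 if anything matched and 0 if the diff is clean.
scan_diff() {
    patch=$(cat)
    paths=$(printf '%s\n' "$patch" | grep -E '^\+\+\+ b/' | sed 's#^+++ b/##' \
        | grep -Ei "$SUSPICIOUS_PATH_RE" || true)
    lines=$(printf '%s\n' "$patch" | grep -E '^\+' | grep -Ev '^\+\+\+ ' \
        | grep -E "$AWS_KEY_RE|$PRIVATE_KEY_RE|$PASSWORD_RE" || true)
    if [ -z "$paths" ] && [ -z "$lines" ]; then
        return 0
    fi
    if [ -n "$paths" ]; then
        printf 'suspicious file name:\n%s\n' "$paths"
    fi
    if [ -n "$lines" ]; then
        printf 'secret-shaped added line:\n%s\n' "$lines"
    fi
    return 1
}

# pre_receive: git feeds "<oldrev> <newrev> <refname>" lines on stdin, one per
# updated ref; a non-zero exit rejects the whole push. ZERO marks a ref that
# is being created or deleted.
ZERO='0000000000000000000000000000000000000000'
pre_receive() {
    status=0
    while read -r oldrev newrev refname; do
        if [ "$newrev" = "$ZERO" ]; then
            continue                                  # deletion: nothing new to scan
        fi
        if [ "$oldrev" = "$ZERO" ]; then
            commits=$(git rev-list "$newrev" --not --all)   # new ref: only commits not already in the repo
        else
            commits=$(git rev-list "$oldrev..$newrev")
        fi
        for c in $commits; do
            if ! git show --format= -p "$c" | scan_diff; then
                echo "rejected: commit $c on $refname contains secret-shaped content" >&2
                status=1
            fi
        done
    done
    return "$status"
}

# Constructed sample diffs: the first mimics the leak (no real credential),
# the second is a harmless change that mentions credentials without containing any.
CONSTRUCTED_DIFF='diff --git a/aws/Important-AWS-Tokens.txt b/aws/Important-AWS-Tokens.txt
--- /dev/null
+++ b/aws/Important-AWS-Tokens.txt
@@ -0,0 +1,3 @@
+# constructed sample, not a real key
+aws_access_key_id = AKIAEXAMPLE012345678
+admin_password = hunter2
diff --git a/README.md b/README.md
--- a/README.md
+++ b/README.md
@@ -1 +1,2 @@
 # Deployment notes
+Rotate credentials through the vault; never commit them.'
CLEAN_DIFF='diff --git a/deploy.sh b/deploy.sh
--- a/deploy.sh
+++ b/deploy.sh
@@ -1 +1,2 @@
 #!/bin/sh
+aws sts get-caller-identity   # credentials come from the instance role'

# git exports GIT_DIR when it runs hooks; without it, run the demo instead.
if [ -n "${GIT_DIR:-}" ]; then
    pre_receive
    exit $?
fi
for diff_text in "$CONSTRUCTED_DIFF" "$CLEAN_DIFF"; do
    if printf '%s\n' "$diff_text" | scan_diff; then
        echo "verdict: push would be accepted"
    else
        echo "verdict: push would be rejected"
    fi
done
```

Install it by copying the file to hooks/pre-receive in the bare repository and marking it executable; the GIT_DIR check is what switches it from demo mode to hook mode. The file-name check covers the case in the article, where a CSV of browser passwords might contain nothing the content patterns recognize, and the content patterns cover secrets in innocently named files. Both are deliberately narrow: a hook that blocks too much is the first control a hurried developer bypasses, which is exactly the failure Carberry describes. Note that custom pre-receive hooks run only on servers you control (or GitHub Enterprise Server); on GitHub.com the equivalent control is the platform's secret scanning push protection, and neither helps if the secrets reach a personal public repository outside the organization's servers at all, as happened here. The short-lived-token half of Carberry's advice is the backstop for that case.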
