A
Welcome to Cybersecurity Today on the Weekend. Cybersecurity Today would like to thank Material Security for sponsoring this podcast. Material Security provides faster, more complete detection and response for email, identity and data threats inside Google Workspace and Microsoft 365. You can contact them at material.security. Imagine you're a researcher who looks for security issues in repos like GitHub, for instance, and your company constantly scans these public code repositories for exposed secrets, automatically alerting the offending accounts of anybody who has apparent sensitive data exposures. Your company has products and services, but this is one of those corporate good citizen things that you do now. You, as the researcher, are in a hotel room halfway across the world. Suddenly you come across a folder that's labeled with the name of a U.S. government agency responsible for cybersecurity. The folder name is CISA Private. Now, at first you think it's some kind of joke, a misunderstanding, just a strange name for a file. I mean, it can't be the Cybersecurity and Infrastructure Security Agency of the United States. That's the agency that is set up to protect government and critical infrastructure from cyber threats. It's supposed to share threat warnings and guidance and support incident response and resilience. They certainly wouldn't put their information out on the open Internet. Until you look and find out what's inside, and you realize this is no joke. This is very real. And the files inside are incredibly sensitive. They detail how CISA builds, tests and deploys software internally. And there are internal CISA and DHS credentials and files, including cloud keys, tokens, plain text passwords, logs, and other sensitive CISA assets. One of the exposed files is titled Important AWS Tokens, including the administrative credentials to three Amazon AWS GovCloud servers.
Another file in the GitHub repository is called AWS workspace Firefox passwords CSV, and it lists plain text usernames and passwords for dozens of internal CISA systems. According to one person, those systems included one called LZ DSO, which appears to be short for Landing Zone DevSecOps, the agency's secure code development environment. As a researcher, you can start to piece together the story. It looks like some employee working for a government contractor was using GitHub to move material from a work device to his home device, and in the process created what this researcher called "the worst leak I've witnessed in my career." So what would you do? Well, you'd find a way to disclose it responsibly. In this case, they enlisted the aid of Brian Krebs. And if you went through this, how would you describe that experience? I thought I'd ask the researcher directly. So I got in touch and we had a conversation about it. He was gracious enough to let me record it and share it with you. The first question I want to ask you: what's it like to be quoted as a source by Krebs on Security?
B
Not expected. Even better: you have my name in the specific URL. If you go on the article, at the end you have tags, and one of the tags is my first name and last name, Guillaume. So if you click on it, then you have Krebs on Security and the tag is Guillaume. So I have my name on Krebs on Security. That's my victory.
A
I'd be happy just if Brian Krebs knew I existed.
B
I decided to contact him. It was a proposal to my CTO and to the CMO because we had to escalate this issue. It was really bad when I discovered it on Thursday. I was in Montreal, by the way, for a conference. And when I woke up it was still there, still publicly accessible. And then I decided to go to Brian. We already exchanged last year on some leaks, but they didn't make the news. But I felt like Brian was one of the good ways to reach out to CISA quickly. And that's what he did. He sent them the leak. However, it was not quick enough. And that's how we also tried to activate personal and professional contacts to try to fix that quickly.
A
For my audience, and for my audience to understand: what is it that you do that caused you to be finding this leak?
B
Oh, that's my job. So GitGuardian is a company that does... the first job was doing secret detection. And we explained in our products a little bit. And the first, I will say, product or idea, it was seven years ago from my boss, the CEO Eric Fourrier, was to look for secrets in GitHub. So he built a tool, which is GitGuardian, what we call public monitoring, which is getting commits, patches from GitHub and looking for secrets. And at first he did that for free. It was a side project before GitGuardian, and we are still running that. It's called the Good Samaritan program. And so if you actually hardcode a secret on GitHub, it's likely that we'll catch it and send you an email. And that's what we do for a living. Of course, we do the same for private. We can scan your GitHub, GitLab, we do Slack, everything. We even scan for secrets on developer laptops. So it's not only scanning, it's like the whole secret life cycle. And my job as a security researcher is about how you should use a secret, what you can do with a publicly leaked secret. And last week I was at first in Austin to discuss Kubernetes secrets and what attackers can do with the secrets and what you can do as a blue team to protect yourself, and also what I found publicly on that in detail. Then I flew to Montreal. I did another presentation of a joint research video with Google, and at the end of the day I was looking into that public monitoring data, and I was specifically looking for Kubernetes secrets because it was like my thing last week, and I found some secrets related to DHS and CISA. I clicked on the link and then discovered what became this Private CISA story. So on a daily basis, one part of my job, and my team's job because I'm not the only security researcher at GitGuardian, is to look at these leaks with, I will say, a security mind, an offensive security mindset, and to try to understand the whole story.
So we have other teams working on it, but us, we have a specific focus on how attackers can use these things.
A
My perception, and I'd love to hear your opinion, is GitHub seems to be full of problems, and we do stories on it almost every day. I'm just amazed at, I will say, the different problems.
B
So here the problem is that people don't realize that it's easy to actually search for any content on GitHub, and also they have bad hygiene. So hardcoding a secret and pushing it to a public repository, it's bad hygiene. So that's the main cause. You have that on GitHub. You have that on GitLab. We see that on Slack, private Slack. I personally built a project from scratch doing some Docker app to scan Docker images. So hardcoding secrets and bad hygiene is something you can find everywhere, really. Humans interact with secrets, or what we call them, non-human identities. That's the word people use, especially with agentic AI, that's a machine talking to a machine. But it's not related to the GitHub hack, the GitHub leaks, the GitHub huge attack from Wiz a few weeks ago; they managed to find a wonderful vulnerability. It's not related to what Microsoft is doing to GitHub. It's something else. It's more generic, unfortunately for the community,
A
than GitHub. And my perception, and obviously this partly would be your company's business, but this doesn't have to be this way. Yes, this is an instrumentation thing.
B
No, it's a bit of everything. I have been working for the French government. I worked for the French government for nine years, at more or less what CISA is; it's called ANSSI, which I think translates to French National Information Security Agency. And we did some really, I will say, hardcore vulnerabilities and hardcore research and super difficult state-sponsored attack studies and so on. And the secrets leak, the hardcoded usernames, passwords, for the, I will say, for the security practitioner, it's not really an issue, it's just a password, it's a secret. That's okay. We have known for years what to do. We should use short-lived credentials. We should use MFA. We know access lists. So an access list should prevent an attacker from connecting to my system, even if they stole my credential. So we have a bunch of techniques to, if not prevent, at least contain the effect of a leak. I joined GitGuardian two years ago, and I will not say that I had that mindset, but for me I was like, it shouldn't be that bad. And eventually, after a few days and two weeks at GitGuardian, I was like, that's crazy. The thing, this is a repository leak. So it's definitely the worst I've seen, probably the worst stuff I've seen in my entire career, not only at GitGuardian. However, every day I'm dealing with leaks like this, for big companies, big organizations. And these leaks, they give access to internal systems, and they're all pretty bad. So CISA is another scale of bad hygiene, likely. I mean individual hygiene. I'm not pushing on CISA because they did a good job of closing it and cleaning it. But the leaks we see every day with my team are all bad.
A
So tell me what it felt like. This is a huge organization. This is the heart of the United States' response to security and cybersecurity. And you're in a hotel in Montreal and you are online and you... When did you realize you were dealing with CISA?
B
Almost immediately, because the repository name was Private CISA. So even though no one does that.
A
Yeah, that was their... one of their security measures was, at least they called the folder private.
B
So it was Private CISA. And I didn't look at the repository at first, because the way our internal system works, or at least the way I like to look at it, is to just have a look at the type of secret, the freshness. Is it leaked recently or not? That's my start. People have different ways of looking into the data sets, but that's my way. It was also related to Kubernetes. So I just clicked on the link and I've seen the information, and at first it was bad for several reasons. The repository was public, the content was weird in the sense that it was a lot of credentials hardcoded, not only the one that triggered my attention for Kubernetes, but also Artifactory and other systems, if I'm correct, Confluence. I'm a bit confused about everything inside, so I might be wrong there. Then finally I saw the email address, which might look like a contractor at CISA. Then I've seen the Private CISA, and then I clicked on the Private CISA and went to GitHub and discovered the whole thing. And at first I really believed it was fake or a hoax, or someone maybe at CISA playing with the secret detection system. Because from time to time we see, like, well-educated people and companies advanced in the cybersecurity field try to decoy and fake secrets, in order to check if we can actually find them in the first place. But these things were bad. So I called a colleague, showed him the link, the leaks, and said, tell me what you think. It's so well organized: you have the file names, backups, your credentials, important, personal data, robots. Like when you go to someone's place and you see the shelves and sometimes you see the books well organized, or when you open a drawer and you see the pens well aligned. It was like that, perfectly stored, perfectly aligned. It was not a mess. And then we made a deeper look, and because of the personal information we got the hint that it was bad. So we did what we do usually, which is responsible disclosure.
So our goal is to go and contact the right person quickly. In that case, we did the disclosure. I did the disclosure to CERT. I just received an acknowledgement really fast. And that's, for me, it was over. It was end of day on May 13, went out, slept, and on Friday 15th it was still there. The Private CISA repository was still publicly accessible. And then by having another look, a fresh look, the other night, I discovered it was even worse than at first. So then here, that's where we decided, we discussed this: should we go to Brian, because he's a journalist, whoever is likely the best person to get this fixed at CISA fast. Again, my fear was, having worked for the federal government for years, that a state actor will actually get that and gain persistence into really important CISA systems. So I don't know if these were important and critical CISA systems, because I didn't want to get in, but it was my fear. So that's why we decided to go to Brian. Brian answered quickly. He told us that he forwarded the case to CISA. Then we also tried to activate contacts in the U.S. It's a bit accelerated: over lunch, midday, quickly, we managed to get email addresses of former and current CISA employees. If I recall correctly, by 4:45 on Friday we got an acknowledgement, and one hour later, around six or so, the Private CISA repository was made private or removed. I don't know if it was made private or removed, because there is no way for us to check that: you get the same message, a 404, on GitHub when it's private or removed. So you don't know. So at least it was not publicly accessible. And it was also really good because I was on my way back to France. I was about to board my plane. So that was really nice. And then it seemed that Brian started to talk with CISA over the weekend to get to know better what they were up to, did they manage to fix it. Obviously, because he's a journalist, he managed to probably ask questions to get to know what it is.
And then he was working on the story. It was not in the news. It was in the news on... it was my night on Tuesday.
A
Yeah. Yeah. And that's when I picked it up and went, wow. We were working on something totally different at the time. Managed to drop that and start working on it.
B
I was on my way to the office on Tuesday morning and just asked my boss, okay, maybe we need to write a piece, even if it's not complete, for the GitGuardian blog. That's what we do. We try to be transparent about what we do. Also, Brian is a journalist. He has a personal view on what happened. He's a US citizen, different from the company. So that's why we decided to try a blog post with facts. And also it was really important for me at that point to write down that CISA did a really good job, and I wanted to express my sincere, we say, thanks. Because they managed to actually move really fast, even though, you can believe it, 24, 26 hours is really long. When we do disclosure, most of the time people don't answer. When they answer, they take days to fix. I managed to fix another really big issue with a US company; it took them five days to actually remove, revoke the secrets. They even closed the case. It was with the bug bounty program. At first they said it's not important, it's not us. So I think CISA fixing in one day is amazing.
A
Yeah, I think that's important. And that's one of the things: our job is not to shame anybody. As journalists, our job is to try and bring these types of stories out so that people can be proactive. And our audience consists of security professionals and management. And one of the questions I would have is, if you were managing a company right now and you're looking at this and saying this was obviously a contractor (the story is that it was a contractor who was doing something fairly innocent, transferring some work so he could take it home and work, and obviously didn't know better), but you have to question, when you're bringing in contractors, when you're bringing in people: do they have the right education? Do you have the right controls? Are there other things that a company should be thinking of to avoid finding themselves in this situation?
B
I believe that CISA and CISA contractors have had their trainings going on for nine years. We are trained and we know that stuff. So I don't know why this happened. However, the repository is telling an interesting technical story, like really bad hygiene. A lot of, a mix of personal information mixed with professional information. So there, when you mix both, when you mix public and private data, it's a bit weird. It's a bit like where you store personal information mixed with source code. For example, you know that if something is going bad, you have the personal data, you have the professional data. Then in the professional data we add bad practices, hardcoded secrets, for example, which is something bad. And a company should actually treat secret leaks as something important. It's really important that people actually tweak and change their mindsets. In a presentation with my colleague Gaetan, we try to educate people and tell them that you are probably leaking secrets, but you don't know it yet. So it's a bit of a catchphrase. But what we want to say there is people in your organization are likely manipulating secrets in a way that might be bad: copying and using secrets from Slack, on Jira tickets. So you need to be aware that the secrets, they are going everywhere and sprawling everywhere. So deeply, you need to think, of course, buy GitGuardian. But first take it as a governance problem. What will happen at your company if a secret is leaked, or if an attacker is able to get into your Slack? And that is more like a governance problem. That's another way of putting the discussion: that's a governance problem. Maybe you can put that into your SOC 2 certification, you can put that into your ISO 27001 program. What will happen if a secret is leaked? So CISO, sorry, SOC 2 and ISO 27001, they have tabletop exercises that you need to do every year. And what I would like people to do is take this example of the leak, the CISA leak, and use it as a,
I will say, a framework, a playbook, a skeleton for an exercise related to secret leaks. Are you able to quickly discover the leak? If not, are you able to quickly know which secrets are still valid? Are you able to quickly revoke, remove the secrets, and so on? So everything that the forensics team or blue team or emergency response team, whatever you are calling them in your organization, whatever these people would have to do, you need to think of that and automate beforehand. So what we know for sure is you have all of these SHYU campaigns, this date, ANTV this week, malicious packages. We had the Mistral company last week. These supply chain attacks, they go after secrets. So you definitely need to be prepared as a company to handle a secret leak, secrets being stolen, and so on. So you need to know what is going on and you need to be able to act fast and revoke.
A
Yeah. The reason this shocks me is, and maybe it's just that I'm old, but in the days when I was running anything in IT in a large company, we had internal audit. And internal audit would do a regular review for the major issues that we would have. And yet there are these large companies not doing simple things like scanning for their own secrets. If you can find them, they should be able to find them. And I find that just amazing.
B
True. I think maybe, yes, you're old. I'm sorry about that. I'm old too. I will soon be 46. But there's a change, because maybe when we started our careers, as old people, I will say, it was the same people doing the development, the website management, the database architecture, distributing the secrets. So maybe what we did in the day was bad. At least we knew that putting a secret as an argument on the command line was not good on a multi-user system, because if you list the process names with ps you will, depending on the operating system, and on most ones, maybe it's not possible on your OpenBSD, but you will get the password. So we knew that. But with the split of teams, the split of responsibilities, maybe this really simple subject of username, password, secrets is spread all over the place. So I will be the guy in, think, IAM, giving the key; you will be the SRE, for example, and we put the key somewhere into the Kubernetes system. The developer will do the code and have the application deployed automatically. So at some point the secret is somewhere, maybe in some organization, no one is really responsible, and that might be one of the reasons. And if you put some more spice on top of it, and the spice is agentic AI, that will likely accelerate everything.
A
So thank you very much for this. This has been great to get your perspective, your firsthand perspective, on how this happens. Well, I don't know whether I wish this to happen to you again. It's nice to have a discovery and some moments of fame, but sometimes it's just nice to have a normal job where you get your work done.
B
Yeah, but it was fun to have my name all over the place. It was not really all over the place, because I didn't receive any message from, I would say, regular friends or family. So it was not on the main French news, for example. So I'm not that famous yet. But still I received a lot of messages from old colleagues, people in the community, a lot of... At first I was a bit scared that people would overreact because, yes, we went to Brian, but what we did, we did for a specific purpose. We needed to have that fixed really quickly. So I was a bit afraid of people judging, and in fact I received a lot of really nice messages on LinkedIn and when talking to people, thanking me for ending the issue really quickly and having this repository fixed, which is only the first stage. And then of course CISA is likely, and I'm sorry for them, spending the weekend working on the incident. But that's another story, another story for them to tell or not, not for me to explain. But it was so nice to receive all of these nice and warm messages, especially coming from the US, because I'm French, not a US citizen.
A
Yeah, by the time this goes to air it'll be Friday, and hopefully you won't be working this weekend. So I'll give you my, what we would say in French in Canada, which is bonne fin de semaine.
B
No, we'll be working it a little bit, but yeah.
A
Thank you. No rest for the weary. Thank you very much.
B
Nice to meet you. Thank you, Mike.
A
And that's our show. I hope this gave some insight into this story and the analysts who are out there trying to keep us safe. And as I noted, GitGuardian is a private company and they sell things to you, but they also provide these free warnings to companies and act as good corporate citizens. So thanks to them, and thanks to Guillaume, who responded to me right away and managed to, in the middle of his nighttime, hook up and do this recording. I'm your host, Jim Love. David Shipley will be back in the news chair on Monday morning, about the time some of you may be in the office asking questions about how our developers and contractors deal with secrets like this. But until then, enjoy your weekend. Here's a question worth asking: what happens after a phishing email slips past your filters? Most email security tools only guard the front door, but attackers are already inside. Material Security is different. It's a unified detection and response platform purpose-built for Google Workspace and Microsoft 365, protecting email, files and accounts all in one place. We're talking automated phishing remediation, account takeover containment, and sensitive data protection without alert fatigue. Find out why companies like Figma, Reddit, and Lyft trust Material to stop the threats other tools miss. See workspace security in action at material.security. That's material.security. And if you do contact them, take a second and say thanks for sponsoring Cybersecurity Today.
Title: Researcher Finds Public GitHub Repo Exposing Sensitive CISA Credentials
Host: Jim Love
Guest: Guillaume (Security Researcher, GitGuardian)
Date: May 23, 2026
This episode dives into a startling real-world breach: how a security researcher discovered a public GitHub repository exposing highly sensitive CISA (Cybersecurity and Infrastructure Security Agency) credentials and assets. The host discusses with the researcher not just the technical and procedural aspects of the leak, but also the broader lessons for organizations, security leadership, and best practices in handling and preventing such breaches.
How it Happened:
Reaction and Escalation:
"It was really bad... what this researcher called the worst leak I've witnessed in my career."
— Jim Love, [01:50]
Guillaume’s Role:
Long-Standing and Widespread Problem:
"Hardcoding secrets and bad hygiene is something you can find everywhere really. Humans interact with secrets or what we call them, non-human identities."
— Guillaume, [07:44]
How the Leak Occurred:
Systemic Failures:
"It was perfectly stored, perfectly aligned... it was not a mess. And then we made a deeper look and because of the personal information, we got the hint that it was bad."
— Guillaume, [12:51]
Responsible Disclosure Process ([13:57]):
Commendable Response:
"I wanted to express my sincere thanks... because they managed to actually move really fast, even though you can believe it, 24, 26 hours is really long."
— Guillaume, [16:00]
Governance Challenge:
"It's really important that people actually tweak and change their mindsets..."
— Guillaume, [18:42]
Audit & Responsibility:
"If you can find them, they should be able to find them. And I find that just amazing."
— Jim Love, [21:08]
Peer Response:
Media and Public Perception:
"At first I was a bit scared that people will overreact... I received a lot of really nice messages from people in the community."
— Guillaume, [23:18]
This episode vividly illustrates that even leading government agencies are vulnerable to elementary but devastating security lapses—especially through third-party contractors and poor secret hygiene. Both the host and guest stress the necessity of robust, organization-wide secret management, fast internal detection and response, and governance frameworks—turning incident stories into learning opportunities for all.
"The leaks we see every day with my team are all bad. So CISA is another scale of bad hygiene likely..."
— Guillaume, [10:30]
For security teams, managers, and C-suite alike, the big takeaway is clear:
You are probably leaking secrets. The priority must shift from shame to proactive governance, automation, and education—before attackers, not just researchers, discover your mistakes.