Bottom Line: CISA published a GitHub repository that, despite being named "Private-CISA," was public and contained secrets and credentials. The security breach was uncovered by Dark Reading.
A publicly accessible GitHub repository of the US agency CISA contained sensitive information. The ironically named "Private-CISA" repository had been viewable by anyone since November 2025.
The Cybersecurity and Infrastructure Security Agency (CISA) had to acknowledge a security breach: its public GitHub repository, which had been accessible to everyone since November 2025, contained secrets and login credentials. Particularly striking is the name of the repository – it was called “Private-CISA,” even though it was a completely public project. The security firm Dark Reading made the incident public, thereby exposing a significant failure in the management of sensitive data. The incident demonstrates how easily critical information can accidentally end up in public code repositories and what risks arise when access controls and naming conventions do not align.