Github

incident 2026-05-23
The 'Private-CISA' Leak: A Contractor Left GovCloud Keys and Artifactory Creds Public on GitHub for Six Months
A CISA contractor's public GitHub repo exposed AWS GovCloud admin keys, internal Artifactory credentials, and plaintext passwords to dozens of agency systems for roughly six months.
credential-leak github aws-govcloud secrets-management devsecops cisa
Vulnerabilities 2026-04-29
CVE-2026-3854: A Single Git Push Owned GitHub.com — and 88% of Enterprise Servers Were Still Vulnerable at Disclosure
Wiz disclosed a CVSS 8.7 RCE in GitHub's internal git push pipeline. Any authenticated user could execute arbitrary commands on backend servers with one git push. 88% of Enterprise Server instances were still unpatched on disclosure day.
github github-enterprise-server rce command-injection babeld git ci-cd CVE-2026-3854

The 'Private-CISA' Leak: A Contractor Left GovCloud Keys and Artifactory Creds Public on GitHub for Six Months