Congress Is Just Now Demanding Answers About a Leak We Filed in May. Four Times This Week the News Caught Up — Here's the Honest Reason Why.
- Patrick Duggan
- 1 minute ago
- 4 min read
Four stories broke into the headlines this week that we had already written up — one of them almost two months ago. That is the kind of sentence a threat-intel shop is tempted to set in bold and put on a billboard. We are going to resist, because the honest version is more useful than the victory lap, and the honest version includes the part where we were not clever at all.
Here is the ledger. Our date, then theirs.
The CISA leak: us, May 19. Congress, this week.
A contractor for CISA — the federal agency that writes the cybersecurity guidance everyone else follows — kept a public GitHub repository, helpfully named "Private-CISA," containing 844 megabytes of credentials, internal blueprints, and signed certificates, including keys to three AWS GovCloud accounts. It sat in the open from November 2025 to May 2026. Six months. This week, lawmakers in both chambers started demanding answers.
We published it on May 19, under the title "Six Months. 844 Megabytes. Three GovCloud Accounts." The gap between our write-up and the Congressional letter is roughly seven weeks.
Now the humble part, because it matters: we did not find this. GitGuardian's automated scanner caught the repo on May 14. Brian Krebs and the researchers at Seralys did the reporting and notified CISA the next day. The discovery, the confirmation, the shoe-leather — all theirs, and they deserve the credit without an asterisk. What we did was read their work the day it landed, recognize it as the exact class of exposure we scan for in our own stack, and put it in front of readers while it was still fresh. That is a different job than breaking it, and a smaller one. It is just a faster one than a committee.
The irony writes itself and we will let it: the agency whose Known Exploited Vulnerabilities catalog we cross-reference on every single scan left its GovCloud keys on GitHub for half a year. We are not pointing at that to be smug. We are pointing at it because if it can happen there, the "surely not us" reflex every other org runs on is already wrong.
The Gentlemen: us, July 1. The trade press, this week.
A ransomware-as-a-service crew that calls itself The Gentlemen got named this week as one of the year's most active, with a few hundred published victims. We wrote them up on July 1 — "polite enough to brand its passwords, sloppy enough to get breached itself." Their own infrastructure had been popped, and the leak was, as these things go, a gift to defenders. A week's head start, and a better story than the count.
We will not oversell the numbers. Victim tallies drift depending on who is counting and over what window, and we are not going to pretend our figure and theirs are the same measurement. The point is not that our number was bigger. The point is the crew was already on the board here before it was news there.
Patch Tuesday and ColdFusion: the quieter two.
Microsoft's record-breaking Patch Tuesday — 208 CVEs, three zero-days — got recirculated this week. We covered it on June 11, and skipped the volume everyone leads with to point at the one that actually matters: CVE-2026-45657, a wormable, no-click, no-password remote code execution bug in the Windows TCP/IP stack. And the Adobe ColdFusion flaw that CISA added to its exploited list this week, CVE-2026-48282, a perfect 10.0? We gave readers a four-day head start on it yesterday. Neither of those required genius. They required reading the advisory and saying the useful part out loud before the deadline.
So what is the actual reason we keep being early?
It is not prophecy, and it is not that we are smarter than Krebs or GitGuardian or Check Point, who do the primary work we lean on. The honest mechanism is dull: a small operation that reads everything and remembers all of it can move faster than a large, careful process. We have an archive that never forgets and a feed that publishes the moment something is confirmed, so the lag between "a researcher proves it" and "a defender can act on it" collapses. The committee has procedure. The trade cycle has a publishing calendar. We have neither, which for once is the advantage.
And here is the promise that keeps this honest: we are not always ahead, and we say so when we are not. On straight CVE disclosure we rarely beat the field, because nobody reliably does — the whole world is watching the same advisories at the same time. Our real leads live upstream of the headline, in pre-staging and cadence and context, and plenty of weeks the field is out in front of us and we are the ones catching up. A ledger that only ever showed wins would be a marketing document, not a record. This one shows the weeks it went our way. Ask us in a slow week and we will show you the other kind.
Held to about ninety-five percent confidence, as always. The reporting credited above is the researchers' and journalists' own; our contribution is speed and context, not discovery, and we would rather be exactly that useful than pretend to be more.
Every indicator in this post is in the feed. Free.
1.58M+ IOCs, STIX 2.1 / TAXII, 88% novel vs ThreatFox, exploited-CVE leads ahead of CISA. No credit card — a free API key in 30 seconds, and you can audit every claim above against the live endpoints.
