CISA Credentials Leaked on Public GitHub Repo

Major security breach: CISA exposed plaintext passwords, SSH keys, and sensitive tokens in public GitHub repository since November 2025.
In a significant security incident that underscores the critical importance of proper credential management, America's Cybersecurity and Infrastructure Security Agency (CISA) has suffered a major breach of sensitive administrative credentials. Security researcher Brian Krebs recently reported that the federal agency inadvertently exposed a substantial collection of plaintext passwords, SSH private keys, authentication tokens, and other sensitive CISA assets through a publicly accessible GitHub repository. The exposure has been active for an extended period, with evidence suggesting the repository remained visible to the public since at least November 2025.
The discovery of this credential exposure incident highlights a troubling gap between the security responsibilities expected of a government cybersecurity agency and the actual operational practices being employed. The repository in question was named "Private-CISA," which demonstrates an ironic disconnect between the intended purpose—keeping materials private—and the actual outcome of making sensitive information publicly available. The repository has since been taken offline, but not before potentially being discovered and exploited by malicious actors during the months it remained accessible.
The alert regarding the exposed repository originated from GitGuardian, a company specializing in secret detection and code security. Guillaume Valadon, a researcher at GitGuardian, found the repository through the company's continuous scanning of public code, the kind of automated monitoring that identifies security failures before the responsible administrators become aware of them. After discovering the exposure, Valadon attempted to contact the repository's owner directly but received no response from CISA regarding the exposed credentials.
According to correspondence between Valadon and Krebs, the situation became significantly more troubling upon examination of the repository's commit history. Evidence from the git logs demonstrates that GitHub's built-in secret protection mechanisms—features specifically designed to prevent developers from accidentally committing sensitive information—had been deliberately disabled by the repository's administrator. This suggests the breach was not merely an oversight but rather a deliberate circumvention of the very safeguards that GitHub provides to protect against exactly this type of security failure.
The implications for federal infrastructure are substantial, because the exposed material included authentication tokens for AWS GovCloud services, which means potential unauthorized access to cloud infrastructure used by the federal government. SSH private keys, if compromised, could enable attackers to access remote systems directly. Plaintext passwords stored in source code repositories represent a fundamental violation of security best practices and create multiple pathways for unauthorized access to critical systems.
This incident raises serious questions about the security culture and training practices within CISA, an organization that bears significant responsibility for advising other federal agencies and private sector entities on cybersecurity matters. The organization's own security failures undermine its credibility as a trusted authority on infrastructure security practices. When the agency tasked with protecting America's critical infrastructure cannot secure its own credentials, it raises concerns about the effectiveness of its guidance to other organizations.
The timeline of the exposure is particularly concerning, as the credentials remained accessible for months before being discovered and reported. During this window, multiple opportunities existed for various threat actors—from individual hackers to sophisticated nation-state entities—to access and exploit the exposed secrets. The actual scope of the breach remains unclear, as determining whether the credentials were discovered and used by unauthorized parties is notoriously difficult.
GitHub's secret protection features, which were disabled in this case, function as a critical last line of defense against developer credential mistakes. These protections alert users when they attempt to commit certain patterns commonly associated with secrets, such as AWS keys, private cryptographic keys, or authentication tokens. By disabling these protections, the repository administrator removed a fundamental safeguard designed specifically for scenarios where human vigilance might fail.
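To make concrete what such a safeguard does, here is an added example of a minimal client-side secret scanner in Python. It is illustration code written for this article, not code from CISA, GitHub or GitGuardian, and its four patterns are my own rough approximations of the secret classes named above (AWS access key IDs, private-key PEM blocks, GitHub tokens and hard-coded password assignments); GitHub's actual rule set is far larger. The sample configuration it scans is constructed and contains no real credentials.

```python
"""Minimal pre-commit secret scanner (added illustration, not CISA's or GitHub's code).

Flags the classes of material GitHub's secret protection is designed to catch.
The regexes below are assumed approximations, not GitHub's real detection rules.
"""
import re
import sys
from typing import NamedTuple


class Finding(NamedTuple):
    rule: str
    line_no: int
    masked: str  # matched value with all but the first four characters masked


# Assumed detection rules, approximating the secret classes the article names.
RULES = {
    # AWS long-term (AKIA) and temporary (ASIA) access key IDs: prefix + 16 uppercase alphanumerics
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    # PEM header of an SSH/TLS private key
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    # GitHub personal/OAuth/user/server/refresh tokens (ghp_, gho_, ghu_, ghs_, ghr_)
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    # password = "..." style assignments with a quoted value of 8+ characters
    "hardcoded_credential": re.compile(r"(?i)(?:password|passwd|secret)\s*[=:]\s*['\"][^'\"]{8,}['\"]"),
}


def mask(value: str) -> str:
    """Keep enough of the match to locate it, but never echo the whole secret."""
    return value[:4] + "*" * max(len(value) - 4, 0)


def scan_text(text: str) -> list[Finding]:
    """Return every rule hit in `text`, ordered by line and then by column."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        hits = []
        for rule, pattern in RULES.items():
            for m in pattern.finditer(line):
                hits.append((m.start(), Finding(rule, line_no, mask(m.group(0)))))
        findings.extend(f for _, f in sorted(hits))
    return findings


def scan_files(paths: list[str]) -> dict[str, list[Finding]]:
    """Scan each readable text file; unreadable or binary files are skipped."""
    results: dict[str, list[Finding]] = {}
    for path in paths:
        try:
            with open(path, encoding="utf-8") as fh:
                hits = scan_text(fh.read())
        except (OSError, UnicodeDecodeError):
            continue
        if hits:
            results[path] = hits
    return results


# Constructed sample file content; none of these values are real credentials.
SAMPLE_CONFIG = """\
[profile govcloud]
region = us-gov-west-1
aws_access_key_id = AKIAEXAMPLEEXAMPLE12
db_password = "correct-horse-battery"
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAA
-----END OPENSSH PRIVATE KEY-----
"""


def main(argv: list[str]) -> int:
    """Exit 1 when secrets are found so a pre-commit hook blocks the commit.

    With no arguments, scans the constructed sample above instead of real files.
    """
    if argv:
        results = scan_files(argv)
    else:
        results = {"<sample>": scan_text(SAMPLE_CONFIG)}
    blocked = False
    for path, hits in results.items():
        for f in hits:
            print(f"{path}:{f.line_no}: {f.rule}: {f.masked}")
            blocked = True
    return 1 if blocked else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run with no arguments and it reports three findings in the sample (the AWS key ID on line 3, the password assignment on line 4 and the private-key header on line 5) and exits non-zero. Wired into `.git/hooks/pre-commit` over the staged file list (for example `git diff --cached --name-only --diff-filter=ACM | xargs python scan.py`), it acts as a local counterpart to GitHub's server-side push protection; the point of the exit status is that the safeguard fails closed rather than relying on a developer noticing a warning.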
The incident exemplifies a broader pattern of security failures in government technology practices. Despite significant investment in cybersecurity infrastructure and the establishment of specialized agencies like CISA, basic operational security measures are sometimes overlooked or actively circumvented. This gap between security responsibilities and actual security practices represents an ongoing challenge for federal information security programs.
In response to the disclosure, CISA has since removed the compromised repository from public access. However, the long-standing nature of the exposure means that any credentials contained within may already be compromised and require immediate rotation. Organizations handling credentials in similar manners face comparable risks, and this incident serves as a cautionary tale about the dangers of disabling security protections designed to prevent exactly these types of failures.
The broader security community has emphasized the importance of treating secrets management with the utmost seriousness. Environment variables, configuration files, and secret management systems should be utilized to keep credentials separate from source code. Additionally, principles of least privilege ensure that even if credentials are compromised, the potential damage is minimized through restricted access permissions.
This incident reinforces the critical need for organizations at all levels of government and industry to maintain rigorous security practices, including regular audits of repository access controls, checks that security protection mechanisms have not been disabled, and sound credential management. The consequences of failing to follow these basic security hygiene practices can be severe, particularly for organizations responsible for protecting critical national infrastructure.
Source: Ars Technica