CISA Exposed Production Secrets in Public GitHub Repo for Six Months

A Critical Lapse in the Nation’s Watchdog
The agency tasked with securing the United States’ most critical digital infrastructure has spent the last half-year inadvertently leaving its own back door open. The Cybersecurity and Infrastructure Security Agency (CISA) left a public GitHub repository, aptly named “Private-CISA,” exposed to the open web for six months, containing a treasure trove of plain-text passwords, private keys, and administrative tokens.
The leak was discovered by Guillaume Valadon, a researcher at GitGuardian, on May 14. According to Valadon, the repository contained roughly 844 MB of production infrastructure material. The filenames were not obscured; instead, they were labeled with a level of transparency that Valadon described as almost surreal, featuring files such as AWS-Workspace-Firefox-Passwords.csv and external-secret-repo-creds.yaml.
A Roadmap for Attackers
The breadth of the exposed data suggests a potential systemic failure in how the agency manages its cloud environments. Valadon, who previously served at ANSSI—the French equivalent of CISA—noted that the repository acted as a “catalogue of unsafe practices.” Among the leaked assets were tokens for CISA’s internal JFrog Artifactory, Azure registry keys, AWS credentials, Kubernetes manifests, and Entra ID SAML certificates.
Perhaps most damning was the discovery of an explicit how-to guide within the repository detailing how to disable GitHub’s own secret scanning—a feature designed specifically to prevent this type of accidental exposure.
“Each category of secret in the repository unlocks a specific attack path,” Valadon explained. He noted that while individual keys are dangerous, the combination of these assets allows for a full spectrum of attacks, ranging from ransomware extortion to the far more insidious goal of long-term persistence within CISA’s build and deployment pipelines.
Slow Response and High Stakes
The timeline of the disclosure highlights a friction point between federal bureaucracy and the speed of cybersecurity reporting. Valadon initially reported the leak via the CERT/CC portal but received only an automated acknowledgment. It was only after he escalated the situation by alerting security journalist Brian Krebs that the agency moved decisively. By 6 p.m. EST on May 15, the repository was taken offline.
A CISA spokesperson acknowledged the report and stated that the agency is currently investigating. In a statement to The Register, the agency maintained that there is “no indication that any sensitive data was compromised as a result of this incident.” GitHub’s public event logs show no forks of the repository, which suggests it was not widely circulated, but a plain clone leaves no public trace, so the possibility that sophisticated actors discovered and copied it silently cannot be ruled out.
The Human Element of the Breach
The technical failure was compounded by poor identity management. Valadon observed a “mixed-identity pattern” where the committer used both a CISA-issued contractor email and a personal Yahoo email within the same set of commits. Furthermore, the repository was created using a personal GitHub account rather than an enterprise-managed organization.
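The two warning signs described here, committers mixing an organisation address with personal webmail and filenames that announce stored credentials, are both cheap to check before a repository is ever pushed. The following script is an added example, not CISA's or GitGuardian's code; the domain allow-list, the filename heuristic and the sample commit log are constructed for illustration.

```python
import re
from collections import defaultdict

# Hypothetical allow-list of the organisation's own e-mail domains.
ORG_DOMAINS = {"example.gov", "contractor.example.gov"}
# Consumer webmail domains that should not appear in an organisation repo.
PERSONAL_DOMAINS = {"yahoo.com", "gmail.com", "outlook.com", "hotmail.com"}
# Filename fragments that suggest a file holds secrets rather than code.
SECRET_NAME_RE = re.compile(
    r"(password|passwd|secret|token|cred|\.pem$|\.key$|id_rsa)", re.IGNORECASE)


def parse_git_log(text):
    """Parse `git log --format=%H|%an|%ae` output into (sha, name, email) tuples."""
    commits = []
    for line in text.strip().splitlines():
        sha, name, email = line.split("|", 2)
        commits.append((sha, name, email.strip().lower()))
    return commits


def find_mixed_identities(commits):
    """Return authors who committed from both an org domain and a personal one."""
    domains_by_name = defaultdict(set)
    for _sha, name, email in commits:
        domains_by_name[name].add(email.rsplit("@", 1)[-1])
    return {name: sorted(domains)
            for name, domains in domains_by_name.items()
            if domains & ORG_DOMAINS and domains & PERSONAL_DOMAINS}


def find_secret_filenames(paths):
    """Return tracked paths whose basename suggests stored credentials."""
    return sorted(p for p in paths if SECRET_NAME_RE.search(p.rsplit("/", 1)[-1]))


# Constructed sample input standing in for real `git log` / `git ls-files` output.
SAMPLE_LOG = """\
a1b2c3|J. Doe|jdoe@contractor.example.gov
d4e5f6|J. Doe|jdoe_home@yahoo.com
0f9e8d|A. Smith|asmith@example.gov
"""
SAMPLE_FILES = [
    "infra/AWS-Workspace-Firefox-Passwords.csv",
    "k8s/external-secret-repo-creds.yaml",
    "docs/Important AWS Tokens.txt",
    "src/main.py",
]
```

Wired into a pre-push hook or a CI job, either check failing would have blocked the push long before a six-month exposure.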
This lapse comes at a precarious time for CISA. The agency has struggled with leadership stability and has faced significant budget cuts and staffing reductions over the last year. For an organization that spends its days advising the private sector on “cyber hygiene,” the discovery of Important AWS Tokens.txt sitting in a public folder is an embarrassing contradiction that underscores the difficulty of securing modern, API-driven infrastructure.