CISA Left Massive ‘Private’ GitHub Repo Public for Six Months, Leaking Infrastructure Secrets

A Catalogue of Unsafe Practices
The U.S. Cybersecurity and Infrastructure Security Agency (CISA), the federal body tasked with safeguarding the nation’s critical digital infrastructure, spent six months leaving a goldmine of sensitive data open to the public. A GitHub repository titled “Private-CISA”—which was, in reality, anything but private—contained plain-text passwords, private keys, and infrastructure tokens, some stored in files with filenames so explicit they appeared to be a prank.
The exposure was uncovered on May 14 by Guillaume Valadon, a researcher at GitGuardian. According to Valadon, the leak was staggering in its scale, comprising roughly 844 MB of production infrastructure material. Among the most egregious finds were files named ‘external-secret-repo-creds.yaml’ and ‘AWS-Workspace-Firefox-Passwords.csv’. Valadon noted that the directory structure was so blatantly suspicious—with folders like ‘Kubernetes-Important-Yaml-Files/’ and ‘ENTRA ID – SAML Certificates/’—that he initially questioned if the entire repository was a hoax.
The Technical Fallout
The breadth of the leak provided a comprehensive roadmap of CISA’s internal environment. Valadon reported that the repository included tokens for CISA’s internal JFrog Artifactory, Azure registry keys, AWS credentials, and Kubernetes manifests. It also contained ArgoCD application files, Terraform infrastructure code, GitHub personal access tokens, and Entra ID SAML certificates.
Beyond the raw data, the repository revealed a systemic disregard for basic security hygiene. Valadon described it as a “catalogue of unsafe practices,” citing the use of plain-text password storage and the habit of committing backups directly to Git. Most alarming was the discovery of an explicit how-to guide within the repo detailing how to disable GitHub’s own secret scanning—the very tool designed to prevent this type of leak.
The human element added further risk. The committer utilized a mix of a CISA-issued contractor email and a personal Yahoo account across the same commits, while the repository itself was created via a personal GitHub account. This “mixed-identity pattern,” Valadon explained, is notoriously difficult for corporate security teams to monitor and is often the primary catalyst for high-impact leaks.
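The two failure modes described above, secrets committed in plain text under self-describing filenames and commits from a mix of organisational and personal identities, are both mechanically detectable before a push ever reaches a public remote. The script below is an added example written for this page, not GitGuardian's or CISA's tooling: it scans a working tree for well-known credential formats (AWS access key IDs, GitHub personal access tokens, PEM private-key headers, generic `password:` assignments) and for filenames that announce their contents, then checks commit author e-mail domains against an allowlist. The sample repository, e-mail addresses and domain names are constructed for the demonstration.

```python
"""Pre-push audit for two leak patterns: plain-text secrets in the tree and
commits authored from domains outside the organisation's allowlist.
Example code written for this page; the sample tree below is constructed."""
import re
from collections import Counter

# Content rules: widely documented token formats plus a generic password line.
CONTENT_RULES = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github-pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private-key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "password-assignment": re.compile(r"\bpassword\s*[:=]\s*\S+", re.IGNORECASE),
}
# Filename rules: names that describe their own sensitive contents.
FILENAME_KEYWORDS = ("secret", "cred", "password", "token", "id_rsa", ".pem", ".key")


def scan_file(path, text):
    """Return (path, rule, line_no) findings for one file; line_no 0 is a filename hit."""
    findings = []
    if any(k in path.lower() for k in FILENAME_KEYWORDS):
        findings.append((path, "filename", 0))
    for n, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in CONTENT_RULES.items():
            if pattern.search(line):
                findings.append((path, rule, n))
    return findings


def scan_tree(files):
    """files maps path -> content. Returns every finding across the tree."""
    out = []
    for path in sorted(files):
        out.extend(scan_file(path, files[path]))
    return out


def foreign_author_domains(emails, allowed_domains):
    """Commit author e-mail domains that fall outside the allowlist (mixed-identity check)."""
    domains = Counter(e.rsplit("@", 1)[-1].lower() for e in emails)
    return sorted(d for d in domains if d not in allowed_domains)


def audit(files, commit_emails, allowed_domains):
    """Combine both checks; block_push is True if either one fires."""
    findings = scan_tree(files)
    foreign = foreign_author_domains(commit_emails, allowed_domains)
    return {
        "findings": findings,
        "by_rule": dict(Counter(rule for _, rule, _ in findings)),
        "foreign_domains": foreign,
        "block_push": bool(findings or foreign),
    }


# Constructed sample tree; filenames echo the ones reported in the leak, the
# values are documentation/placeholder strings, not real credentials.
SAMPLE_REPO = {
    "external-secret-repo-creds.yaml": "repo: https://git.example/infra\npassword: hunter2-constructed\n",
    "AWS-Workspace-Firefox-Passwords.csv": "url,username,password\nhttps://console.example,admin,constructed-pw\n",
    "Kubernetes-Important-Yaml-Files/app.yaml": "apiVersion: v1\nkind: Deployment\n",
    "deploy/aws.env": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",
    "ci/token.txt": "ghp_0123456789abcdefghijklmnopqrstuvwxyz\n",
    "keys/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\nconstructed\n-----END OPENSSH PRIVATE KEY-----\n",
    "README.md": "# Infra notes\n",
}
# Constructed author list: two commits from the allowed domain, one from a personal one.
SAMPLE_COMMIT_EMAILS = [
    "dev@agency-contractor.example",
    "dev@personal-mail.example",
    "dev@agency-contractor.example",
]
ALLOWED_DOMAINS = {"agency-contractor.example"}

if __name__ == "__main__":
    report = audit(SAMPLE_REPO, SAMPLE_COMMIT_EMAILS, ALLOWED_DOMAINS)
    for path, rule, line_no in report["findings"]:
        print(f"{path}:{line_no} {rule}")
    print("foreign author domains:", report["foreign_domains"])
    print("block push:", report["block_push"])
```

Wired into a pre-push hook or a CI job, `block_push` is the signal that stops the commit leaving the developer's machine; the filename rule alone would have flagged every file named in the article before any content was read. The domain allowlist catches the mixed-identity pattern at the point where it is cheapest to fix, the first commit, rather than after a personal account has created the remote.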
A Delayed Response
The process of closing the leak highlighted a frustrating gap in communication. After discovering the breach, Valadon initially reported the incident through the CERT/CC portal but received only an automated acknowledgement. It wasn’t until he escalated the issue by alerting security journalist Brian Krebs that CISA’s response accelerated. By 6 p.m. EST on May 15, the repository was finally taken offline.
In a statement to The Register, a CISA spokesperson acknowledged the report and stated that the agency is investigating. “Currently, there is no indication that any sensitive data was compromised as a result of this incident,” the agency claimed.
The Risk Profile
While CISA maintains that no data was compromised, the potential for damage was immense. Valadon argued that the various secrets in the repository, when combined, covered a full spectrum of attack vectors—ranging from immediate ransomware extortion to the more dangerous prospect of long-term, silent persistence within CISA’s build and deployment pipeline.
Whether other actors discovered the repo before GitGuardian remains an open question. While the absence of public forks suggests the data wasn’t widely circulated on the dark web, only GitHub possesses the logs necessary to confirm who accessed the files. For an agency currently grappling with budget cuts and staffing shortages, this incident serves as a stark reminder that the biggest vulnerability in cybersecurity is often the human element.