CISA Left Secret GitHub Repo Public for Six Months, Leaking Passwords and AWS Keys

A ‘Catalogue of Unsafe Practices’
The agency tasked with securing the United States’ critical infrastructure recently did the one thing it warns every organization against: it left a trove of sensitive credentials in a public GitHub repository. For six months, a repository titled “Private-CISA” was accessible to anyone with an internet connection, and it contained plain-text passwords, private keys, and infrastructure tokens.
The exposure was discovered by Guillaume Valadon, a researcher at GitGuardian. According to Valadon, the repository was not a minor slip but a comprehensive map of CISA’s internal environment. The leak included 844 MB of production infrastructure material, with file names that were almost alarmingly explicit, such as external-secret-repo-creds.yaml and AWS-Workspace-Firefox-Passwords.csv.
Valadon, who previously worked at ANSSI (the French equivalent of CISA), described the scale of the exposure as severe. The repository contained tokens for CISA’s internal JFrog Artifactory, Azure registry keys, AWS credentials, Kubernetes manifests, and Entra ID SAML certificates. Taken together, it provided both a roadmap and the keys to the kingdom for anyone looking to infiltrate the agency’s build and deployment pipelines.
The Mechanics of the Leak
The discovery highlights a series of systemic failures in basic security hygiene. Valadon reported that the repository was a “catalogue of unsafe practices”: passwords were stored in plain text and backups were committed directly to Git. Most worrying of all, the repo contained an explicit guide on how to disable GitHub’s own secret scanning, the very control designed to prevent this kind of disaster.
The leak also revealed a lapse in identity management. The committer used a combination of a CISA-issued contractor email and a personal Yahoo email account, while the repository itself was created under a personal GitHub account. This “mixed-identity pattern,” as Valadon describes it, is a frequent blind spot for enterprise security teams, because commits made from personal accounts fall outside the organization’s GitHub visibility and policy enforcement, and it is a primary driver of high-impact leaks.
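The two failure classes described above, plain-text secrets and backup files landing in commits and commits authored under an identity outside the organization, are exactly what a pre-commit hook or CI gate is meant to catch before a push. The following is an added example written for this article; it is not GitGuardian’s tooling, not CISA’s code, and not anything taken from the exposed repository. The secret patterns are a small illustrative subset (the AWS access key ID shape and the PEM private-key header are public formats; the rest are generic heuristics), the allowed domain `agency.example.gov` and every file, key ID, password and email in the sample commit are constructed for the demonstration.

```python
"""
Added example (not from GitGuardian, CISA, or the article): a minimal
pre-commit style check that flags secrets committed in plain text, file
names that look like backups or credential dumps, and commits authored
under an identity outside the organisation's domains.
All sample data below is constructed.
"""
import re

# Secret shapes. The AWS access key ID format (AKIA + 16 uppercase
# alphanumerics) and the PEM private-key header are public formats; the
# password assignment pattern is a generic heuristic and will have false
# positives, which is acceptable for a blocking gate that a human reviews.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "plaintext_password": re.compile(
        r"(?i)\bpassword\s*[:=]\s*['\"]?[^\s'\"]{6,}"),
}

# File-name shapes that signal a backup or a credential dump being committed.
SUSPICIOUS_NAMES = re.compile(
    r"(?i)(\.bak$|backup|creds|credentials|passwords?\.csv$)")


def scan_content(path, text):
    """Return (path, line number, pattern name) for every secret-shaped hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append((path, lineno, name))
    return findings


def check_filename(path):
    """True when the file name itself suggests a backup or credential dump."""
    return bool(SUSPICIOUS_NAMES.search(path))


def check_committer(email, allowed_domains):
    """True when the committer address belongs to an allowed domain."""
    domain = email.rsplit("@", 1)[-1].lower()
    return domain in {d.lower() for d in allowed_domains}


def review_commit(files, committer_email, allowed_domains):
    """Return the reasons to block the commit; an empty list means allow."""
    reasons = []
    if not check_committer(committer_email, allowed_domains):
        reasons.append(
            f"committer {committer_email} is outside the allowed domains")
    for path, text in files.items():
        if check_filename(path):
            reasons.append(f"{path}: file name suggests a backup or credential dump")
        for p, lineno, kind in scan_content(path, text):
            reasons.append(f"{p}:{lineno}: possible {kind}")
    return reasons


# Constructed sample commit: a clean manifest, a database backup, an env file
# with a key ID and password, and a private key. The key ID is the one AWS
# uses in its own documentation examples; nothing here is a real credential.
SAMPLE_FILES = {
    "deploy/values.yaml": "image: registry.example/app:1.2\nreplicas: 3\n",
    "ops/db-backup.sql.bak": "-- dump\n",
    "config/app.env": (
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "PASSWORD=hunter2hunter2\n"),
    "keys/server.pem": (
        "-----BEGIN RSA PRIVATE KEY-----\nMIIB...\n"
        "-----END RSA PRIVATE KEY-----\n"),
}

if __name__ == "__main__":
    # A personal address pushing the sample commit: every check fires.
    for reason in review_commit(SAMPLE_FILES, "dev@example.com",
                                ["agency.example.gov"]):
        print("BLOCK:", reason)
```

In practice the file map would be built from the staged diff (for example `git diff --cached --name-only` and the staged blobs) and the committer address from the commit metadata. Note that a gate like this only stops the next commit; secrets already in history must be rotated, not merely removed from the tree.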
The Response and Aftermath
The timeline of the cleanup suggests that official channels were slow to react. Valadon initially reported the leak through the CERT/CC portal on May 14 and received only an automated acknowledgement. It was not until he alerted security journalist Brian Krebs that the agency’s response accelerated; by 6 p.m. EST the following day, the repository was taken offline.
A spokesperson for CISA confirmed the agency was aware of the report and is investigating the incident, asserting that there is currently “no indication that any sensitive data was compromised.” While GitGuardian has not seen evidence of these credentials being used in active attacks, the potential for long-term persistence within the network remains a primary concern: taking the repository offline does not invalidate the credentials it held, anyone who cloned or archived it during the six months it was public still has them, and they remain usable until every exposed key, token and certificate is rotated.
The incident comes at a precarious time for CISA. The agency has been grappling with significant budget cuts and staff reductions, and it has operated without a permanent director since the start of the Trump administration. For an organization that serves as the gold standard for cybersecurity guidance, this lapse serves as a stark reminder that even the most sophisticated defenders can fall victim to simple configuration errors.