CISA Under Fire After Contractor Leaks Agency Secrets on Public GitHub Repository

Saran K | May 23, 2026 | 4 min read

    A security lapse at the heart of U.S. cyber defense

    The Cybersecurity & Infrastructure Security Agency (CISA), the very body tasked with shielding the nation’s critical infrastructure from digital threats, is currently facing a bruising congressional inquiry. Lawmakers from both houses are demanding a full accounting of how a CISA contractor managed to publish a vast trove of agency secrets—including AWS GovCloud keys—on a public GitHub profile.

    The exposure first came to light via reporting from KrebsOnSecurity, which revealed that a contractor with administrative access to the agency’s code development platform created a public repository under the name “Private-CISA.” Far from being a curated project, the repository appeared to function as a digital scratchpad, containing plaintext credentials for dozens of internal systems.

    Adding to the severity of the lapse, technical analysis of the commit logs suggests the contractor didn’t just make a mistake; they actively disabled GitHub’s built-in protections designed to prevent the accidental publication of sensitive credentials in public repositories.

    Congressional pushback and institutional instability

    The reaction from Capitol Hill has been swift and critical. In a letter addressed to Acting Director Nick Andersen, Senator Maggie Hassan (D-NH) questioned how such a fundamental security failure could occur within an agency dedicated to preventing exactly these types of breaches.

    “This reporting raises serious concerns regarding CISA’s internal policies and procedures at a time of significant cybersecurity threats against U.S. critical infrastructure,” Hassan wrote, submitting a list of a dozen targeted questions regarding the agency’s response and internal protocols.

    The inquiry is not happening in a vacuum. Sen. Hassan noted that the leak coincides with a period of significant internal turmoil at CISA. The agency has seen a dramatic exodus of talent, losing more than a third of its workforce and nearly all of its senior leadership following a series of forced early retirements and buyouts during the previous administration. This “brain drain” has led critics to wonder if the agency’s operational capacity has been compromised.

    Representative Bennie Thompson (D-MS), ranking member of the House Homeland Security Committee, echoed these concerns in a co-signed letter with Rep. Delia Ramirez (D-Ill). Thompson suggested the incident is symptomatic of a “diminished security culture” and an inability to manage contract support effectively, noting that adversaries from China, Russia, and Iran actively hunt for this exact type of “roadmap” to federal networks.

    The struggle to contain the fallout

    While CISA has maintained in a written statement that there is “no indication that any sensitive data was compromised,” third-party security researchers paint a more precarious picture. According to reports, the agency struggled for over a week to invalidate the leaked keys even after being notified by the security firm GitGuardian.

    Dylan Ayrey, creator of the open-source discovery tool TruffleHog, informed KrebsOnSecurity that as recently as May 20, an RSA private key remained active. This specific key granted access to a GitHub app owned by the CISA enterprise account, providing a potential gateway to every repository in the CISA-IT organization.

    The implications of such access are severe. Ayrey explained that an attacker possessing this key could read source code from private repositories, hijack CI/CD (Continuous Integration/Continuous Delivery) pipelines, and modify administrative settings, such as branch protection rules and webhooks.

    Though CISA eventually invalidated the RSA key following further notifications, Ayrey noted that other leaked credentials tied to critical security technologies across the agency’s portfolio have yet to be rotated. Because cybercriminals monitor the GitHub “firehose” in real time, there is a high probability that foreign intelligence services or criminal groups captured this data the moment it was pushed live in late April 2025.
