Lawmakers on Capitol Hill are demanding answers from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) after a contractor allegedly published AWS GovCloud keys and a trove of internal credentials to a public GitHub repository, forcing the agency into an ongoing scramble to contain the fallout. The exposure, first detailed by KrebsOnSecurity, has raised uncomfortable questions about how the federal government’s lead cyber defense agency manages its own sensitive access keys and contractor oversight.
According to the KrebsOnSecurity report, a CISA contractor with administrative access to the agency’s software development environment created a public GitHub profile dubbed “Private-CISA” and populated it with plaintext credentials for dozens of internal systems, including AWS GovCloud resources. Experts who reviewed the now-defunct repository told the outlet that commit logs suggested the contractor had explicitly disabled GitHub’s built‑in protections designed to block secret keys from being pushed to public repos. GitHub’s secret scanning feature can automatically detect many such exposures, but only if it is enabled and not overridden.
CISA has acknowledged the incident and said in a written statement that “there is no indication that any sensitive data was compromised as a result of the incident,” but it has not publicly clarified how long the credentials were exposed or how many systems they touched. In a May 19 letter to acting CISA Director Nick Andersen, Sen. Maggie Hassan (D‑N.H.) pressed the agency for detailed timelines and remediation steps, warning that the leak “raises serious concerns regarding CISA’s internal policies and procedures at a time of significant cybersecurity threats against U.S. critical infrastructure.” A separate letter from Rep. Bennie Thompson (D‑Miss.), the ranking member on the House Homeland Security Committee, co‑signed by Rep. Delia Ramirez (D‑Ill.), argued the episode may reflect “a diminished security culture and/or an inability for CISA to adequately manage its contract support,” noting that adversaries such as China, Russia and Iran routinely seek footholds on federal networks.
The GitHub exposure was initially flagged to CISA by secrets‑detection company GitGuardian, whose platform, according to its documentation, scans public code repositories for hard‑coded keys and other sensitive data and alerts owners to potential leaks. Yet more than a week after those alerts, many of the exposed keys reportedly remained valid. Dylan Ayrey, creator of the open‑source TruffleHog tool and CEO of Truffle Security, told KrebsOnSecurity that his team found an RSA private key in the “Private‑CISA” repo that granted access to a GitHub App owned by CISA’s enterprise account and installed on the “CISA‑IT” GitHub organization with full access to all of its repositories. With that key, he warned, an attacker could read source code from every private repo in the organization, register rogue self‑hosted runners to hijack CI/CD pipelines, extract additional repository secrets and alter critical administrative settings.
Ayrey said Truffle Security and other defenders continuously monitor GitHub’s live event stream for exposed secrets, but so do criminal and nation‑state actors. Once a commit hits the public feed, keys can be discovered and abused within minutes, even if the repository is later deleted. While there is no public evidence that the leaked CISA credentials have been exploited, Ayrey cautioned that the sensitivity and prominence of the agency make it likely that sophisticated threat actors would have noticed the exposure, particularly given the presence of high‑value GovCloud access keys. The apparent lag in revoking and rotating all affected credentials only heightens the risk that some of those secrets could have been quietly harvested.
Security practitioners say the episode underscores both the value and the limits of technical controls. James Wilson, enterprise technology editor for the “Risky Business” security podcast, noted that organizations can enforce top‑down GitHub policies that prevent users from disabling secret‑scanning protections and restrict where corporate code may be hosted. But his co‑host Adam Boileau argued that no set of controls can fully prevent an individual from opening a personal GitHub account and misusing it as a synchronization scratchpad for sensitive work data, calling the CISA situation “a human problem” of contractor behavior occurring outside official tooling. Their comments highlight a broader tension: at the same time CISA is urging vendors to embrace “secure by design” principles in their own development environments, the agency is now being pressed to show it can apply the same rigor internally.
The scrutiny comes amid wider concerns about CISA’s internal security practices, including a separate incident in which acting CISA Director Madhu Gottumukkala uploaded sensitive contracting documents into a public version of ChatGPT, prompting a Department of Homeland Security review, according to Tyfone and Politico. For federal agencies and private‑sector defenders alike, the GitHub leak serves as a pointed reminder that securing CI/CD pipelines and cloud control planes requires not only robust technical guardrails—such as enforced secret scanning, least‑privilege access for contractors and aggressive key rotation—but also a security culture that treats hard‑coded credentials and “scratchpad” repos as existential risks rather than mere process violations.
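To make the control at issue concrete, here is an added example (not code from the article, GitHub, GitGuardian or Truffle Security) of a pre-push check in the spirit of the push protection the contractor reportedly disabled: it scans only the added lines of a diff for the two secret types named above, AWS access keys and PEM private keys, redacts what it finds, and blocks the push on any hit. The sample diff, key values and patterns are constructed for this example and are not from the leaked repository.

```python
"""Pre-push secret check modelled on GitHub push protection (added example)."""
import re
import sys

# Detection rules, keyed by name. Patterns are constructed for this example and
# cover the two secret types the article names: AWS access keys and PEM keys.
RULES = {
    # AWS access key IDs: 'AKIA' (long-term) or 'ASIA' (temporary) + 16 chars.
    "aws_access_key_id": re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])"),
    # 40-char secret, only when paired with its variable name to limit false positives.
    "aws_secret_access_key": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*[\"']?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"),
    # Any PEM private-key block header (RSA, EC, OPENSSH, PKCS#8 "PRIVATE KEY").
    "private_key_pem": re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"),
}

# Constructed sample diff, in the shape `git diff origin/main...HEAD` prints.
SAMPLE_DIFF = """\
diff --git a/deploy/env.sh b/deploy/env.sh
--- a/deploy/env.sh
+++ b/deploy/env.sh
@@ -1,2 +1,5 @@
 export AWS_DEFAULT_REGION=us-gov-west-1
+export AWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE01
+export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
+echo "-----BEGIN RSA PRIVATE KEY-----" > app.pem
+# note: the AKIA prefix alone is not a key
"""

def redact(secret: str) -> str:
    """Show only enough of a match to locate it; never log the full value."""
    return secret[:4] + "..." + secret[-2:] if len(secret) > 8 else "***"

def scan_diff(diff_text: str) -> list[dict]:
    """Return findings for secrets on *added* lines of a unified diff."""
    findings = []
    for lineno, line in enumerate(diff_text.splitlines(), start=1):
        if not line.startswith("+") or line.startswith("+++"):
            continue  # only newly added content can leak; skip headers and context
        for rule, pattern in RULES.items():
            for m in pattern.finditer(line):
                secret = m.group(1) if m.groups() else m.group(0)
                findings.append({"line": lineno, "rule": rule, "redacted": redact(secret)})
    return findings

def should_block(findings: list[dict]) -> bool:
    """Push-protection semantics: a single finding is enough to refuse the push."""
    return bool(findings)

if __name__ == "__main__":
    text = SAMPLE_DIFF if sys.stdin.isatty() else sys.stdin.read()
    hits = scan_diff(text)
    for f in hits:
        print(f"BLOCKED line {f['line']}: {f['rule']} ({f['redacted']})")
    sys.exit(1 if should_block(hits) else 0)
```

Wired into a `pre-push` hook as `git diff origin/main...HEAD | python3 check.py`, a non-zero exit stops the push before the commit ever reaches GitHub's public event stream.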
