The Cybersecurity and Infrastructure Security Agency says a contractor left internal agency credentials in a public GitHub repository for nearly six months, exposing AWS GovCloud keys and plaintext passwords before outside researchers and a reporter forced the issue into the right inbox.
The incident matters because CISA is the U.S. government’s lead civilian cyber agency, and the failure mode was painfully ordinary: secrets committed to code, weak discovery, unclear reporting paths, and a rotation process that took longer than it should have.
According to CISA’s postmortem, published by acting chief information officer Preston Werntz and acting chief information security officer Brad Libbey, the agency received notice in May 2026 about a public GitHub repository named “Private CISA.” Security firm GitGuardian had identified the repository and sought help notifying the agency.
KrebsOnSecurity reported that the repository contained 844 MB of sensitive CISA-related material. One file, named “importantAWStokens,” held administrative credentials for three Amazon AWS GovCloud servers. Another, “AWS-Workspace-Firefox-Passwords.csv,” contained plaintext usernames and passwords for dozens of internal CISA systems.
CISA acknowledged the warning quickly, according to KrebsOnSecurity, but took more than 48 hours to revoke the AWS keys and other exposed secrets. In its own report, CISA said the rotation work was slowed by the complexity of its systems and their connections to federal and industry partners.
The agency said the episode showed why organizations need mature, tested key management, rather than a spreadsheet-and-prayers approach to emergency credential replacement.
Reporting paths failed before the keys were rotated
CISA also admitted that its process for receiving outside security reports was not clear enough. Werntz and Libbey wrote that the researcher tried several routes, including contacting the contractor, using CISA’s vulnerability disclosure platform, and eventually involving a reporter. The agency said that platform is intended for vulnerabilities affecting the broader cybersecurity community, not necessarily reports about CISA’s own infrastructure.
CISA said it is improving those channels so researchers can report problems faster. The agency also said organizations should publish reporting instructions in multiple visible places, because many researchers look for a security.txt file but may need a more direct route for incidents involving the organization itself.
GitGuardian researcher Guillaume Valadon, who first contacted KrebsOnSecurity about the credentials, wrote that CISA had ignored nine automated alerts before the May 15 notification. GitGuardian scans public repositories, including GitHub, for exposed secrets and sends alerts to affected accounts.
Valadon argued that unanswered notifications can turn a brief mistake into a months-long exposure. He also said reports about an organization’s own infrastructure should not be dumped into a product bug queue.
CISA says logs showed no customer or mission data exposure
CISA said it has now rotated all exposed secrets and created an action plan to improve how developer secrets are managed and monitored. The agency’s postmortem also said its incident response playbook did not cover GitHub or similar cloud services, despite covering cybersecurity incidents more generally.
Valadon said the case supports continuous scanning of public repositories, rather than periodic checks. He wrote that ongoing monitoring found the public repository, while better internal scanning might have caught plaintext passwords and backups before they were published.
CISA said several existing controls helped it assess damage, including detailed logging and zero-trust practices in production and development environments. The agency said those logs showed no customer or mission data was exposed and that the leaked credentials were not used outside CISA environments. CISA also said it revoked the contractor’s system access.
Valadon praised the agency for publishing the postmortem and for publicly endorsing secrets scanning and simpler researcher reporting paths. That transparency does not make the leak less embarrassing, but it does give other security teams a concrete checklist: scan continuously, route reports correctly, and practice rotating keys before the fire starts.
This story draws on original reporting from Krebs on Security.