Mon 06 Jul 2026 / 15:56 ET
Kernel
Security 3 min read

Congress presses CISA over GitHub leak as key rotation drags on

Sen. Maggie Hassan and House Democrats want answers after credentials for CISA systems were exposed through a contractor’s public GitHub account.

Mara Chen-Doyle

By Mara Chen-Doyle / Staff Writer

Members of Congress are pressing the Cybersecurity and Infrastructure Security Agency for answers after a contractor with administrative access to CISA’s code development environment allegedly exposed agency credentials in a public GitHub account.

The scrutiny follows reporting by KrebsOnSecurity that a contractor created a public GitHub profile named Private-CISA containing plaintext secrets for dozens of internal CISA systems, including AWS GovCloud-related credentials. Security experts who examined the repository told KrebsOnSecurity that its commit history showed GitHub’s built-in secret-scanning protection had been turned off for the public repo.

CISA has acknowledged the incident. In a written statement, the agency said it had “no indication that any sensitive data was compromised as a result of the incident.” The agency has not said how long the data was exposed, according to KrebsOnSecurity. Experts who reviewed the now-removed archive said it appeared to have been created in November 2025 and looked less like a formal project than a personal scratchpad or sync location.

Lawmakers want the incident explained

Sen. Maggie Hassan, Democrat of New Hampshire, sent a May 19 letter to acting CISA Director Nick Andersen asking how the lapse happened at the agency responsible for helping federal and critical-infrastructure operators avoid exactly this kind of failure.

Hassan wrote that the reporting raised “serious concerns” about CISA’s internal controls during a period of major cyber threats against U.S. critical infrastructure. She also pointed to turmoil inside the agency after Cybersecurity Dive reported CISA had lost more than a third of its workforce and nearly all senior leaders following early retirements, buyouts and resignations under the Trump administration.

House Democrats sent their own letter the same day. Rep. Bennie Thompson of Mississippi, the ranking Democrat on the House Homeland Security Committee, and Rep. Delia Ramirez of Illinois, the ranking Democrat on its cybersecurity subcommittee, wrote that the incident may show a weakened security culture or a failure to supervise contractor support.

Thompson and Ramirez said the Private-CISA files offered “information, access, and roadmap” that foreign adversaries including China, Russia and Iran seek for federal networks.

Some credentials reportedly stayed live

KrebsOnSecurity reported that CISA was still invalidating and replacing exposed secrets more than a week after security firm GitGuardian first notified the agency.

Dylan Ayrey, creator of the open-source secret-scanning tool TruffleHog, told KrebsOnSecurity on May 20 that an RSA private key exposed in the repository still worked at that point. Ayrey said the key granted access to a GitHub app owned by CISA’s enterprise account and installed on the CISA-IT GitHub organization with full access to its code repositories.

According to Ayrey, a person holding that key could read private source code in the CISA-IT organization, register rogue self-hosted runners to interfere with continuous integration and delivery pipelines, reach repository secrets, and alter administrative settings such as branch protection rules, webhooks and deploy keys.

KrebsOnSecurity said it notified CISA of Ayrey’s findings on May 20. Ayrey later said the RSA key appeared to have been revoked after that notification, but that other leaked credentials tied to security technologies used across CISA still had not been rotated. KrebsOnSecurity said it was withholding the names of those technologies.

CISA said in a written response that it is “actively responding and coordinating with the appropriate parties and vendors” to rotate and invalidate any exposed credentials and protect its systems.

Ayrey said Truffle Security monitors GitHub and other code platforms for exposed secrets by watching public event feeds. That same public stream is useful to attackers. Once a key lands in a public commit, defenders are racing people who do not need a warrant, a meeting, or a ticketing queue.

This story draws on original reporting from Krebs on Security.

More Security/

view all ↗