Lawmakers in both houses of Congress are demanding answers from the U.S. Cybersecurity & Infrastructure Security Agency (CISA) after KrebsOnSecurity reported this week that a CISA contractor intentionally published AWS GovCloud keys and a vast trove of other agency secrets on a public GitHub account. The inquiry comes as CISA is still struggling to contain the breach and invalidate the leaked credentials.

On May 18, KrebsOnSecurity reported that a CISA contractor with administrative access to the agency’s code development platform had created a public GitHub profile called “Private-CISA” that included plaintext credentials to dozens of internal CISA systems. Experts who reviewed the exposed secrets said the commit logs for the code repository showed the CISA contractor disabled GitHub’s built-in protection against publishing sensitive credentials in public repos.
CISA acknowledged the leak but has not responded to questions about the duration of the data exposure. However, experts who reviewed the now-defunct Private-CISA archive said it was originally created in November 2025, and that it exhibits a pattern consistent with an individual operator using the repository as a working scratchpad or synchronization mechanism rather than a curated project repository.
In a written statement, CISA said “there is no indication that any sensitive data was compromised as a result of the incident.” But in a May 19 letter (PDF) to CISA’s Acting Director Nick Andersen, Sen. Maggie Hassan (D-NH) said the credential leak raises serious questions about how such a security lapse could occur at the very agency charged with helping to prevent cyber breaches.
“This reporting raises serious concerns regarding CISA’s internal policies and procedures at a time of significant cybersecurity threats against U.S. critical infrastructure,” Sen. Hassan wrote.

A May 19 letter from Sen. Margaret Hassan (D-NH) to the acting director of CISA demanded answers to a dozen questions about the breach.
Sen. Hassan noted that the incident occurred against the backdrop of major disruptions internally at CISA, which lost more than a third of its workforce and almost all of its senior leaders after the Trump administration forced a series of early retirements, buyouts, and resignations across the agency’s various divisions.
Rep. Bennie Thompson (D-MS), the ranking member on the House Homeland Security Committee, echoed the senator’s concerns.
“We are concerned that this incident reflects a diminished security culture and/or an inability for CISA to adequately manage its contract support,” Thompson wrote in a May 19 letter to the acting CISA chief that was co-signed by Rep. Delia Ramirez (D-Ill), the ranking member of the panel’s Subcommittee on Cybersecurity and Infrastructure Protection. “It’s no secret that our adversaries — like China, Russia, and Iran — seek to gain access to and persistence on federal networks. The files contained in the ‘Private-CISA’ repository provided the information, access, and roadmap to do just that.”
KrebsOnSecurity has learned that more than a week after CISA was first notified of the data leak by the security firm GitGuardian, the agency is still working to invalidate and replace many of the exposed keys and secrets.
On May 20, KrebsOnSecurity heard from Dylan Ayrey, the creator of TruffleHog, an open-source tool for discovering private keys and other secrets buried in code hosted at GitHub and other public platforms. Ayrey said CISA still hadn’t invalidated an RSA private key exposed in the Private-CISA repo that granted access to a GitHub app which is owned by the CISA enterprise account and installed on the CISA-IT GitHub organization with full access to all code repositories.
“An attacker with this key can read source code from every repository in the CISA-IT organization, including private repos, register rogue self-hosted runners to hijack CI/CD pipelines and access repository secrets, and modify repository admin settings including branch protection rules, webhooks, and deploy keys,” Ayrey told KrebsOnSecurity. CI/CD stands for Continuous Integration and Continuous Delivery, and it refers to a set of practices used to automate the building, testing and deployment of software.
KrebsOnSecurity notified CISA about Ayrey’s findings on May 20. Ayrey said CISA appears to have invalidated the exposed RSA private key sometime after that notification. But he noted that CISA still hasn’t rotated leaked credentials tied to other critical security technologies that are deployed across the agency’s technology portfolio (KrebsOnSecurity is not naming those technologies publicly for the time being).
Asked about Ayrey’s findings, CISA responded with a brief written statement, saying “CISA is actively responding and coordinating with the appropriate parties and vendors to ensure any identified leaked credentials are rotated and rendered invalid and will continue to take appropriate steps to protect the security of our systems.”
Ayrey said his company Truffle Security monitors GitHub and a number of other code platforms for exposed keys, and attempts to alert affected accounts to the sensitive data exposure(s). They can do this easily on GitHub because the platform publishes a live feed which includes a record of all commits and changes to public code repositories. But he said cybercriminal actors also monitor these public feeds, and are often quick to pounce on API or SSH keys that get inadvertently published in code commits.
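The kind of scanning Ayrey describes, and the push-time check the contractor disabled, both come down to examining the added lines of a commit for strings that look like credentials. The following is an added illustration and is not TruffleHog’s, GitGuardian’s or GitHub’s code: it scans a constructed unified diff for a handful of publicly documented secret formats (AWS access key IDs, PEM private-key headers, classic GitHub token prefixes) plus a generic high-entropy catch-all, and reports redacted findings. The entropy threshold and the sample diff are assumptions made for the example; the AWS key values are the placeholder ones from AWS’s own documentation.

```python
"""Scan the added lines of a commit diff for exposed secrets.

Added example; not the code of any tool named in the article.
"""
import math
import re
from dataclasses import dataclass
from typing import List

# Publicly documented secret formats. This is a small subset of what a real
# scanner checks; the real tools carry hundreds of provider-specific detectors.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |)PRIVATE KEY-----"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
}

# Generic catch-all: an assignment to a secret-looking name whose value is a
# long string. Entropy is checked afterwards to cut down on false positives.
GENERIC_ASSIGNMENT = re.compile(
    r"""(?i)\w*(?:secret|token|password|api[_-]?key)\w*\s*[=:]\s*["']?([A-Za-z0-9+/=_\-]{20,})["']?"""
)
ENTROPY_THRESHOLD = 3.5  # bits per character; assumed value for this example


@dataclass
class Finding:
    kind: str
    line_no: int   # line number within the diff text
    redacted: str  # the full secret is never stored or logged


def shannon_entropy(s: str) -> float:
    """Bits per character: random base64 scores near 5, English text near 3."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def redact(value: str) -> str:
    """Keep just enough of the value to let the owner recognise it."""
    return value[:4] + "..." + value[-4:] if len(value) > 8 else "****"


def scan_diff(diff: str) -> List[Finding]:
    """Check only added lines ('+' but not the '+++' file header).

    That is what a push-time check sees, and what a monitor of the public
    events feed sees once the commit is published.
    """
    findings: List[Finding] = []
    for no, line in enumerate(diff.splitlines(), start=1):
        if not line.startswith("+") or line.startswith("+++"):
            continue
        body = line[1:]
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(body):
                findings.append(Finding(kind, no, redact(m.group(0))))
        for m in GENERIC_ASSIGNMENT.finditer(body):
            value = m.group(1)
            if shannon_entropy(value) >= ENTROPY_THRESHOLD:
                findings.append(Finding("high_entropy_assignment", no, redact(value)))
    return findings


# Constructed sample diff. The AWS values are the documented AWS placeholders;
# the removed github_token line shows that deletions are not reported.
SAMPLE_DIFF = """\
diff --git a/config/settings.env b/config/settings.env
--- a/config/settings.env
+++ b/config/settings.env
@@ -1,4 +1,6 @@
 REGION=us-gov-west-1
-github_token = "ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
+aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"
+aws_secret_access_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+password = "changeme"
+-----BEGIN RSA PRIVATE KEY-----
"""


def scan_sample() -> List[Finding]:
    return scan_diff(SAMPLE_DIFF)


if __name__ == "__main__":
    for f in scan_sample():
        print(f"line {f.line_no}: {f.kind} ({f.redacted})")
```

Two design points carry over to real deployments: only redacted fragments leave the scanner, so the alert itself does not become a second leak, and the entropy gate on the generic rule is what keeps `password = "changeme"` out of the results while still catching a 40-character secret access key that no fixed prefix would identify.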

The Private-CISA GitHub repo exposed dozens of plaintext credentials to important CISA GovCloud resources.
In practical terms, it is likely that cybercrime groups or foreign adversaries also noticed the publication of these CISA secrets, the most egregious of which appears to have happened in late April 2026, Ayrey said.
“We monitor that firehose of data for keys, and we have tools to try to figure out whose they are,” he said. “We have evidence attackers monitor that firehose as well. Anyone monitoring GitHub events could be sitting on this information.”
James Wilson, the enterprise technology editor for the Risky Business security podcast, said organizations using GitHub to manage code projects can set top-down policies that prevent employees from disabling GitHub’s protections against publishing secret keys and credentials. But Wilson’s co-host Adam Boileau said it’s not clear that any technology could stop employees from opening their own personal GitHub account and using it to store sensitive and proprietary information.
“Ultimately, this is a thing you can’t solve with a technical control,” Boileau said on this week’s podcast. “This is a human problem where you’ve hired a contractor to do this work and they have decided of their own volition to use GitHub to synchronize content from a work machine to a home machine. I don’t know what technical controls you could put in place given that this is being done presumably outside of anything CISA managed or even had visibility on.”
Update, 3:05 p.m. ET: Added statement from CISA. Corrected a date in the story (Truffle Security said it found the repo gained some of its most sensitive secrets in late April 2026, not 2025).

GitHub Enterprise Supports HTTP Header Injection of your GHE Org ID at a corporate (or government) proxy to enforce/prevent personal or non-managed Enterprise GitHub Users from being able to exfiltrate or commit any code/files/documents from the corporate environment. This is part of the GHE hardening guide on blocking personal accounts (restricting-access-to-githubcom-using-a-corporate-proxy)
Does this indicate CISA has not hardened their GHE org or does this indicate that Contractors for CISA aren’t restricted by such simple things like Private Access Clients or Proxies?
Who put the keystone cops in charge. JFC
You vote for a clown.
You get what you fkn deserve.
That is true. Just like the last guy.
Except this wasn’t the last guy.
Did the last guy terminate CISA senior management and reduce staff by a third or was it your guy and Musk?
Very true. Just like that last guy.
This is plain (rhymes with “he carded”).
Has anyone tried to determine if anyone actually accessed or used any of the credentials or keys or modified any code, configs or libraries? Or determine if CISA’s contractor is even capable of doing the assessment?
If the guy from Truffle Security saw them, it’s smart to assume the Russians, Chinese, Iranians, etc. saw them too.
The two primary points here are 1) Security lapses can happen to anyone 2) Humans are always the weakest link. That’s all. Learn from it. Move on.
You forgot 3) don’t purge reliable employees and hire unqualified contractors to do national security work.
Also they are a government agency so probably constrained in budget like everyone to solve problems they know need solving. This is where public private partnership could be shining with Fortune 500. Why do development if you will never afford the tools and procedures of multi-billion dollar enterprises.
Be sure to pop back when the next corporate breach happens to one of those Fortune 500 companies, OK?
I thought a snippet of this was posted on x-twitter but now I can’t find it and I can’t find the Krebs on Security account….
This is disturbing in more than one way. Surely we are disturbed by all those PII records being disclosed. But, I believe that the more insidious long range problem is the hollowing out of the federal civil workforce. Those are the people that checked compliance with a gazillion federal cyber security requirements. Problem is that they were all fired or quit spring last year.
So what now? Who is to protect us? Pete Hegseth? Give me a break. All that hyper testosterone addled nonsense he spews about war fighting.
This is war and o’l Pete cain’t do anything about it.
The incompetence of this administration is just amazing. I mean what else do you expect when you purge the system of the seasoned professionals and replace it with money-grabbing yes-men?
Although, I disagree with the statement that the U.S. adversaries may benefit from this leak. They don’t need to. They have a much easier avenue to get a much juicier hunk of information from the commander in chief himself and from most of his staff directly. Look at the current actions of this administration. Don’t they act as ruzzian agents? They don’t even hide it. So why sieve through the trove of the leaked data when you can buy into his crypto coin and he’ll give you access himself?
“a CISA contractor with administrative access to the agency’s code development platform had created a public GitHub profile called “Private-CISA” that included plaintext credentials to dozens of internal CISA systems…the commit logs for the code repository showed the CISA contractor disabled GitHub’s built-in protection against publishing sensitive credentials in public repos.”
How can this be seen as anything other than intentional? And I find your partisan slant amusing. I am no fan of whatever two-faced criminals occupy “our” government, so I am non-partisan when I ask who was President when Snowden did his thing?
Snowden did it. Of course! We’ve all been paying attention to a powerless president instead, fools we are.
I’ve always been a fan of Krebs & this is what happens when you remove Krebs from CISA & govt security! Chris Krebs is a God among men!
“created a public GitHub profile called “Private-CISA” ” This statement alone is enough to show it was intentional
No one in this business is that incompetent. Person who created this should be prosecuted to the fullest extent of the law.
TDS is real, and there are people out there who would cripple America if it meant making Trump look bad.
I do not care your politics, if Trump fails, America fails.
No, Trump failed and has no concept nor concern about security. Those are separate concepts.
Being dumb is a choice more than not.
It’s actually quite astounding to see magats like you excuse pedophilia or fascism by just exclaiming “but whatabout democrats?”.
Learn some god damn critical thinking. You voted for a:
PEDOPHILE
FASCIST
RAPIST
CRIMINAL
He is literally enriching himself and his family with your tax dollars in plain sight while tearing down the White House and rebuilding it in his literal image. Hell, the Christians offered up a literal golden statue in direct violation of their “holy text”.
You dumbasses are beyond reconciling with.
This is a very interesting and detailed report on the CISA data leak. Thank you for the much-needed transparency and investigative journalism.