A Contractor Exposes the Nation's Cyber Defense Agency
A contractor working for the Cybersecurity and Infrastructure Security Agency intentionally published AWS GovCloud keys and a vast trove of internal agency secrets on a public GitHub repository named Private-CISA. The repository, originally created in November 2025, contained plaintext credentials for dozens of internal CISA systems, including administrative keys for multiple AWS GovCloud accounts.
The breach is among the most significant government data exposures in recent memory, not only because of the credentials themselves but because the repository also documented how CISA builds, tests, and deploys software internally. An attacker with this information would have a detailed roadmap for compromising the agency responsible for defending the nation's critical infrastructure.
What Was Exposed
The repository contained files whose names alone made the scope of the exposure plain. AWS-Workspace-Firefox-Passwords.csv held browser-saved passwords. Important AWS Tokens.txt held credentials that security experts said could authenticate to three AWS GovCloud accounts at high privilege. Kube-config.txt exposed a Kubernetes cluster configuration, the file that carries cluster endpoints and the client credentials used to reach them. The repository also contained an internal Artifactory, a software package repository; an attacker with write access to such a repository can publish backdoored packages that downstream builds across CISA systems would pull in as trusted dependencies.
Perhaps most concerning, the commit logs showed that the contractor had disabled GitHub's built-in secret detection (secret scanning push protection), the feature that rejects a push when it recognizes a credential format such as an AWS access key or a private key block. That control is a repository setting the owner can toggle, and it only catches patterns it knows, so it is a safety net rather than a guarantee. Turning it off and pushing anyway was not an accident. This was intentional.
The Congressional Response
Senator Maggie Hassan of New Hampshire sent a letter to CISA's Acting Director Nick Andersen on May 19 demanding answers to a dozen questions about the incident. Her letter noted that the leak occurred against the backdrop of major internal disruptions at CISA, which had lost more than a third of its workforce and almost all of its senior leaders after the Trump administration forced early retirements, buyouts, and resignations.
Representatives Bennie Thompson of Mississippi and Delia Ramirez of Illinois sent a joint letter the same day. "We are concerned that this incident reflects a diminished security culture and/or an inability for CISA to adequately manage its contract support," they wrote. "It is no secret that our adversaries like China, Russia, and Iran seek to gain access to and persistence on federal networks. The files contained in the Private-CISA repository provided the information, access, and roadmap to do just that."
Technical Failures Compound the Risk
The incident continued to unfold after the initial disclosure. Dylan Ayrey, the creator of the TruffleHog secret detection tool, reported on May 20 that CISA had still not invalidated an RSA private key granting full access to a GitHub App owned by the CISA enterprise account. That private key is what a GitHub App uses to sign the JSON Web Token it presents to mint installation access tokens, so whoever holds the key holds every permission the app was granted wherever it is installed, with no other credential required. As Ayrey explained, "An attacker with this key can read source code from every repository in the CISA-IT organization, including private repos, register rogue self-hosted runners to hijack CI/CD pipelines and access repository secrets, and modify repository admin settings including branch protection rules, webhooks, and deploy keys."
KrebsOnSecurity notified CISA of Ayrey's findings, and the agency appears to have invalidated that key after notification. However, at the time of reporting CISA still had not rotated leaked credentials tied to other critical security technologies deployed across the agency. CISA's public statement said "there is no indication that any sensitive data was compromised as a result of the incident," a claim that security experts met with skepticism given that GitHub publishes a live feed of all changes to public repositories (the public events API) that malicious actors monitor continuously. A secret that reaches a public repository, even briefly, should therefore be treated as compromised and rotated; deleting the file or the repository does not recall copies that were already fetched.
A Human Problem Technology Cannot Solve Alone
Security commentator Adam Boileau of the Risky Business podcast offered a sobering assessment. "Ultimately, this is a thing you cannot solve with a technical control," he said. "This is a human problem where you have hired a contractor to do this work and they have decided of their own volition to use GitHub to synchronize content from a work machine to a home machine." Organizations can enforce policies that prevent members from disabling GitHub's secret protection features, but those policies reach only repositories the organization owns; a contractor's personal account sits outside the agency's visibility and its settings. Controls that live on the managed workstation itself, such as scanning for secrets before a commit or push leaves the machine and restricting outbound pushes to unapproved GitHub accounts, narrow the window but cannot stop someone determined to move files by another route.
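As an added example (not code from this page, from KrebsOnSecurity, from GitHub or from TruffleHog), the following Python scanner shows what a secret-detection pass over the kinds of files listed under "What Was Exposed" actually does, and what running it locally, before a push ever reaches GitHub, buys you when the receiving side's push protection has been switched off. It combines format-specific detectors (AWS key IDs and secret keys, GitHub tokens, private key blocks, kubeconfig bearer tokens) with a Shannon-entropy fallback for unpatterned vendor keys. The sample text is constructed and contains no real credentials; the regexes and the entropy threshold are assumptions to tune, not GitHub's or TruffleHog's actual rules.

```python
"""Line-oriented secret scanner in the spirit of GitHub push protection and
TruffleHog: known credential formats by regex, plus a Shannon-entropy fallback
for unpatterned tokens such as vendor API keys.  Added illustration; the
sample text below is constructed and contains no real credentials."""
from __future__ import annotations

import math
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    kind: str
    line_no: int
    excerpt: str  # redacted: a scanner's own output must not re-leak the secret


# Format-specific detectors (assumed patterns, not GitHub's rule set).
# GovCloud and commercial AWS keys share the same key-ID format (AKIA =
# long-term IAM key, ASIA = temporary STS key), so the partition cannot be
# inferred from the key alone; the ARN partition (aws-us-gov) tells you that.
DETECTORS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws[_ -]?secret[_ -]?access[_ -]?key\W{0,5}([A-Za-z0-9/+]{40})"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----"),
    "kubeconfig_token": re.compile(r"^\s*token:\s*(\S{20,})"),
}

# Entropy fallback: long mixed-case alphanumeric runs with high character
# diversity.  The threshold is an assumed starting point; tune it per corpus.
CANDIDATE = re.compile(r"[A-Za-z0-9+/_-]{32,}")
ENTROPY_THRESHOLD = 4.0  # bits per character


def shannon_entropy(s: str) -> float:
    """Bits per character over the string's own symbol frequencies."""
    n = len(s)
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def _redact(token: str) -> str:
    return token[:6] + "..." if len(token) > 6 else "..."


def scan_line(line: str, line_no: int) -> list[Finding]:
    # Named detectors win; the entropy pass only runs on lines they did not flag.
    found = [Finding(kind, line_no, _redact(m.group(m.lastindex or 0)))
             for kind, rx in DETECTORS.items() if (m := rx.search(line))]
    if found:
        return found
    for m in CANDIDATE.finditer(line):
        tok = m.group(0)
        mixed = (re.search(r"[a-z]", tok) and re.search(r"[A-Z]", tok)
                 and re.search(r"[0-9]", tok))
        if mixed and shannon_entropy(tok) >= ENTROPY_THRESHOLD:
            found.append(Finding("high_entropy_string", line_no, _redact(tok)))
    return found


def scan_text(text: str) -> list[Finding]:
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        findings.extend(scan_line(line, line_no))
    return findings


def should_block_push(text: str) -> bool:
    """Mirror push protection: refuse the push if anything was found."""
    return bool(scan_text(text))


# Constructed sample mimicking the shape of the leaked files (credentials file,
# kubeconfig fragment, PEM block, vendor API key).  Nothing here is real.
SAMPLE = """\
# constructed sample resembling the leaked files; none of these are real
[govcloud-admin]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
region = us-gov-west-1
users:
- name: cluster-admin
  user:
    token: eyJhbGciOiJSUzI1NiIsImtpZCI6IjEyMzQifQ.c29tZS1wYXlsb2Fk.c2ln
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAexample
-----END RSA PRIVATE KEY-----
ARTIFACTORY_API_KEY=AKCp8k2Xq9f3Lm7Nv1Rt5Wy0Zb4Dc6Hg8Jk2Mn4Pq6Ss8Uu0Ww2Yy4Aa6
build_id = 20251117-1
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print(f"line {f.line_no}: {f.kind} ({f.excerpt})")
    print("block push:", should_block_push(SAMPLE))
```

Wired into a git pre-push hook on a managed workstation, `should_block_push` fires regardless of which GitHub account or repository setting the push is headed for, which is exactly the gap an organization-level policy leaves open. Its limits are the usual ones: pattern detectors miss formats they do not know, the entropy pass raises false positives on hashes and UUIDs, and a user who controls the machine can delete the hook, so it is a tripwire for mistakes, not a barrier against intent.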
For enterprise security teams, the CISA incident is a stark reminder that administrative access controls, monitoring, credential rotation, and contractor management are not compliance exercises. They are the safeguards that stand between human error or intentional misconduct and a full compromise. The same dynamics play out in every organization that relies on contractors for sensitive work, and the consequences of failure can be severe.

