A CISA Contractor's GitHub Repo Held 844 MB of Secrets — and No One Closed the Door
There is something almost poetic about the US government's premier cybersecurity agency — the one whose job is literally to plug holes in critical infrastructure — getting outsmarted by a contractor who treated a public GitHub repository like a digital junk drawer. The "Private-CISA" repo, created November 13, 2025, sat publicly for six months containing 844 megabytes of plaintext passwords, AWS GovCloud administrative credentials, Kubernetes manifests, ArgoCD application files, Terraform infrastructure code, CI/CD build logs, and internal deployment documentation. Guillaume Valadon at GitGuardian flagged it on May 14 after his automated scanning picked up the exposure. The commit history told the whole story in plain sight: the account owner had explicitly disabled GitHub's default secret-scanning protections, pushed plaintext credentials stored in CSV files, committed full backup archives into git history, and used easily guessed passwords like "platform-name-2026." If you want a masterclass in how not to handle secrets, this is a textbook example — and Valadon said he honestly believed it was fake until he analyzed the content more closely.
The part that really sticks with me is not the leak itself — exposed credentials are an occupational hazard for anyone who has ever worked on infrastructure — it is what the repository revealed about the agency's operational posture and why this matters for every team running code in the cloud. Philippe Caturegli of Seralys validated the exposed AWS keys and found they still worked for 48 hours after the repo was taken offline. He confirmed access to CISA's internal "artifactory" — a shared package repository that would be the kind of lateral-movement backdoor every threat actor dreams of: compromise the build system, and every deployment inherits your payload. The repository also exposed the agency's Landing Zone DevSecOps environment (LZ-DSO), Kubernetes configurations, GitHub Actions workflows, and even Entra ID SAML certificates. What makes this worth paying attention to is not that a government agency made a mistake — it is that the mistake was visible, documented in commit history, and actionable for anyone who knew where to look. The real lesson is about the gap between having security tooling and actually using it: GitHub's secret detection was a toggle away, and it was turned off by design. CISA's official response so far has been the usual "no indication of compromise" boilerplate, but the agency has lost nearly a third of its workforce through forced retirements and buyouts since early this year. That kind of institutional bleeding is exactly when you expect to see security hygiene slip — and the Private-CISA repo proves it.

For teams running infrastructure on GitHub, the operational takeaway is blunt: enable secret scanning by default, never commit anything that contains a credential — even a test credential — and audit who has write access to your repositories. The Private-CISA repo was a contractor's scratchpad, not a production project, but that is precisely the scenario that kills organizations. The b
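One way to enforce the "never commit a credential" rule before it reaches history is a local pre-commit hook; the following is an added example, not code from the article, CISA, or GitGuardian. It assumes a git checkout and scans the staged blobs for AWS access key IDs, labelled secret keys, private-key headers, password fields, and backup archives of the kind the Private-CISA repo held; the CSV sample is constructed and uses the AWS documentation placeholder key.

```python
# Added example (not code from the article, CISA or GitGuardian): pre-commit secret check.
import re
import subprocess
import sys

# Credential shapes to block. The AKIA/ASIA anchor matters most: a CSV column
# carries no "aws_access_key_id=" label, so only the key's own format identifies it.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA|ASIA)[A-Z0-9]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws_secret_access_key\s*[=:,]\s*[\"']?[A-Za-z0-9/+=]{40}"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "password_field": re.compile(r"(?i)(password|passwd)\s*[=:]\s*\S+"),
}
# Backup archives belong in object storage, never in git history.
ARCHIVE_SUFFIXES = (".zip", ".tar", ".tar.gz", ".tgz", ".7z", ".bak", ".sql.gz")

def scan_file(path, text):
    """Return (path, line_no, kind) findings; line 0 marks a whole-file finding."""
    findings = []
    if path.lower().endswith(ARCHIVE_SUFFIXES):
        findings.append((path, 0, "archive_in_history"))
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            if pattern.search(line):
                findings.append((path, line_no, kind))
    return findings

def staged_files():
    out = subprocess.run(["git", "diff", "--cached", "--name-only", "--diff-filter=ACM"],
                         capture_output=True, check=True).stdout
    return out.decode("utf-8", errors="replace").splitlines()

def staged_content(path):
    raw = subprocess.run(["git", "show", f":{path}"], capture_output=True, check=True).stdout
    return raw.decode("utf-8", errors="replace")  # staged blob, not the working tree

# Constructed sample resembling the CSV credential dump the article describes;
# the key below is the AWS documentation placeholder, not a real credential.
SAMPLE_CSV = ("service,aws_access_key_id,aws_secret_access_key\n"
              "lz-dso-admin,AKIAIOSFODNN7EXAMPLE,wJalrXUtnFEMI/K7MDENG/bPxRfiCyEXAMPLEKEY\n")

def main():
    findings = [f for p in staged_files() for f in scan_file(p, staged_content(p))]
    for path, line_no, kind in findings:
        print(f"BLOCKED {path}:{line_no}: {kind}", file=sys.stderr)
    return 1 if findings else 0  # non-zero exit makes git abort the commit

if __name__ == "__main__":
    sys.exit(main())
```

Installed as an executable `.git/hooks/pre-commit`, it aborts the commit on any finding; it complements GitHub's server-side secret scanning rather than replacing it, since a hook can be bypassed by whoever controls the working copy.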
