The Breach
In a stunning lapse of basic security hygiene, the US Cybersecurity and Infrastructure Security Agency (CISA), the very organization tasked with defending America’s digital infrastructure, left sensitive production material in a public GitHub repository for approximately six months. The repository, ironically named “Private-CISA,” held 844 MB of infrastructure material, including plain-text passwords, private keys, authentication tokens, and cloud credentials. The file names alone were red flags: “external-secret-repo-creds.yaml,” “AWS-Workspace-Firefox-Passwords.csv,” “Important AWS Tokens.txt,” and “CAWS GitHub Token.txt,” among others.
Who Found It and What Was Inside
GitGuardian researcher Guillaume Valadon, who spent nine years at France’s cybersecurity agency ANSSI, discovered the exposed repository on May 14, 2026, shortly after giving a conference talk on Kubernetes secret leaks. Valadon told The Register he “quickly understood that the leak was bad” and that the situation was as serious as secrets leaks get. His investigation turned up a comprehensive catalogue of exposed credentials: tokens for CISA’s internal JFrog Artifactory, Azure registry keys, AWS credentials, Kubernetes manifests, ArgoCD application files, Terraform infrastructure code, GitHub personal access tokens, and Entra ID SAML certificates. In short, a master key ring to CISA’s build and deployment pipeline.
A Catalogue of Unsafe Practices
Valadon described the repository as a “catalogue of unsafe practices.” Among the most alarming findings: passwords stored in plain text, production backups committed directly to Git, and, perhaps most embarrassingly, an explicit how-to guide for disabling GitHub’s own secret scanning feature. The repository’s directory structure left nothing to the imagination, with folders named “Backup-April-2026/”, “All Backups/”, and “Kubernetes-Important-Yaml-Files/”. To add another layer of risk, the committer used both a CISA-issued contractor email and a personal Yahoo email across the same commits, and created the repository under a personal GitHub account, a “mixed-identity pattern” that Valadon flagged as one of the hardest attack surfaces for security teams to monitor. A repository created under a personal account sits outside the organization’s own GitHub tenancy, so the organization’s access controls, audit logs, and org-wide secret scanning policies never see it.
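Two of the practices listed above, mixed committer identities and secrets committed as literals in Kubernetes YAML or in obviously named files, are things a repository owner can check for mechanically before anything is pushed. The script below is an added example, not CISA’s or GitGuardian’s code, and it runs entirely over constructed sample data: a fabricated git log, fabricated file names, and a fabricated manifest. The organisational domain example.gov, the field separator used for the git log, and the red-flag patterns are assumptions chosen for illustration.

```python
import re

# Constructed sample of `git log --format='%H%x1f%ae%x1f%ce%x1f%s'` output,
# one commit per line with the unit separator (0x1f) between fields. Not real data.
SAMPLE_LOG = (
    "a1b2c3\x1fjdoe.ctr@example.gov\x1fjdoe.ctr@example.gov\x1fAdd Kubernetes manifests\n"
    "d4e5f6\x1fjdoe1999@personalmail.example\x1fjdoe1999@personalmail.example\x1fUpload backups\n"
    "0a1b2c\x1fjdoe.ctr@example.gov\x1fjdoe1999@personalmail.example\x1fRebase fixups\n"
)

ORG_DOMAINS = {"example.gov"}  # assumed organisational email domain(s)

# Constructed file listing resembling the kinds of names that should never reach a
# repository; these are not the actual repository's contents.
SAMPLE_PATHS = [
    "Kubernetes-Important-Yaml-Files/app-deployment.yaml",
    "creds/external-secret-repo-creds.yaml",
    "Backup-2026/prod-db.sql.gz",
    "notes/Important Tokens.txt",
    "tls/server.key",
    "docs/README.md",
]

# Constructed manifest: one literal password next to one correct secretKeyRef.
SAMPLE_YAML = """\
apiVersion: v1
kind: Secret
metadata:
  name: registry-creds
stringData:
  password: hunter2
  username: deploy
env:
  - name: DB_PASSWORD
    valueFrom:
      secretKeyRef:
        name: db
        key: password
"""

# Assumed red-flag patterns for path names (case-insensitive).
RED_FLAG_PATH = re.compile(
    r"(secret|cred|token|passw(or)?d|backup|\.pem$|\.key$|id_(rsa|ed25519)|\.p12$|\.pfx$)",
    re.IGNORECASE,
)
# Assumed sensitive YAML key names; a literal value next to one of these is flagged.
SENSITIVE_KEY = re.compile(r"(password|passwd|secret|token|api[_-]?key)", re.IGNORECASE)
YAML_KV = re.compile(r"^\s*(?:-\s*)?(?P<key>[\w.-]+):\s*(?P<val>\S.*)$")


def parse_log(text):
    """Split the %x1f-delimited git log into commit dicts."""
    commits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        sha, author, committer, subject = line.split("\x1f", 3)
        commits.append({"sha": sha, "author": author, "committer": committer, "subject": subject})
    return commits


def domain(email):
    return email.rsplit("@", 1)[-1].lower()


def find_mixed_identity(commits, org_domains):
    """Return (flagged_shas, domains_seen). A commit is flagged when its author or
    committer address lies outside org_domains; the domain set shows at a glance
    whether one history mixes corporate and personal identities."""
    flagged, domains = [], set()
    for c in commits:
        seen = {domain(c["author"]), domain(c["committer"])}
        domains |= seen
        if not seen <= org_domains:
            flagged.append(c["sha"])
    return flagged, domains


def flag_paths(paths):
    """Paths whose names suggest committed credentials, keys or backups."""
    return [p for p in paths if RED_FLAG_PATH.search(p)]


def find_plaintext_secrets(yaml_text):
    """(line_no, key) for sensitive keys carrying an inline literal value.
    A secretKeyRef's own `key: password` line is not flagged: its key is `key`."""
    hits = []
    for n, line in enumerate(yaml_text.splitlines(), 1):
        m = YAML_KV.match(line)
        if m and SENSITIVE_KEY.search(m["key"]) and m["val"] not in ("|", ">"):
            hits.append((n, m["key"]))
    return hits


if __name__ == "__main__":
    shas, doms = find_mixed_identity(parse_log(SAMPLE_LOG), ORG_DOMAINS)
    print("mixed-identity commits:", shas, "domains:", sorted(doms))
    print("red-flag paths:", flag_paths(SAMPLE_PATHS))
    print("plaintext secrets in YAML:", find_plaintext_secrets(SAMPLE_YAML))
```

In a real pipeline the log would come from `git log --format='%H%x1f%ae%x1f%ce%x1f%s'` and the path list from `git ls-files`; both checks belong in a pre-push hook or CI gate, alongside the platform’s own secret scanning rather than instead of it.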
The Response and Takedown
Valadon reported the exposure through the CERT/CC portal on May 14. By the morning of May 15, a Friday, he had received only an automated acknowledgment. Concerned about the lack of urgency, he escalated by alerting security journalist Brian Krebs, whose coverage appeared to accelerate CISA’s internal response. By 6 PM Eastern time that same day, the repository was taken offline, just 26 hours after initial discovery. CISA issued a statement confirming awareness of the incident and noting that “there is no indication that any sensitive data was compromised.” Valadon credited CISA for acting swiftly once pressure mounted, noting that most responsible disclosures take far longer to resolve.
The Bigger Picture
While CISA acted quickly, the broader implications are deeply concerning. The agency has had no permanent director since the Trump administration took office, is facing proposed budget cuts of over $700 million, and has already endured deep staff reductions. This incident adds to a growing list of internal security embarrassments for the nation’s top cyber-defense body. Valadon noted that each category of exposed credential represented a distinct and dangerous attack path, from ransomware and destructive attacks to long-term silent persistence inside CISA’s infrastructure. Whether any malicious actor accessed the secrets before takedown remains unknown, though the repository was never forked, a possible indicator that it wasn’t widely circulated. Only GitHub, which holds the repository’s clone and access records, has the definitive answer, and the platform did not respond to press inquiries at time of publication.