CISA’s leaked keys test more than GitHub hygiene

The CISA leak is not just a public repository mistake. The real test is whether every exposed credential was revoked, checked, and contained.

2026-06-01 GIGATAP Team #security
#security advisory#CISA#credential leak

CISA’s exposed secrets are now a security operations problem, not just an embarrassing GitHub mistake.

KrebsOnSecurity reported that a CISA contractor intentionally published AWS GovCloud keys and other agency secrets on a public GitHub account. Lawmakers in both houses of Congress are now asking how that happened, how long the data was exposed, and whether CISA can prove the leaked credentials no longer work.

That last question matters most. A security advisory about exposed secrets is not closed when the repository disappears. It is closed when the affected credentials are identified, revoked, replaced, and checked for possible use.

What changed#

On May 18, KrebsOnSecurity reported that a CISA contractor with administrative access to the agency’s code development platform created a public GitHub profile containing plaintext credentials for dozens of internal CISA systems.

Experts who reviewed the exposed repository said its commit logs showed the contractor disabled GitHub’s built-in protection against publishing sensitive credentials in public repositories. KrebsOnSecurity also reported that the now-defunct archive, called Private-CISA, appeared to have been created in November 2025.

CISA acknowledged the incident and said there was “no indication that any sensitive data was compromised as a result of the incident.” That statement leaves a key operational gap. It does not answer how long the credentials were public, who accessed them, or whether every affected secret had been rotated at the time lawmakers began asking questions.

Sen. Margaret Hassan asked CISA’s acting director for answers about the breach. House Homeland Security Democrats also raised concern that the incident may point to a weakened security culture or poor management of contractor support.

The political angle is secondary to the operational one. CISA is the agency that tells others how to manage cyber risk. A public leak of agency credentials tests whether those same controls work inside its own environment.

Why this security advisory matters#

Secrets exposed on GitHub are not theoretical risk. Public code feeds are monitored by defenders and attackers. Tools such as TruffleHog search public repositories for private keys and other credentials, but criminal groups and state-linked operators can watch the same stream.

KrebsOnSecurity cited Truffle Security’s Dylan Ayrey, who said one exposed RSA private key granted access to a GitHub app owned by CISA’s enterprise account and installed on the CISA-IT GitHub organization. According to Ayrey, an attacker with that key could read private source code, register rogue self-hosted runners, target CI/CD pipelines, reach repository secrets, and modify administrative settings such as branch protection rules, webhooks, and deploy keys.

CISA appears to have invalidated that RSA key after KrebsOnSecurity notified the agency on May 20. But Ayrey said other leaked credentials tied to critical security technologies still had not been rotated at that point. KrebsOnSecurity did not name those technologies publicly.

That is the hard part of exploitability in this case. The issue is not a single CVE with a clean patched-version boundary. It is a credential exposure event across systems, vendors, and workflows. The blast radius depends on what each secret could access, whether any access was logged, and whether replacement credentials were deployed cleanly without leaving old trust paths alive.

What to check#

The practical checks are familiar, but the order matters.

First, identify every exposed secret from the repository history, not only the files visible at takedown time. Public Git history can preserve secrets even after a file is edited.

Second, revoke before replacing. A new credential does not reduce risk if the old one still works.

Third, inspect use logs for each credential. The useful question is not only whether attackers could use the key, but whether anyone did.

Fourth, review CI/CD trust paths. Leaked GitHub app keys, runner permissions, deploy keys, webhooks, and branch protection settings can turn a code exposure into a build-chain problem.

Fifth, treat contractor access as part of the security boundary. Administrative access to code platforms is not a convenience role. It is production-adjacent power, especially when repositories hold infrastructure code, deployment automation, or environment secrets.

For open source security teams, the lesson is not “never use GitHub.” It is that public code platforms need secret scanning, enforced push protection, least-privilege app permissions, and a tested rotation process. Those controls are only useful if operators cannot quietly bypass them without review.

Related GigaTap reading: OpenSSF’s April signal: make security artifacts operational; 100% package test coverage is the point, not the slogan; Open Source Security Needs More Than Code.

What not to overclaim#

The public record does not prove that foreign adversaries used the exposed credentials. CISA says it has no indication that sensitive data was compromised. That statement should be reported, but not stretched into proof that the incident was harmless.

The inverse is also true. A public repository containing working agency secrets is enough to justify serious concern even without confirmed exploitation. In security operations, absence of evidence is only useful when logging, telemetry, and retention are strong enough to make the absence meaningful.

The most credible reading is narrow: CISA suffered a serious exposed-secrets incident involving contractor-controlled public GitHub activity; some credentials appear to have remained valid after notification; lawmakers are asking whether agency controls, staffing disruption, and contractor oversight contributed to the failure.

The next useful evidence would be concrete. How many credentials were exposed? Which systems did they touch? When was each one revoked? Were any used from unfamiliar infrastructure? Did any CI/CD or repository settings change during the exposure window? Were GitHub protections disabled with approval, by exception, or without oversight?

Until those answers exist, this is not a closed incident. It is an active test of whether CISA can turn a public credential leak into a complete containment record.