The exposed files reportedly included documentation and configuration data showing how the agency builds, tests, and deploys internal software and infrastructure.
Because the repository was public, anyone who discovered it could potentially download the contents and inspect the credentials stored within.
The repository reportedly contained a wide range of sensitive information associated with CISA and DHS systems, including:
Some of the credentials were reportedly tied to high‑privilege AWS GovCloud accounts and numerous internal CISA systems.
Security experts noted that this type of information, especially cloud credentials and access tokens, can allow direct access to infrastructure or services if the credentials remain active and carry sufficient permissions.
The exposure was discovered by Guillaume Valadon, a security researcher at GitGuardian, a company that scans public code repositories for exposed secrets and credentials.
GitGuardian’s automated scanning tools flagged the repository because it contained credentials and other sensitive information embedded in files. According to reporting, the company attempted to notify the responsible GitHub account or contractor but received no response.
After repeated attempts to reach the repository owner failed, Valadon contacted cybersecurity journalist Brian Krebs on May 15. Krebs then helped escalate the issue to officials and report on the exposure publicly.
Following the escalation, the repository was taken offline.
Even though the repository was removed relatively quickly after the disclosure, the exposure created several possible risks.
If any of the credentials were still valid, they could theoretically allow access to:
Researchers noted that some of the exposed credentials appeared to still be active at the time of discovery.
However, publicly available reporting has not confirmed whether anyone malicious accessed the credentials before the repository was removed.
CISA acknowledged the exposure and said it was investigating the circumstances surrounding the repository.
According to statements reported by multiple outlets, the agency said it had no evidence that sensitive data was compromised or that a breach occurred.
Officials indicated that they were reviewing the incident and taking steps to prevent similar exposures in the future.
The situation also drew attention from lawmakers, with members of Congress requesting briefings about how the credentials were exposed and whether federal systems were at risk.
The leak attracted significant attention because CISA itself is the U.S. government’s lead civilian cybersecurity agency. The organization regularly publishes guidance to federal agencies, businesses, and infrastructure operators on topics such as:
As a result, the discovery that credentials tied to the agency had been left in a public GitHub repository highlighted the kinds of operational security failures CISA typically warns others to avoid.
Incidents like this are not uncommon across the software industry. Public repositories frequently expose secrets accidentally when developers commit credentials or configuration files into version control.
Security tools now routinely scan public code hosting platforms for exposed keys and passwords. In this case, such scanning allowed a researcher to identify the issue and help ensure the repository was removed before any confirmed exploitation occurred.
Even so, the episode underscores how a single misconfigured repository—especially in complex government or enterprise environments—can potentially expose access to critical infrastructure if credential management practices fail.
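The kind of scanning described above can also run locally, before a commit reaches a public repository. The following is an added example, not code from GitGuardian or from the original article: a minimal scanner that flags AWS access key IDs, private key blocks, and high-entropy values assigned to secret-like names, redacting each match so the report does not re-leak it. The file path, the `deploy_token` value, and the entropy threshold are constructed assumptions; the key ID is AWS's documented example value.

```python
import math
import re

# AWS access key IDs are 20 characters and begin with AKIA (long-term) or
# ASIA (temporary STS credentials).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"),
}
# "name = value" assignments whose name suggests a secret.
ASSIGNMENT = re.compile(
    r"(?i)\b([\w.-]*(?:secret|token|password|passwd|api[_-]?key)[\w.-]*)"
    r"\s*[:=]\s*[\"']?([^\s\"']{12,})"
)

def shannon_entropy(value):
    """Bits per character; random tokens score well above dictionary words."""
    counts = {c: value.count(c) for c in set(value)}
    return -sum(n / len(value) * math.log2(n / len(value)) for n in counts.values())

def redact(value):
    """Keep only a short prefix so findings can be triaged without re-leaking."""
    return value[:4] + "*" * (len(value) - 4)

def scan(path, text, min_entropy=3.5):
    """Return (path, line_no, rule, redacted_match) for each suspected secret."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append((path, line_no, rule, redact(m.group(0))))
        for m in ASSIGNMENT.finditer(line):
            value = m.group(2)
            # Skip template placeholders such as ${VAR} and low-entropy values.
            if value.startswith(("${", "{{", "<")) or shannon_entropy(value) < min_entropy:
                continue
            findings.append((path, line_no, "high_entropy_assignment", redact(value)))
    return findings

# Constructed sample input (hypothetical config file, not from the incident).
SAMPLE = """\
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
db_password = ${DB_PASSWORD}
deploy_token = q8Zr2LmX0vT4nB7cJ1kH9sWd
"""

if __name__ == "__main__":
    print(*scan("deploy/config.ini", SAMPLE), sep="\n")
```

A finding from a scanner like this means the credential should be rotated, not just deleted from the file, since any copy already pushed remains usable until it is revoked.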