A public GitHub repository named "Private-CISA" exposed sensitive credentials belonging to the US Cybersecurity and Infrastructure Security Agency (CISA), including plaintext passwords, SSH private keys and API tokens, for at least six months. The exposure, first detected in November 2025, highlights lapses in basic credential hygiene and underscores the risk posed by an improperly managed code repository.
The incident came to light after security researcher Brian Krebs reported the findings, which had been flagged by GitGuardian's automated scans. Guillaume Valadon, a researcher at GitGuardian, identified the repository and tried several times to notify its owner, without response. In a subsequent email to Krebs, Valadon said that GitHub's built-in protections against secret leaks, the features meant to stop developers from accidentally publishing credentials, had been intentionally disabled by the repository's administrator, compounding the exposure.
The mechanics behind the credential leak
CISA's exposed assets were stored in a repository that, despite its name, was publicly accessible. Valadon's analysis of the repository's commit history showed that GitHub's default secret scanning settings had been turned off, removing a safeguard that would otherwise have flagged the committed credentials. The repository held a mix of configuration files, scripts and documentation, and the exposed material included:
- Plaintext passwords for internal systems
- SSH private keys for remote access
- API tokens for cloud services and third-party integrations
- Configuration files with hardcoded credentials
These credentials were not hidden or obfuscated in any way, so anyone who cloned the repository could extract them with a simple text search or an off-the-shelf secret scanner. Nothing had kept them out of version control in the first place, whether a secrets manager, injection through environment variables or an encrypted secrets file, and the data remained exposed until the repository was finally taken offline. Taking a repository down does not undo the leak: clones and forks persist, so credentials that have been published in a public repository must be treated as compromised and rotated.
Consequences of the exposure
The exposure of CISA’s credentials raises immediate concerns about the potential for unauthorized access to government systems. While there is no evidence that the credentials were exploited, the mere presence of such sensitive data in a public repository represents a significant security failure. The incident also underscores the broader risks associated with improper credential management, particularly in organizations responsible for national cybersecurity.
The disabling of GitHub's default secret scanning protections is particularly alarming. Secret scanning detects known credential formats in committed content and raises alerts, and push protection goes a step further by rejecting a push that contains a recognised secret before it reaches the repository, yet both safeguards were turned off in this case. This suggests a lack of awareness of, or disregard for, basic security practice among the repository's maintainers.
Lessons for government and enterprise security teams
This incident serves as a stark reminder of the importance of robust credential management and repository security. Organizations—especially those handling sensitive data—must prioritize the following measures to prevent similar exposures:
- Enable GitHub's secret scanning and push protection and enforce them at the organization level, so that an individual repository administrator cannot switch them off.
- Implement automated tools to detect exposed credentials and rotate them promptly; deleting a secret from a repository does not invalidate it.
- Enforce strict access controls and review repository permissions regularly.
- Conduct periodic security audits to identify and remediate vulnerabilities.
- Provide comprehensive security training for developers and administrators.
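The two technical points above, that plaintext secrets in a repository are trivial to find and that the scanning safeguards were switched off, can both be made concrete in a few dozen lines. The following is an added example written for this page; it is not code from the article, from GitGuardian or from GitHub. It implements the kind of scanner a pre-commit hook or CI job would run (a handful of public token formats plus a generic Shannon-entropy heuristic, whereas real scanners ship hundreds of provider-specific detectors) and a check of the `security_and_analysis` block that the GitHub REST API returns for a repository. The sample files, the tokens in them and the settings response are all constructed for the example.

```python
"""Toy secret scanner plus repository-settings audit.

Added example, not code from the article, GitGuardian or GitHub.  The rules
cover the PEM private-key header, GitHub's ghp_ token prefix, AWS's AKIA
access-key prefix, a generic hardcoded-password pattern and a high-entropy
heuristic; production scanners ship hundreds of provider-specific detectors.
"""
import math
import re
from dataclasses import dataclass

# Provider-specific rules: (name, pattern).  A match on a line is reported once
# per rule and suppresses the generic entropy heuristic for that line.
SPECIFIC_RULES = [
    ("private-key", re.compile(r"-----BEGIN (?:RSA |OPENSSH |EC |DSA )?PRIVATE KEY-----")),
    ("github-pat", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("hardcoded-password", re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*[\"']?[^\s\"']{8,}")),
]

# Generic heuristic: long runs of base64/URL-safe characters with high Shannon
# entropy catch tokens whose format no specific rule knows.  Hex strings have
# at most 4.0 bits per character, so the strict threshold skips them.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_-]{32,}")
ENTROPY_THRESHOLD = 4.0


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    rule: str


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty or uniform string)."""
    if not s:
        return 0.0
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def scan_text(path: str, text: str) -> list[Finding]:
    """Scan one file's contents line by line, as a pre-commit hook would."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        hit = False
        for name, pattern in SPECIFIC_RULES:
            if pattern.search(line):
                findings.append(Finding(path, line_no, name))
                hit = True
        if hit:
            continue
        if any(shannon_entropy(tok) > ENTROPY_THRESHOLD for tok in TOKEN_RE.findall(line)):
            findings.append(Finding(path, line_no, "high-entropy-string"))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    """Scan a mapping of path -> contents, e.g. the staged files of a commit."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


def audit_repo_settings(repo: dict) -> list[str]:
    """Return the secret-scanning protections that are not enabled.

    `repo` has the shape of the GitHub REST API repository object
    (GET /repos/{owner}/{repo}); only its security_and_analysis block is read.
    """
    sec = repo.get("security_and_analysis") or {}
    return [
        feature
        for feature in ("secret_scanning", "secret_scanning_push_protection")
        if (sec.get(feature) or {}).get("status") != "enabled"
    ]


# Constructed sample files standing in for a repository's working tree.  The
# key body is truncated and every token is a dummy (AKIAIOSFODNN7EXAMPLE is
# the example key from AWS's own documentation).
SAMPLE_FILES = {
    "deploy/id_rsa": (
        "-----BEGIN OPENSSH PRIVATE KEY-----\n"
        "AAAAC3NzaC1lZDI1NTE5AAAAIG\n"
        "-----END OPENSSH PRIVATE KEY-----\n"
    ),
    "config/app.ini": (
        "[database]\n"
        "host = db.internal\n"
        "password = Winter2025!Rotate\n"
        "webhook_secret = QwErTyUiOpAsDfGhJkLzXcVbNm1234567890+/=_\n"
    ),
    "scripts/sync.sh": (
        "export GITHUB_TOKEN=ghp_0123456789abcdefghijklmnopqrstuvwxyz\n"
        "aws s3 sync ./out s3://bucket --profile AKIAIOSFODNN7EXAMPLE\n"
    ),
    "README.md": "# Private-CISA\nInternal tooling. Do not commit credentials.\n",
}

# Constructed settings response for a public repository whose administrator
# switched both protections off, the situation the article describes.
SAMPLE_REPO_SETTINGS = {
    "private": False,
    "security_and_analysis": {
        "secret_scanning": {"status": "disabled"},
        "secret_scanning_push_protection": {"status": "disabled"},
    },
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line_no}: {f.rule}")
    print("disabled protections:", audit_repo_settings(SAMPLE_REPO_SETTINGS))
```

Run against the constructed tree, the scanner reports the private-key header, the hardcoded password, the high-entropy webhook secret, the GitHub token and the AWS key ID, and ignores the README; the settings audit lists both protections as disabled. Wiring `scan_files` to the staged files of a commit and failing the hook on any finding is the local counterpart of GitHub's push protection; the settings audit is what an organization would run periodically so that a repository-level opt-out like the one reported here does not go unnoticed.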
The CISA credential leak is a cautionary tale for both government agencies and private enterprises. As digital transformation accelerates, the stakes for securing sensitive data continue to rise. A single oversight can lead to catastrophic consequences, making it imperative for organizations to adopt a proactive and security-first approach to code and credential management.