Members of Congress from both chambers have started asking pressing questions at the U.S. Cybersecurity & Infrastructure Security Agency (CISA) after KrebsOnSecurity revealed this week that a CISA contractor deliberately uploaded AWS GovCloud keys — along with a large collection of other agency secrets — to a publicly accessible GitHub account. The investigation comes as CISA continues working to contain the breach and revoke the exposed credentials.
KrebsOnSecurity reported on May 18 that a CISA contractor with admin-level access to the agency’s code development platform had set up a public GitHub profile named “Private-CISA” containing plaintext credentials for dozens of internal CISA systems. Security experts who examined the exposed secrets confirmed that the repository’s commit history showed the contractor had deliberately turned off GitHub’s built-in safeguards that are designed to prevent publishing sensitive credentials in public repositories.
CISA confirmed the leak but has not answered questions about how long the data remained exposed. However, experts who reviewed the now-removed Private-CISA archive said it was initially created back in November 2025, and that its structure was consistent with an individual using it as a workspace or synchronization tool rather than an organized project repository.
In a written statement, CISA said “there is no indication that any sensitive data was compromised as a result of the incident.” But in a letter dated May 19 (PDF) addressed to CISA’s Acting Director Nick Andersen, Sen. Maggie Hassan (D-NH) argued that the credential leak raises serious questions about how such a significant security lapse could take place at the very agency responsible for helping prevent cyber breaches in the first place.
“This reporting raises serious concerns regarding CISA’s internal policies and procedures at a time of significant cybersecurity threats against U.S. critical infrastructure,” Sen. Hassan wrote.

Sen. Margaret Hassan (D-NH) sent a May 19 letter to CISA’s acting director demanding answers to approximately a dozen questions about the breach.
Sen. Hassan pointed out that the incident took place amid major internal turmoil at CISA, which shed more than a third of its workforce and nearly all of its senior leadership after the Trump administration pushed through a wave of forced early retirements, buyouts, and resignations across the agency’s divisions.
Rep. Bennie Thompson (D-MS), the ranking Democrat on the House Homeland Security Committee, echoed those concerns.
“We are concerned that this incident reflects a diminished security culture and/or an inability for CISA to adequately manage its contract support,” Thompson wrote in a May 19 letter to the acting CISA chief, co-signed by Rep. Delia Ramirez (D-Ill.), the ranking member of the panel’s Subcommittee on Cybersecurity and Infrastructure Protection. “It’s no secret that our adversaries — like China, Russia, and Iran — seek to gain access to and persistence on federal networks. The files contained in the ‘Private-CISA’ repository provided the information, access, and roadmap to do just that.”
KrebsOnSecurity has learned that more than a week after CISA was first alerted to the data leak by the security firm GitGuardian, the agency is still in the process of revoking and replacing many of the exposed keys and secrets.
On May 20, KrebsOnSecurity spoke with Dylan Ayrey, creator of TruffleHog, an open-source tool that scans code hosted on GitHub and other public platforms for private keys and other secrets. Ayrey said CISA had still not invalidated an RSA private key exposed in the Private-CISA repo that provided access to a GitHub app owned by the CISA enterprise account — an app installed on the CISA-IT GitHub organization with full access to all code repositories.
“An attacker with this key can read source code from every repository in the CISA-IT organization, including private repos, register rogue self-hosted runners to hijack CI/CD pipelines and access repository secrets, and modify repository admin settings including branch protection rules, webhooks, and deploy keys,” Ayrey told KrebsOnSecurity. CI/CD refers to Continuous Integration and Continuous Delivery, a set of practices used to automate the building, testing, and deployment of software.
KrebsOnSecurity alerted CISA to Ayrey’s findings on May 20. Ayrey said CISA appeared to have revoked the exposed RSA private key sometime after that notification. However, he noted that CISA still had not rotated leaked credentials associated with other critical security technologies deployed throughout the agency’s technology portfolio (KrebsOnSecurity is temporarily withholding the names of those technologies for security reasons).
When asked about Ayrey’s findings, CISA provided a brief written statement saying, “CISA is actively responding and coordinating with the appropriate parties and vendors to ensure any identified leaked credentials are rotated and rendered invalid and will continue to take appropriate steps to protect the security of our systems.”
Ayrey explained that his company, Truffle Security, monitors GitHub and several other code platforms for exposed keys and tries to notify affected accounts about the sensitive data exposure. They can do this efficiently on GitHub because the platform publishes a live feed containing a record of all commits and changes to public code repositories. But he warned that cybercriminal groups also monitor these public feeds, and are often quick to exploit API or SSH keys that get accidentally or deliberately published in code commits.
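The monitoring described above works because a commit's content is inspected for credential patterns as soon as it appears in the public feed; the kinds of secrets named earlier in this story (AWS GovCloud keys, a GitHub App's RSA private key) are exactly what such detectors look for. The following is an added example, not TruffleHog's, GitGuardian's, or CISA's code: it runs pattern detectors over the added lines of a git diff, applies an entropy check to drop obvious placeholders, and reports redacted findings. The sample diff is constructed; the AWS values are the placeholder examples AWS publishes in its documentation, and the `ghp_` values are made up.

```python
"""Detect leaked credentials in commit content.

Added example (not TruffleHog's or GitGuardian's code). It applies pattern
detectors of the kind those tools use to the added lines of a git diff, the
same sort of content a monitor fetches for every commit seen in GitHub's
public events feed. The sample input below is constructed; the AWS values
are the placeholder examples published in AWS documentation.
"""
import math
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    kind: str        # which detector fired
    line_no: int     # 1-based line within the diff text
    redacted: str    # enough of the value to triage, not enough to reuse


# Structured detectors: each captures the candidate secret in group 1.
DETECTORS = {
    # Long-term (AKIA) and temporary (ASIA) AWS access key IDs.
    "aws_access_key_id": re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b"),
    # Classic GitHub personal access token.
    "github_pat": re.compile(r"\b(ghp_[A-Za-z0-9]{36})\b"),
    # A 40-character value assigned to an AWS-secret-looking variable name.
    "aws_secret_access_key": re.compile(
        r"(?i)aws_?secret(?:_access)?_key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
    ),
    # PEM header of a private key (RSA, EC, OpenSSH, DSA or PKCS#8).
    "private_key_block": re.compile(r"(-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----)"),
}

# Detectors whose captured value is itself the secret get an entropy check,
# which drops obvious placeholders such as "xxxxxxxx...".
ENTROPY_CHECKED = {"aws_access_key_id", "github_pat", "aws_secret_access_key"}
MIN_ENTROPY_BITS = 3.0


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for a single repeated character)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def redact(value: str) -> str:
    """Keep a short prefix/suffix so a finding can be matched to its source."""
    if len(value) <= 8:
        return "*" * len(value)
    return f"{value[:4]}...{value[-2:]}"


def scan_line(text: str, line_no: int) -> list[Finding]:
    findings = []
    for kind, pattern in DETECTORS.items():
        for match in pattern.finditer(text):
            value = match.group(1)
            if kind in ENTROPY_CHECKED and shannon_entropy(value) < MIN_ENTROPY_BITS:
                continue  # placeholder, not a credential
            findings.append(Finding(kind, line_no, redact(value)))
    return findings


def scan_diff(diff_text: str) -> list[Finding]:
    """Scan only lines the commit adds; a removed line was already published
    by an earlier commit and is caught when that commit is scanned."""
    findings = []
    for line_no, line in enumerate(diff_text.splitlines(), start=1):
        if line.startswith("+") and not line.startswith("+++"):
            findings.extend(scan_line(line[1:], line_no))
    return findings


# Constructed sample diff; the AWS values are the documentation placeholders.
SAMPLE_DIFF = "\n".join([
    "diff --git a/deploy/config.env b/deploy/config.env",
    "--- a/deploy/config.env",
    "+++ b/deploy/config.env",
    "@@ -1,2 +1,8 @@",
    " # constructed sample; nothing here is a real credential",
    "-OLD_TOKEN=ghp_zyxwvutsrqponmlkjihgfedcba9876543210",
    "+AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",
    "+AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "+aws_secret_key: " + "x" * 40,
    "+GITHUB_TOKEN=ghp_0123456789abcdefghijklmnopqrstuvwxyz",
    "+-----BEGIN RSA PRIVATE KEY-----",
    "+MIIEowIBAAKCAQEA(truncated constructed body)",
    "+-----END RSA PRIVATE KEY-----",
])

if __name__ == "__main__":
    for f in scan_diff(SAMPLE_DIFF):
        print(f"line {f.line_no}: {f.kind} ({f.redacted})")
```

Run against the sample, the scanner reports the access key ID, the secret key, the token and the PEM header, skips the all-`x` placeholder, and ignores the token on the removed line. A production monitor adds a verification step (checking whether a captured key is live against the issuing service) so that responders can prioritize rotation, which is the step the story describes CISA still working through.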

The Private-CISA GitHub repository exposed dozens of plaintext credentials tied to important CISA GovCloud resources.
In practical terms, it is highly likely that cybercrime operators or foreign adversaries also noticed the publication of these CISA secrets — the most serious of which appear to have been uploaded in late April 2026, according to Ayrey.
“We monitor that firehose of data for keys, and we have tools to try to figure out whose they are,” he explained. “We have evidence attackers monitor that stream as well. Anyone watching GitHub events could be sitting on this information.”
James Wilson, the enterprise technology editor for the Risky Business security podcast, noted that organizations using GitHub for code management can set top-level policies to prevent employees from disabling GitHub’s built-in protections against publishing secret keys and credentials. But his co-host Adam Boileau cautioned that it’s unclear whether any technical measure could prevent employees from simply creating a personal GitHub account and using it to store sensitive, proprietary information.
“Ultimately, this is a thing you can’t solve with a technical control,” Boileau said on this week’s podcast episode. “This is a human problem where you’ve hired a contractor to do this work and they have decided on their own to use GitHub to synchronize content from a work machine to a home machine. I don’t know what technical controls you could put in place given that this is being done presumably outside of anything CISA managed or even had visibility on.”
Update, 3:05 p.m. ET: Added statement from CISA. Corrected a date in the story (Truffle Security said the repository received some of its most sensitive secrets in late April 2026, not 2025).