Introduction to the Incident
A recent discovery by security researcher Brian Krebs has revealed that America's Cybersecurity & Infrastructure Agency (CISA) had a large store of plaintext passwords, SSH private keys, tokens, and other sensitive assets exposed in a public GitHub repository. The repository, named 'Private-CISA', had been public since at least November 2025, and its contents were accessible to anyone. This incident raises concerns about the security practices of government agencies and their contractors.
Implications for Security
The exposure of sensitive CISA assets in a public GitHub repository is a significant security lapse. The repository's commit logs show that GitHub's default protections against committing secrets had been disabled by the repository's administrator. This means that the repository's owner intentionally allowed sensitive information to be committed to the public repository. Testing by Seralys founder Philippe Caturegli confirmed that the credentials in the repository could be used to gain access to multiple Amazon Web Services GovCloud accounts at a high privilege level.
Source
Original reporting by Ars Technica.