CISA Exposes Secrets, Credentials in 'Private' Repo

The agency's GitHub repository, publicly available since November 2025, was ironically named "Private-CISA."

Rob Wright, Senior News Director, Dark Reading
May 19, 2026, 3 Min Read
Source: PJ McDonnell via Alamy Stock Photo

It seems every organization is exposing secrets on the Internet these days — even the US government.

GitGuardian researcher Guillaume Valadon today revealed he discovered a public GitHub repository belonging to the Cybersecurity and Infrastructure Security Agency (CISA) that contained 844MB of sensitive data, including plain-text passwords, authentication tokens, and other secrets. Despite being named "Private-CISA," the repo had been publicly accessible online since Nov. 13, 2025.

In a blog post, Valadon said he first discovered the exposed repo on May 14, after GitGuardian's Public Monitoring, which continuously scans public sources like GitHub for leaked secrets, flagged the repository the day before. After taking a look, he initially suspected it was a hoax because the contents of the repo "seemed too good to be true."

Alas, the repo was real, and so were the secrets inside it. CISA's blunder is the latest example of an unfortunate trend: organizations failing to contain the sprawl of secrets and accidentally exposing sensitive datasets on the Internet, where threat actors stand ready to sweep them up.

Attackers Gain 'Detailed View Into Cloud Infrastructure'

Valadon found the repo contained some eye-popping directory and file names, including "Important AWS Tokens.txt" and "ENTRA ID - SAML Certificates/". The repo held not only those tokens and SAML certificates but also plain-text passwords, private keys, and other credentials, some of which were still valid.

Additionally, the repo housed CI/CD build logs, deployment workflow documentation, Kubernetes manifests, GitHub Actions workflows, GitHub organization automation, and a host of AWS data, such as user accounts, identity and access management (IAM) data, service accounts, and secret-management paths, among other items.

"The exposed material provided a detailed view into cloud infrastructure, deployment workflows, software supply-chain tooling, and internal operational practices," Valadon wrote.

Dark Reading contacted CISA for comment, but the agency did not respond at press time.

It's unclear whether the secrets were accessed during the six months the repo was online. Studies have shown that attackers monitor cloud assets like GitHub repos for exposed secrets and can act on leaks within minutes of the data going online.

Valadon tells Dark Reading that an "authoritative answer will require GitHub's cooperation," because external views of repos are limited.

"What we can see from outside is that the repository was never forked, based on public GitHub events. That's a weak but real signal that it didn't circulate widely," he says. "We can't observe clones from the outside, so we can't rule out that an individual downloaded a copy, but that's an inference, not a confirmation."

CISA's High-Risk Practices Led to Exposure

The good news is that after Valadon alerted CISA, the agency took down the repo in just over 24 hours, although he noted that it took some assistance from cybersecurity journalist Brian Krebs, who connected with his contacts at the agency and elevated the issue.

"Credit to CISA for moving fast — most of our disclosures take far longer, and some are never fixed," Valadon wrote.

The bad news is that CISA personnel were engaging in high-risk behavior. "The repository was a catalogue of unsafe practices: plain-text passwords, backups committed to Git, and explicit instructions to disable GitHub's secret scanning," he wrote.

Valadon tells Dark Reading that, based on an analysis of the repo, the most likely explanation is that because some of the commits contained hardcoded secrets, GitHub's push protection feature was blocking the pushes. "Rather than remove the secrets, someone documented how to disable the control so the commits would go through," he says.

This, Valadon adds, is bad practice that mature organizations shun. Instead, they treat security features like GitHub's secret scanning or GitGuardian's push protection service as "a non-negotiable control."

"The pattern we see is individual developers turning it off under deadline pressure when a push fails. The correct response is to remove the secret from the commit, not the detector," he says.

The exposed repo follows massive cuts to CISA's budget and workforce under the second Trump administration. As of last year, the agency had lost approximately a third of its employees, while the White House's fiscal 2027 budget proposal would slash CISA's funding by more than $700 million.

About the Author

Rob Wright, Senior News Director, Dark Reading

Rob Wright is a longtime reporter with more than 25 years of experience as a technology journalist. Prior to joining Dark Reading as senior news director, he spent more than a decade at TechTarget's SearchSecurity in various roles, including senior news director, executive editor and editorial director. Before that, he worked for several years at CRN, Tom's Hardware Guide, and VARBusiness Magazine covering a variety of technology beats and trends. Prior to becoming a technology journalist in 2000, he worked as a weekly and daily newspaper reporter in Virginia, where he won three Virginia Press Association awards in 1998 and 1999. At TechTarget and Dark Reading, he has won several Azbee awards, including the 2026 National Silver Award for a series on vibe coding. At Dark Reading, Rob currently covers security operations, cloud security, and Internet infrastructure. He has a keen interest in malvertising activity and the certificate authority industry, and has written extensively on both topics. He graduated from the University of Richmond in 1997 with a degree in journalism and English. A native of Massachusetts, he lives in the Boston area.
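To make concrete the control Valadon describes in the article above (push protection refusing a push whose new content carries a credential, with the remedy being to remove the secret rather than the detector), here is an added example. It is not code from GitHub, GitGuardian or CISA: a small scanner that reads a unified diff, inspects only the lines being added, and blocks on known credential shapes. The rules, the entropy threshold and the sample diff are assumptions constructed for this example; the AWS key ID in it is the placeholder AWS uses in its documentation.

```python
"""Pre-push secret check over a unified diff: scan only added lines and refuse
the push on any credential-shaped finding, reporting file and line.

Constructed example (not GitHub's or GitGuardian's code).  It mirrors what
push protection does server-side, so the fix for a block is to take the
secret out of the commit, not to switch the check off.
"""
from __future__ import annotations

import math
import re
from collections import Counter
from dataclasses import dataclass

# Rules by credential shape.  AWS access-key IDs (AKIA/ASIA + 16 chars) and
# GitHub token prefixes are published formats; "credential_assignment" is a
# heuristic (password/secret/token-style assignment with a long literal) that
# is only reported when the literal is high-entropy.  Assumed for this example.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token": re.compile(
        r"\b(?:ghp|gho|ghu|ghs|ghr)_[A-Za-z0-9]{36}\b|\bgithub_pat_[A-Za-z0-9_]{22,}\b"),
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    "credential_assignment": re.compile(
        r"(?i)(?:password|passwd|secret|token|api[_-]?key)\s*[:=]\s*['\"]?([A-Za-z0-9+/=_\-]{16,})"),
}
ENTROPY_FLOOR = 3.0  # bits per char; filters placeholders like "xxxxxxxxxxxxxxxx"


@dataclass
class Finding:
    rule: str
    path: str
    line_no: int   # line number in the new version of the file
    text: str


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character (0.0 for empty or constant strings)."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_diff(diff: str) -> list[Finding]:
    """Findings for '+' lines only.  Removed lines never reach the remote, so
    they are ignored; context lines are counted to keep line numbers right."""
    findings: list[Finding] = []
    path, new_line = "?", 0
    for raw in diff.splitlines():
        if raw.startswith("+++ "):            # new-file header, e.g. "+++ b/x.py"
            path = raw[4:].strip()
            path = path[2:] if path.startswith("b/") else path
        elif raw.startswith("--- "):          # old-file header; must precede the "+" test
            continue
        elif raw.startswith("@@"):            # hunk header "@@ -old,len +new,len @@"
            m = re.match(r"@@ -\d+(?:,\d+)? \+(\d+)", raw)
            new_line = int(m.group(1)) if m else 0
        elif raw.startswith("+"):
            line = raw[1:]
            for rule, pat in PATTERNS.items():
                m = pat.search(line)
                if not m:
                    continue
                if rule == "credential_assignment" and shannon_entropy(m.group(1)) < ENTROPY_FLOOR:
                    continue                  # low-entropy literal: placeholder, not a secret
                findings.append(Finding(rule, path, new_line, line.strip()))
            new_line += 1
        elif raw.startswith(" "):             # unchanged context line
            new_line += 1
        # "-" removed lines, "diff --git", "index", "\ No newline" are skipped
    return findings


def push_decision(diff: str) -> tuple[bool, list[Finding]]:
    """(allowed, findings): any finding blocks the push, as push protection does."""
    findings = scan_diff(diff)
    return (not findings, findings)


# Constructed sample diff.  AKIAIOSFODNN7EXAMPLE is the placeholder key ID from
# AWS documentation; the other literals are made up for this example.
SAMPLE_DIFF = """\
diff --git a/notes/aws-tokens.txt b/notes/aws-tokens.txt
new file mode 100644
--- /dev/null
+++ b/notes/aws-tokens.txt
@@ -0,0 +1,2 @@
+prod admin key: AKIAIOSFODNN7EXAMPLE
+-----BEGIN RSA PRIVATE KEY-----
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -10,4 +10,5 @@ DEBUG = False
 DB_HOST = "db.internal"
-DB_PASSWORD = "c0rr3ctH0rseBatteryStaple9"
+DB_PASSWORD = os.environ["DB_PASSWORD"]
+SMTP_PASSWORD = "Zq8vN3kLp0Wx7YtR2sHj"
+API_TOKEN = "xxxxxxxxxxxxxxxxxxxxxxxx"
"""

if __name__ == "__main__":
    allowed, found = push_decision(SAMPLE_DIFF)
    print("push allowed" if allowed else "push BLOCKED")
    for f in found:
        print(f"{f.path}:{f.line_no}: {f.rule}: {f.text}")
```

On the sample diff the push is refused with three findings: the AWS key ID and the private-key header in the notes file, and the high-entropy SMTP password literal; the line that reads the database password from `os.environ` and the all-x placeholder token both pass, and the password being removed is not reported because it is not being pushed. Fed `git diff --cached` output from a pre-commit hook, the same logic gives the author the file and line to fix. The correct response to a block is the one Valadon describes: drop the literal from the staged change, load it from the environment or a secrets manager, and rotate the credential, since it has already sat in a working tree and possibly in local history; documenting how to bypass the check is never the fix.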

📰Originally published at darkreading.com