AIO APEX

CISA exposed passwords and cloud keys in a public GitHub repository

CISA is investigating a credential exposure that left passwords, access tokens, and cloud keys tied to agency systems publicly accessible in a GitHub repository. The issue, first detailed by independent security reporter Brian Krebs and later reported by TechCrunch, appears to have originated in a repository maintained by an employee working for a CISA contractor.

According to the reporting, GitGuardian researcher Guillaume Valadon found spreadsheets containing plaintext credentials that could be used to access systems linked to CISA and the Department of Homeland Security. Valadon said he verified that at least some of the credentials were valid before escalating the issue. That detail matters: this was not just sloppy archival data or stale test material sitting in a forgotten repo. It was live access material exposed on the open web.

The immediate question is whether anyone besides the researcher found and used the credentials before they were reported. As of publication, CISA had not publicly said whether there is evidence of follow-on intrusion tied to the exposure. Even so, the incident is serious on its own. CISA is the federal agency tasked with improving cyber defense across civilian government networks, and it routinely advises other organizations to avoid exactly this kind of practice.

The bigger problem is governance, not just one bad repository. Modern government systems rely heavily on contractors, shared cloud environments, and sprawling access chains that make secret management harder to police. When credentials are handled in spreadsheets rather than a proper secrets-management workflow, the failure is rarely isolated to one person. It usually points to weak review controls, poor operational discipline, or both.

This also lands at an awkward moment for the agency. CISA has been operating without a permanent director since early 2025, and recent staffing cuts have raised concerns about how much oversight capacity remains inside the organization. That does not prove the exposure was caused by understaffing, but it does sharpen the political and operational stakes. An agency responsible for setting the tone on federal cybersecurity cannot afford public mistakes that look this avoidable.

For security teams outside government, the lesson is familiar but still routinely ignored: secrets should never live in plaintext documents that can drift into source-control systems, shared drives, or unmanaged exports. Rotation, least-privilege access, repository scanning, and contractor-specific controls are all basic defenses, but they only work when they are enforced consistently.
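The repository-scanning defense named above, as an added example (not code from TechCrunch, Krebs, GitGuardian, or CISA): a check that could run as a pre-commit hook over spreadsheet exports before they reach source control. The header keyword list, the two token patterns, and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
import re
import sys

# Column names that suggest a credential column (assumed list; extend per environment).
SECRET_HEADER = re.compile(r"passw(or)?d|pwd|secret|token|api[_ -]?key|access[_ -]?key", re.I)
# Publicly documented token shapes; other secrets are caught by the header check.
VALUE_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}
# Constructed sample export; none of these values are real credentials.
SAMPLE = """system,username,password,notes
build-server,svc_deploy,Example-Passw0rd!,rotate quarterly
cloud-console,admin,,key AKIAIOSFODNN7EXAMPLE in use
wiki,reader,,no login required
"""

def redact(value):
    """Keep four characters so the cell can be located without logging the secret."""
    return value[:4] + "*" * max(len(value) - 4, 0)

def scan_csv(text, filename="<staged>"):
    """Return findings as (filename, row, column, reason, redacted_value)."""
    findings = []
    for row_no, row in enumerate(csv.DictReader(io.StringIO(text)), start=2):
        for column, value in row.items():
            if column is None or not isinstance(value, str) or not value.strip():
                continue  # ragged rows and empty cells carry nothing to flag
            reason = next((n for n, rx in VALUE_PATTERNS.items() if rx.search(value)), None)
            if reason is None and SECRET_HEADER.search(column):
                reason = "credential_column"
            if reason:
                findings.append((filename, row_no, column, reason, redact(value.strip())))
    return findings

if __name__ == "__main__":
    # Hook usage: pass staged .csv paths as arguments; with none, scan the sample.
    found = []
    for path in sys.argv[1:]:
        with open(path, newline="", encoding="utf-8") as fh:
            found += scan_csv(fh.read(), path)
    if not sys.argv[1:]:
        found = scan_csv(SAMPLE, "sample.csv")
    for f in found:
        print("%s: row %d, column %r: %s (%s)" % f)
    sys.exit(1 if found else 0)  # non-zero exit blocks the commit
```

A finding here means the values are already on disk in plaintext, so the fix is rotation plus moving them into a secrets manager, not just deleting the file from the commit.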

IRCNF reached its assessment from TechCrunch's reporting on the incident and Krebs' original account. Until CISA discloses whether the exposed keys were abused, the story is best understood as a serious exposure with potentially larger implications rather than a confirmed destructive breach.

Originally reported by TechCrunch. Read the original article for additional details.
