RC RANDOM CHAOS

CISA Scrambles to Rotate Keys After Contractor Leaks Secrets on Public GitHub

· via Hacker News


Lawmakers Demand Answers as CISA Tries to Contain Data Leak


A CISA contractor with admin access to the agency’s code platform published AWS GovCloud keys and dozens of internal credentials to a public GitHub profile called ‘Private-CISA,’ deliberately disabling GitHub’s built-in secret-scanning protections. The repository, originally created in November 2025 and apparently used as a personal sync mechanism between work and home machines, exposed material that researchers say handed adversaries a roadmap into federal networks. More than a week after GitGuardian notified CISA, the agency was still working to invalidate exposed credentials.

TruffleHog creator Dylan Ayrey identified an RSA private key in the leak that granted full access to a GitHub app installed on the CISA-IT organization — enough for an attacker to read every private repo, hijack CI/CD pipelines via rogue self-hosted runners, and rewrite branch protections and webhooks. CISA rotated that key only after Krebs forwarded Ayrey’s findings, and credentials tied to other critical security tools across the agency reportedly remain unrotated. Because GitHub’s public event firehose is monitored by criminals and nation-state actors alike, the assumption is that the secrets were harvested well before defenders responded.
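Push protection only helps when it is left switched on, so a client-side check that does not depend on the platform setting is a useful second layer. The following is an added example, not code from the article, CISA, GitGuardian or TruffleHog: a small Python scanner for the two material types named above (AWS access key IDs and PEM private-key blocks such as a GitHub App key), run over a constructed config snippet that uses the documented AWS example credentials rather than real ones.

```python
"""Minimal secret-pattern scanner of the kind a pre-commit or CI gate would run.

Constructed example; not the agency's tooling and not GitGuardian/TruffleHog code.
Patterns cover the material types named in the leak: AWS access key IDs,
AWS secret access keys in assignment context, and PEM private-key headers
(a GitHub App key is an RSA PEM block).
"""
import re
from typing import List, Tuple

# AWS access key IDs are 20 chars starting AKIA (long-term) or ASIA (temporary).
AWS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")
# A secret access key is 40 base64-like chars; on its own that is noisy, so
# require the assignment context to keep false positives down.
AWS_SECRET = re.compile(r"aws_secret_access_key\s*[=:]\s*[\"']?([A-Za-z0-9/+=]{40})", re.I)
# Any PEM private key header (RSA, EC, OPENSSH, or PKCS#8 "PRIVATE KEY").
PEM_PRIVATE = re.compile(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----")

def redact(value: str) -> str:
    """Keep just enough to identify the credential for rotation, never the full value."""
    return value[:4] + "..." + value[-2:] if len(value) > 8 else "***"

def find_secrets(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, kind, redacted_value) for every hit in `text`."""
    hits = []
    for n, line in enumerate(text.splitlines(), start=1):
        for m in AWS_KEY_ID.finditer(line):
            hits.append((n, "aws_access_key_id", redact(m.group(0))))
        for m in AWS_SECRET.finditer(line):
            hits.append((n, "aws_secret_access_key", redact(m.group(1))))
        if PEM_PRIVATE.search(line):
            # Never echo key material; the header alone is enough to block the commit.
            hits.append((n, "pem_private_key", "(private key block)"))
    return hits

# Constructed sample: a credentials file and a key file as they might be staged.
# The AWS values are the public AWS documentation examples, not live credentials.
SAMPLE = """\
[govcloud]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
region = us-gov-west-1
# github-app.pem
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAexample...
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for n, kind, shown in find_secrets(SAMPLE):
        print(f"line {n}: {kind} {shown}")
```

Wired into a pre-commit hook, a non-empty result should abort the commit; the redacted output is safe to forward to whoever owns rotation.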

Senator Maggie Hassan and Representatives Bennie Thompson and Delia Ramirez have sent letters demanding answers, framing the incident as evidence of a degraded security culture and weak contractor oversight at an agency that has lost over a third of its workforce and most senior leadership under Trump-administration cuts. Analysts on the Risky Business podcast noted that while enterprise GitHub policies can block disabling secret protections, no technical control prevents a contractor from syncing sensitive material through a personal account — making this fundamentally a human and governance failure.


This is an AI-generated summary. Read the original for the full story.