A CISA Contractor Posted Admin Passwords for U.S. Cybersecurity Infrastructure to a Public GitHub Repo

The Agency That Secures America Left Its Own Keys on the Doorstep
The Cybersecurity & Infrastructure Security Agency — CISA — exists for one reason: to protect U.S. government systems from exactly this kind of breach.
They failed. At themselves.
Until this past weekend, a CISA contractor ran a public GitHub repository called "Private-CISA" — yes, that's what it was named — that contained administrative credentials to three AWS GovCloud servers, plaintext usernames and passwords for dozens of internal CISA systems, cloud tokens, SSH keys, and detailed internal logs showing how the agency builds, tests, and deploys its own software.
How Bad Was It? The Researchers Say "Career Worst"
Guillaume Valadon, a researcher at the security firm GitGuardian, discovered the exposure on May 15 and contacted KrebsOnSecurity because the contractor wasn't responding to GitGuardian's automated alerts.
Valadon didn't mince words: "This is indeed the worst leak that I've witnessed in my career."
His firm scans public code repositories continuously for exposed secrets. This one stopped them cold.
The exposed files included one literally named "importantAWStokens" — containing admin credentials to three GovCloud servers. Another, "AWS-Workspace-Firefox-Passwords.csv", listed plaintext usernames and passwords for dozens of internal systems in a spreadsheet.
A spreadsheet. Plaintext. On a public repo.
The Contractor Actively Made It Worse
This wasn't just carelessness. It was compounded carelessness.
According to Valadon, the commit logs show the CISA contractor deliberately disabled GitHub's default secret-scanning push protection — the built-in check that refuses a push when it contains a recognizable credential, such as a cloud access key or an SSH private key, rather than letting it land in a public repo.
They turned off the safety net. Then they drove off the bridge.
Valadon described it bluntly: "Passwords stored in plain text in a csv, backups in git, explicit commands to disable GitHub secrets detection feature." He said he initially thought the whole repository was fake — a honeypot, maybe — because no real government cybersecurity professional could be this sloppy.
It was real.
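To make concrete what the contractor switched off, here is a miniature version of the check that GitHub push protection and GitGuardian-style scanners perform. This is an added illustration written for this page; it is not GitHub's, GitGuardian's or CISA's code, and the rule set, function names and sample repository contents are all assumptions. The file names are modelled on the ones the article mentions, but the contents are constructed, and the AWS values are the placeholder credentials from AWS's own documentation rather than real keys.

```python
"""Secret scanner in the spirit of GitHub push protection and GitGuardian.
Added illustration only: none of this is GitHub's, GitGuardian's or CISA's
code, and every sample file below is constructed (the AWS values are the
documented AWS placeholder credentials, not real keys)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    rule: str
    snippet: str  # redacted, so the report itself does not re-leak the secret


# Detector rules keyed by name.  Shapes follow the vendors' published token
# formats (AWS key IDs begin with AKIA/ASIA, GitHub tokens with ghp_/gho_/...).
RULES = {
    "aws-access-key-id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    "aws-secret-access-key": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*[A-Za-z0-9/+=]{40}"),
    "github-token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "private-key-block": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    "password-assignment": re.compile(r"(?i)\bpassword\s*[=:]\s*\S+"),
}


def redact(value: str) -> str:
    """Keep just enough of a match to locate it, never the whole secret."""
    return value[:4] + "..." + value[-2:] if len(value) > 10 else "***"


def scan_text(path: str, text: str) -> list[Finding]:
    """Run every rule over each line; for CSV files also flag every row of a
    column whose header contains 'password' or 'secret' (the spreadsheet case)."""
    lines = text.splitlines()
    pw_cols: list[int] = []
    if path.lower().endswith(".csv") and lines:
        header = [c.strip().lower() for c in lines[0].split(",")]
        pw_cols = [i for i, c in enumerate(header) if "password" in c or "secret" in c]
    findings = []
    for n, line in enumerate(lines, 1):
        for rule, rx in RULES.items():
            for m in rx.finditer(line):
                findings.append(Finding(path, n, rule, redact(m.group(0))))
        if pw_cols and n > 1:
            cells = line.split(",")
            for i in pw_cols:
                if i < len(cells) and cells[i].strip():
                    findings.append(Finding(path, n, "csv-password-column", redact(cells[i])))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    return [f for path, text in files.items() for f in scan_text(path, text)]


def push_allowed(files: dict[str, str], bypass: bool = False) -> tuple[bool, list[Finding]]:
    """Push protection in miniature: a push carrying any finding is refused
    unless the user explicitly bypasses the block (the step the article
    describes the contractor taking)."""
    findings = scan_files(files)
    return (bypass or not findings), findings


def first_exposure(commits: list[tuple[str, dict[str, str]]]) -> dict[tuple[str, str], str]:
    """Walk history oldest-first and record the commit that introduced each
    secret.  Deleting the file in a later commit does not undo the exposure;
    the secret stays in history until the credential itself is rotated."""
    seen: dict[tuple[str, str], str] = {}
    for sha, files in commits:
        for f in scan_files(files):
            seen.setdefault((f.rule, f.snippet), sha)
    return seen


# Constructed repository contents, modelled on file names the article mentions.
SAMPLE_FILES = {
    "importantAWStokens": (
        "# constructed sample: AWS documentation placeholder credentials\n"
        "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
        "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"),
    "AWS-Workspace-Firefox-Passwords.csv": (
        "url,username,password\n"
        "https://intranet.example,alice,Summer2024!\n"
        "https://vpn.example,bob,hunter2\n"),
    "deploy/id_rsa": (
        "-----BEGIN OPENSSH PRIVATE KEY-----\n"
        "b3BlbnNzaC1rZXktdjEAAAAA(constructed)\n"
        "-----END OPENSSH PRIVATE KEY-----\n"),
    "notes.txt": (
        "GITHUB_TOKEN=ghp_0123456789abcdef0123456789abcdef0123\n"
        "db password: P@ssw0rd!\n"),
    "README.md": "# Private-CISA\nbuild notes\n",
}

# Constructed two-commit history: the key file is added, then deleted.
SAMPLE_COMMITS = [
    ("c1", {"importantAWStokens": SAMPLE_FILES["importantAWStokens"]}),
    ("c2", {"README.md": SAMPLE_FILES["README.md"]}),
]

if __name__ == "__main__":
    ok, found = push_allowed(SAMPLE_FILES)
    print("push allowed:", ok)
    for f in found:
        print(f"{f.path}:{f.line} {f.rule} {f.snippet}")
    for (rule, snippet), sha in first_exposure(SAMPLE_COMMITS).items():
        print(f"{rule} first committed in {sha}")
```

Run against the constructed repo, `push_allowed` refuses the push on seven findings across four files, and `first_exposure` shows why a later "delete the file" commit changes nothing: the key is still recorded in c1. The only remediation once a credential has been pushed to a public repo is to rotate it and then check the provider's audit logs for use during the exposure window.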
What Was Exposed, Specifically
Philippe Caturegli, founder of security consultancy Seralys, independently tested the exposed AWS keys to verify they were valid and determine what access they granted. He confirmed they worked.
One of the systems exposed was "LZ-DSO" — short for Landing Zone DevSecOps — CISA's own secure code development environment. The agency's secure development infrastructure. Protected by credentials sitting in a public GitHub repo.
Caturegli noted the account showed a consistent pattern: someone using a professional repository like a personal scratchpad, mixing a CISA-associated email address with a personal one. Sloppy habits baked into standard practice.
What Mainstream Coverage Is Missing
Most coverage treats this as a straightforward "oops, credential leak" story and misses what matters.
This isn't about one contractor having a bad day. Valadon observed: "It is obviously an individual's mistake, but I believe that it might reveal internal practices."
If a single CISA contractor could disable secret-scanning protections, store admin credentials in plaintext CSVs, back up sensitive internal systems to a public repo, and do it long enough that an outside security firm had to call a journalist to get anyone's attention — then CISA has a systemic oversight problem, not an isolated personnel problem.
Where were the automated internal audits? Where was the access review process? Why did it take GitGuardian — a private company — to catch this, when CISA's entire mission is catching exactly this?
CISA's Own Guidance
CISA publishes guidance telling every federal agency, every private company, and every local government how to avoid credential leaks. They put out advisories. They run drills. They lecture the country about basic security hygiene.
Their own contractor stored passwords in a CSV file named after what they were.
If a private company's IT contractor did this, CISA might issue a public advisory about it. There would be regulatory scrutiny. There might be fines.
Instead, the agency that got exposed IS the agency that would normally investigate.
What This Means
AWS GovCloud isn't where the government stores birthday party invitations. It's the isolated AWS region set aside for sensitive and restricted federal workloads: controlled unclassified information, export-controlled data, and systems that have to meet FedRAMP High.
Administrative credentials to three GovCloud servers — plus access to CISA's internal DevSecOps environment — sitting in a public GitHub repo means foreign intelligence services, criminal hackers, and anyone else with a search engine had a window into how America's cyber-defense infrastructure is built and run.
CISA has NOT publicly confirmed whether a full forensic review is underway to determine if anyone malicious accessed those credentials before they were pulled.
The agency responsible for America's cyber defenses got caught with its systems exposed by a private researcher who had to go to the press to get action.