CISA contractor leaks AWS GovCloud keys on GitHub, sparks Congressional inquiry
AWS GovCloud keys and dozens of secrets exposed by CISA contractor on public GitHub.
A CISA contractor with administrative access to the agency's code development platform created a public GitHub profile called "Private-CISA" that included plaintext credentials to dozens of internal CISA systems. The commit logs show the contractor deliberately disabled GitHub's built-in protections against publishing sensitive credentials in public repositories. The repository, originally created in November 2025, contained AWS GovCloud keys and other secrets used as a synchronization scratchpad. KrebsOnSecurity broke the story on May 18, sparking immediate concern. CISA acknowledged the leak but initially failed to invalidate a critical RSA private key granting full access to the CISA-IT GitHub organization — including all code repositories, CI/CD pipelines, and admin settings. That key was only revoked after KrebsOnSecurity flagged it to the agency on May 20, over a week after initial notification by security firm GitGuardian.
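The protection the contractor switched off is essentially a pattern scan over pushed content, and the lesson for defenders is to run that scan where an individual contributor cannot disable it (a server-side pre-receive hook or a required CI gate). The following is an added illustration of that check, not code from CISA, GitHub or KrebsOnSecurity: it looks for AWS access key IDs, AWS secret key assignments and PEM private-key headers in a pushed tree, logs only redacted previews, and rejects the push on any hit. The file names and contents are constructed, and the credential values are the placeholders from AWS's own documentation plus a dummy PEM body.

```python
import re
from dataclasses import dataclass

# Detection patterns for two publicly documented formats (AWS access key IDs,
# PEM private-key headers) plus a secret-key assignment. Real push protection
# covers many more token types; these three suffice to show the mechanism.
SECRET_PATTERNS = {
    "aws-access-key-id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    "aws-secret-access-key": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
    ),
    "pem-private-key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |)PRIVATE KEY-----"),
}


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    kind: str
    preview: str  # redacted, so the hook's own log never re-leaks the secret


def redact(token: str) -> str:
    """Keep a 4-character prefix for triage and mask the rest."""
    return token[:4] + "*" * (len(token) - 4)


def scan_text(path: str, text: str) -> list[Finding]:
    """Return one Finding per pattern hit, with the file path and line number."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in SECRET_PATTERNS.items():
            for m in pattern.finditer(line):
                if kind == "pem-private-key":
                    preview = m.group(0)  # the header itself is not secret
                else:
                    preview = redact(m.group(1) if m.lastindex else m.group(0))
                findings.append(Finding(path, lineno, kind, preview))
    return findings


def scan_push(files: dict[str, str]) -> list[Finding]:
    """Scan every file in a pushed tree, given as {path: contents}."""
    out = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


def should_reject(findings: list[Finding]) -> bool:
    """Server-side policy: any finding blocks the push; no per-user override."""
    return len(findings) > 0


# Constructed sample of a "sync scratchpad" tree. The key values are the
# placeholders from AWS documentation and the PEM body is dummy text.
SAMPLE_PUSH = {
    "notes/sync.txt": (
        "# scratchpad\n"
        "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
        "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    "deploy/id_rsa": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "MIIEowIBAAKCAQEAdummydummydummy\n"
        "-----END RSA PRIVATE KEY-----\n"
    ),
    "README.md": "Nothing sensitive here.\n",
}


if __name__ == "__main__":
    hits = scan_push(SAMPLE_PUSH)
    for f in hits:
        print(f"{f.path}:{f.line}: {f.kind} {f.preview}")
    print("push rejected" if should_reject(hits) else "push accepted")
```

Running the block prints three redacted findings and "push rejected". Because the decision is made by `should_reject` on the server side, the only way to get a commit through is to remove the credential, which is the property the incident above shows client-side protection lacking.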
Lawmakers are demanding answers. Sen. Maggie Hassan (D-NH) sent a letter with a dozen questions, noting the breach occurred against the backdrop of major internal disruption: CISA lost more than a third of its workforce and almost all senior leaders after the Trump administration forced early retirements, buyouts, and resignations. Rep. Bennie Thompson (D-MS), ranking member on the House Homeland Security Committee, wrote that the incident "reflects a diminished security culture" and questioned CISA's ability to manage contract support. He warned that adversaries like China, Russia, and Iran seek this very type of access. CISA maintains there is "no indication that any sensitive data was compromised," but security experts disagree, stating the leaked credentials provided a complete roadmap for exploitation. The agency continues to rotate exposed keys.
- CISA contractor created 'Private-CISA' repo in Nov 2025 with plaintext credentials to dozens of internal systems, disabling GitHub's secret detection.
- Sen. Maggie Hassan (D-NH) and Rep. Bennie Thompson (D-MS) sent letters demanding answers, citing diminished security culture after CISA lost 1/3 of workforce.
- More than a week after notification, CISA had not invalidated an RSA private key granting full access to CISA-IT GitHub organization; key was only revoked after KrebsOnSecurity flagged it.
Why It Matters
Breach at America's top cyber defense agency exposes critical infrastructure to adversaries and erodes trust in federal cybersecurity.