CISA, the GitHub leak: when the watchdog leaves the keys in the door
CISA, the US cyber agency, exposed its own AWS GovCloud credentials on public GitHub for 6 months. Anatomy of a leak in 7 failures.

Picture it. You are the US federal agency in charge of protecting government systems against cyberattacks. Your mission is to tell everyone else how to secure themselves. You publish guides, alerts, recommendations on the top ten flaws to avoid, on secrets management, on the zero trust posture. And one fine day, security researchers discover that one of your own contractors has posted, in public access, on GitHub, a repository named Private-CISA. Eight hundred and forty-four megabytes of data, including Amazon AWS GovCloud administrative credentials, cleartext passwords in a CSV file, Entra ID SAML certificates, SSH keys, and access to your internal software package repository. All of it exposed since November 2025. Six months.
That is the story Brian Krebs tells on his blog on 18 May 2026, based on a discovery by the French company GitGuardian. And it is probably the most emblematic leak of the year, not for its volume, but for what it says about the real state of public cybersecurity in 2026.
What was in the archive
The repository was called Private-CISA. The contractor who created it worked for Nightwing, a company based in Dulles, Virginia. The repo was hosted on GitHub.com in public visibility, accessible without authentication, indexed by search engines. Inside, GitGuardian's researchers found exactly what you hope never to see.
Three sets of administrative credentials for AWS GovCloud, Amazon's cloud environment reserved for sensitive US government workloads. These credentials granted high-privilege access to accounts holding the services hosted by CISA. A CSV file named AWS-Workspace-Firefox-Passwords containing, in cleartext, the Firefox credentials of dozens of internal systems. Access to the agency's Artifactory repository, that is, the library of every software package used to build its internal tools. Kubernetes manifests, ArgoCD files, CI/CD logs, and SAML certificates for Entra ID, meaning the organization's federated identity.
To really grasp what this represents, you have to understand that access to an Artifactory is not a simple credential leak. It is an ideal entry point for a supply chain attack. An attacker who gains this level of access can inject malicious code into the packages used internally, wait for the next builds to automatically pull in that code, and watch their backdoor spread through every system that consumes those packages. That is exactly the category of threat CISA is supposed to prevent and fight.

The deliberate disabling of protections
For several years GitHub has offered an automatic scanning feature that detects secrets placed in public repositories and blocks their publication. It is enabled by default on all accounts. When you try to push a file containing an AWS key, a JWT token, or a private certificate, GitHub stops you and asks you to confirm.
The commit logs of the Private-CISA repository show that the contractor manually disabled this protection before pushing the data. This is not an oversight. It is a deliberate action, documented, traceable. Someone, at a specific moment, clicked to bypass a security measure that is imposed by default on every user of the platform.
And that detail changes the nature of the incident. We are not talking about a developer who made a mistake by forgetting a file in their repository. We are talking about someone who deliberately disarmed a protection mechanism in order to publish their own personal backups. Several commenters on Krebs's forum see in it a misuse of GitHub as a synchronization system between a work machine and a personal one, in an environment where USB ports and third-party clouds would probably be blocked by Nightwing's security policy.
If that is the case, and it is plausible, we are touching on something that goes far beyond the CISA incident. We are touching on the structural shadow IT of the state's subcontractors, on the practice of daily circumvention of security rules because they are experienced as obstacles to getting work done. That is exactly the subject I covered two weeks ago about the Europol Pressure Cooker scandal. The pattern repeats, on every continent, in every agency.
The 48 hours that speak volumes
On 14 May 2026, GitGuardian detects the repository. Its automated systems send nine alerts to the account owner. No response, apart from the automatic acknowledgments. On the morning of 15 May, the team contacts the CERT/CC incident center directly, and in parallel Brian Krebs so that he can activate his personal contacts at CISA. The agency is reached in the early European afternoon. The repository is taken down at six in the evening, Eastern time, which corresponds to about twenty-six hours between the first alert to CISA and the takedown.
On this point, the agency reacted fast, and credit is due. Most responsible disclosures take much longer.
But here is the detail that should give us pause. The exposed AWS credentials remained valid for forty-eight hours after the repository was removed. That is two full days during which an attacker who had copied the secrets during the six months of exposure could keep using them to access the GovCloud accounts. Key rotation, which should be an automatic and immediate action in any incident of this kind, was triggered only belatedly.
Why this matters. Because in a forensic investigation, an attacker's actions during the window when the credentials are still valid look identical to the legitimate actions of administrators. The logs do not tell an authorized use from a fraudulent one until the key has been flagged as compromised. So auditing those forty-eight hours to rule out exploitation is extraordinarily difficult, and for now CISA has not published any full forensic assessment.
The statement no one can prove
Under media pressure, CISA issued an official statement that deserves to be read carefully. I quote. At this time, there is no indication that any sensitive data was compromised as a result of this incident.
This sentence is technically correct, but it is also technically empty. How can you claim that there was no compromise over one hundred and eighty-three days of public exposure, with administrative access to three GovCloud accounts, and with credentials that stayed valid forty-eight hours after the discovery? You cannot. Not unless you produce a full forensic audit of all access over that period, which CISA has not published, and which CISA would probably have a great deal of trouble producing given its current headcount.
Because it bears repeating, the agency today runs at about seventy percent of its pre-2025 headcount. Budget cuts, resignations, early retirements, departures under the Trump administration. The capacity to conduct a forensic investigation into an incident of this magnitude, with reduced staff, becomes a structural challenge.
Seven layers of protection, seven failures
What makes this incident instructive is that it reveals a stack of failures that should each, on their own, have prevented the leak or dramatically limited it.
GitHub blocks the publication of secrets by default. The contractor disabled that protection. First defense down.
AWS GovCloud supports temporary credentials via IAM with STS tokens that expire within a few hours. The exposed credentials were static, long-term credentials. Second defense absent.
AWS Secrets Manager allows automatic key rotation at regular intervals. Rotation was not enabled. Third defense absent.
GovCloud administrative accounts can be protected with hardware security keys, such as YubiKeys. Apparently, that was not the case. Fourth defense absent.
CISA should have an internal system for monitoring credential leaks that would detect its own keys appearing in public repositories. It was GitGuardian, a private French company, that made the discovery, not the agency itself. Fifth defense absent.
The internal password policy should forbid trivial conventions of the platform_name + year type. Several of the exposed credentials followed exactly that pattern. Sixth defense absent.
And the contractor should have been required to use enterprise tools for their backups, not their personal GitHub account. Seventh defense absent.
When seven independent layers of control fail at the same spot, you are no longer dealing with an incident. You are dealing with a system.
What this teaches us, about ourselves
And here you might say to me, yes, but that is in the United States, that is CISA, it is complicated, it is a special case. Except it is not. And that is precisely the point of this article.
The organizations with the most mature frameworks, the strongest certifications, the most comfortable budgets, can get burned the same way as the humblest small business. Because security, in operational reality, does not depend on the number of pages in the ISO 27001 manual. It depends on what humans do when they are alone in front of their screen, at six in the evening, with a file to transfer onto their personal machine so they can finish up in peace at home.
You can have every annual audit in the world, every compliance certificate, every policy in triplicate signed by your CISO, your DPO, and your executive management. If the operational culture does not follow, if automatic controls can be disabled with one click, if credential rotation is not automatic, if your contractors use GitHub as a personal cloud without your knowing, you are in CISA's situation.
That is what real cybersecurity is. Not the documentation. Not the frameworks. Not the announcements. Daily operational culture, meaning what happens when no one is watching.
And now
As I write these lines, on 19 May 2026, Senator Maggie Hassan has just requested an urgent classified briefing from CISA's acting director. The White House, the Department of Homeland Security, and the US administration will have to answer precise questions about their internal practices. And the incident will probably feed the budget debate now opening on the agency's funding for 2027.
Meanwhile, in France, we keep discussing the transposition of NIS2 eighteen months behind schedule. We keep debating backdoors in encrypted messaging apps. And we keep publishing Matignon roadmaps that ask ministries to put in place in 2026, by 2027, the basic controls you would expect from an average French small business.
At what point do we stop reacting to each incident as if it were an exception, and start treating them as the systemic symptoms they are?
Main source: Brian Krebs, KrebsOnSecurity, 18 May 2026. Additional investigation by GitGuardian (Guillaume Valadon) and Seralys (Philippe Caturegli). Official confirmation by CISA and Axios reporting on the Senate's request for a classified briefing.
Questions fréquentes
What did the GitHub repository exposed by the CISA contractor contain?
The Private-CISA repository, public since November 2025, contained 844 MB of data: three sets of AWS GovCloud administrative credentials, a CSV file of cleartext passwords, access to the agency's Artifactory, Kubernetes manifests, ArgoCD files, CI/CD logs and SAML certificates for Entra ID.
Is this a simple mistake or a deliberate act?
The commit logs show that the contractor manually disabled GitHub's secret-scanning protection before pushing the data. So this is a deliberate, documented action, most likely to use GitHub as a personal synchronization system, not an oversight.
Why is the 48-hour window a problem?
The AWS credentials stayed valid for 48 hours after the repository was removed. As long as a key is not flagged as compromised, the logs cannot tell legitimate use from fraudulent use, which makes a forensic audit of that period extraordinarily difficult.
Is CISA's statement about the absence of compromise credible?
The article judges it technically correct but empty: claiming that no data was compromised over 183 days of public exposure would require a full forensic audit that CISA has not published and would struggle to produce, the agency running at about 70 % of its pre-2025 headcount.
What is the main lesson for organizations?
Real security does not depend on the number of pages in the ISO 27001 manual but on daily operational culture. Even a very mature organization can fail if automatic controls can be switched off with one click, if credential rotation is not automatic and if contractors' shadow IT stays invisible.
Sources & méthodologie
- Brian Krebs, KrebsOnSecurity, 18 mai 2026
- GitGuardian (Guillaume Valadon)
- Seralys (Philippe Caturegli)
- CISA (déclaration officielle)
- Axios (reportage sur la demande de briefing classifié du Sénat)

Être en cybersécurité
Une feuille de route cyber en clair, pour tout le monde, pas seulement les experts.
