Lead story
The Cobbler's Children: CISA Left Its Own Credentials in a Public GitHub Repo for Six Months
America's cybersecurity watchdog — the agency that publishes advisories telling everyone else to rotate credentials, segment networks, and assume breach — spent six months with SSH keys, plaintext passwords, AWS workspace credentials, and authentication tokens sitting in a public GitHub repository. The repo was called, with exquisite irony, "Private-CISA."
A researcher who stumbled across it described it as one of the worst credential exposures they'd ever seen. The filenames weren't even subtle: external-secret-repo-creds.yaml and AWS-Workspace-Firefox-Passwords.csv were reportedly among the files sitting there since November 2025. By the time it was flagged and taken down, it had been publicly accessible for roughly six months.
Why this stings more than the average credential leak
CISA is the agency that runs "Secure by Design" campaigns, publishes joint advisories with the Five Eyes partners (including the ASD here in Australia), and lectures critical infrastructure operators about third-party risk. The reputational damage isn't just embarrassing — it hands adversaries a rhetorical crowbar to prise open any future CISA guidance with "why should we listen to you?"
The practical risk depends on what exactly was in those credentials and whether they've been rotated since, which CISA hasn't confirmed publicly. But six months is a long time. Automated credential-harvesting bots scan GitHub continuously — it's a known attack vector with its own tooling. If any of those keys were live for that window, the question isn't whether someone found them; it's whether anyone used them.
Congress is now involved
Capitol Hill has demanded answers, with legislators asking CISA to explain how the exposure happened, when it was discovered, what access the credentials permitted, and whether any systems were subsequently compromised. That inquiry has real teeth given CISA's already-fraught political environment: the agency has faced staffing cuts and leadership uncertainty over the past year.
What it signals about secrets management at scale
The irony is that this is a solved problem. Tools like HashiCorp Vault, AWS Secrets Manager, and GitHub's own secret scanning (which CISA presumably knows about) exist precisely to catch this. The failure here isn't exotic — it's the same mistake that causes breaches at companies CISA warns every week. Someone committed secrets to a repository, the repo was either accidentally made public or was always misconfigured as public, and no automated scanning caught it.
For Australian organisations, the ASD's Essential Eight and the Protective Security Policy Framework both mandate credential management controls that would, in theory, prevent exactly this. The lesson isn't schadenfreude — it's that even the teams who write the playbooks can get caught skipping steps.
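The kind of automated check this section says was missing, as an added example (not code from the article or from any CISA tooling): a minimal pre-commit style scan that flags giveaway filenames, using the two reported above, along with a few common secret patterns in file contents. The rule set, function names and sample file contents are constructed for illustration and are far smaller than what a production secret scanner ships with.

```python
import re

# Filename hints: names that advertise their contents, like the two reported above.
NAME_RULE = re.compile(r"(?i)(secret|passwords?|creds?\b|credentials?|token|id_rsa|\.pem$)")

# Content rules as (label, pattern). Illustrative subset, not exhaustive.
CONTENT_RULES = [
    ("private key block",
     re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----")),
    ("AWS access key id", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
    ("hard-coded secret assignment",
     re.compile(r"(?i)\b(?:password|passwd|secret|token)\b\s*[:=]\s*['\"]?[^\s'\"]{8,}")),
]

def scan(files):
    """Return sorted (path, reason) findings for a {path: text} mapping."""
    findings = set()
    for path, text in files.items():
        name = path.rsplit("/", 1)[-1]
        if NAME_RULE.search(name):
            findings.add((path, "suspicious filename"))
        for label, rule in CONTENT_RULES:
            if rule.search(text):
                findings.add((path, label))
    return sorted(findings)

def should_block(files):
    """Pre-commit decision: refuse the commit if anything was flagged."""
    return bool(scan(files))

# Constructed sample input. Only the first two filenames come from the article;
# all contents are made up, and the AWS key is the documentation example value.
SAMPLE = {
    "external-secret-repo-creds.yaml": "username: svc-deploy\npassword: Sup3rS3cretValue!\n",
    "AWS-Workspace-Firefox-Passwords.csv":
        "url,username,password\nhttps://example.invalid,alice,hunter2hunter2\n",
    "deploy/id_ed25519": "-----BEGIN OPENSSH PRIVATE KEY-----\n(constructed)\n",
    "config/aws.env": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",
    "README.md": "Rotate credentials through the secrets manager; never commit them.\n",
}

if __name__ == "__main__":
    for path, reason in scan(SAMPLE):
        print(f"BLOCK {path}: {reason}")
```

The CSV is caught only by its filename, since its values follow no recognisable key pattern, which is why name-based rules are worth running alongside content rules.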
What to watch
CISA's response to the Congressional inquiry will tell us a lot. If the agency can demonstrate the credentials were rotated promptly and there's no evidence of downstream compromise, the story ends as an embarrassing misconfiguration. If those keys touched production systems that weren't immediately locked down, it becomes something considerably worse. Either way, expect this to fuel renewed pressure on CISA to demonstrate it can manage its own house before managing everyone else's.
