Congress Demands Accountability as CISA Struggles to Revoke Leaked Credentials
Lawmakers are questioning CISA's internal security culture after a contractor published AWS GovCloud keys and agency secrets to a public GitHub account.
Primary source: Krebs on Security. Full source links and update notes are below.
Fast summary
- Bipartisan lawmakers sent letters to CISA leadership demanding an explanation for a months-long credential leak.
- A CISA contractor reportedly disabled GitHub security protections to host sensitive credentials on a public profile named 'Private-CISA'.
- Security experts report that critical RSA private keys remained active a week after CISA was notified of the exposure.

What happened
Members of Congress in both houses are demanding answers from the U.S. Cybersecurity & Infrastructure Security Agency (CISA) following reports that a contractor published administrative secrets to a public GitHub account. The repository, active since November 2025, contained AWS GovCloud keys and plaintext credentials for dozens of internal systems. Experts who analyzed the leak found evidence that the contractor intentionally disabled GitHub's built-in tools designed to prevent the publication of sensitive secrets.
What's new in this update
On May 19, Sen. Maggie Hassan (D-NH) and Rep. Bennie Thompson (D-MS) sent formal inquiries to CISA's Acting Director Nick Andersen. The letters demand a detailed account of how the leak occurred and why containment remains incomplete. Despite CISA's public statement that no sensitive data was compromised, security researchers have confirmed that several critical keys, including an RSA private key with full access to CISA's GitHub repositories and CI/CD pipelines, remained active more than a week after the agency was first notified.
Key details
The 'Private-CISA' repository appeared to function as a working scratchpad for a contractor with administrative access. By disabling security protections, the operator allowed plaintext credentials for federal systems to be indexed publicly. According to Dylan Ayrey, creator of the TruffleHog security tool, the exposed RSA key allows an attacker to read private source code, modify repository admin settings, and potentially hijack software deployment pipelines.
Background and context
This security lapse occurs during a period of significant internal instability for CISA. The agency has lost more than one-third of its workforce and nearly all its senior leadership following a wave of forced retirements, buyouts, and resignations initiated by the Trump administration. Lawmakers expressed concern that these disruptions have eroded the agency's security culture and its ability to manage contract support effectively.
What to watch next
CISA has been given a deadline to answer a dozen specific questions from Sen. Hassan regarding the duration of the exposure and the agency's internal auditing procedures. Observers are also monitoring whether the agency can successfully invalidate all remaining active secrets before foreign adversaries exploit the roadmap provided by the leaked repository.
Why it matters
As the primary agency tasked with defending U.S. critical infrastructure from cyber threats, CISA's failure to secure its own administrative credentials raises significant national security concerns.