Congress Demands Answers: CISA Employee Published AWS Keys on GitHub

In Brief: A CISA contractor published internal login credentials that began circulating in November 2025 on GitHub; more than a week later, critical keys remained unrevoked while Congress demands a security review.

A contractor for the US Cybersecurity & Infrastructure Security Agency (CISA) made AWS GovCloud keys and internal secrets publicly available on GitHub. Congressional lawmakers are now demanding answers while CISA attempts to revoke the credentials.

On May 18, KrebsOnSecurity reported that a CISA contractor with administrative access to the agency’s code development platform had created a public GitHub profile named “Private-CISA.” The profile contained plaintext credentials for dozens of internal CISA systems. Analysts who reviewed the exposed secrets found that the repository’s commit logs showed the contractor had disabled GitHub’s built-in protections against publishing sensitive credentials in public repositories.

CISA confirmed the incident but did not answer questions about how long the credentials were exposed. Experts who analyzed the now-deleted Private-CISA archive date its original creation to November 2025. The pattern suggests that a single operator used the repository as a working area or synchronization mechanism rather than as a curated project repository. CISA stated publicly that there were “no indications that sensitive data was compromised as a result of the incident.”

Senator Maggie Hassan (D-NH) wrote in a letter dated May 19 to acting CISA Director Nick Andersen that the credential leaks raise serious questions: how could such a security failure occur at the agency responsible for protecting critical US infrastructure? Hassan emphasized that the incident came against a backdrop of significant organizational turmoil at CISA: the agency lost more than one-third of its workforce and nearly all of its leadership following forced early retirements, severance packages, and resignations under the Trump Administration.

Rep. Bennie Thompson (D-MS), Ranking Member of the House Homeland Security Committee, also expressed concern that the incident indicates a weakened security culture and insufficient contractor management. Dylan Ayrey, creator of the open-source tool TruffleHog for detecting private keys, reported on May 20 that CISA had still not revoked an exposed RSA private key. This key grants access to a GitHub app in the CISA Enterprise account with full access to all code repositories of the CISA IT organization. An attacker holding it could read source code from any of those repositories, including private ones.


Source: krebsonsecurity.com · Published May 22, 2026
Lumi AI News — AI-assisted curation pursuant to Article 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.2.0.