CISA Postmortem Highlights Delays and Reporting Gaps After GitHub Credential Exposure
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published a review of a data exposure in which a contractor’s public GitHub repository contained internal credentials and other sen...
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published a review of a data exposure in which a contractor’s public GitHub repository contained internal credentials and other sensitive material for nearly six months.
The repository, identified as “Private CISA,” held approximately 844 megabytes of CISA-related data. According to the incident account, the contents included AWS GovCloud administrative keys and a CSV file containing plaintext usernames and passwords associated with numerous internal systems. Security firm GitGuardian detected the material and sought assistance in alerting CISA on May 15, 2026.
CISA acknowledged the notification, but said it took more than two days to revoke the exposed AWS keys and other secrets. The agency attributed the delay in part to the complexity of its systems and their connections to government and industry partners. CISA said all affected secrets have since been rotated and that the contractor’s access was removed.
Reporting and response lessons
In its postmortem, CISA said its procedures for handling reports about its own infrastructure were not sufficiently clear. Researchers attempted several routes, including contacting the contractor and using the agency’s vulnerability disclosure platform. That platform was designed primarily for vulnerabilities in products and services, rather than incidents directly affecting CISA.
The agency said it is revising its reporting channels and recommended that organizations publish instructions in multiple prominent locations instead of relying solely on a security.txt file. GitGuardian researcher Guillaume Valadon said the company had sent nine automated warnings before the issue was escalated, arguing that unanswered notifications can allow a limited exposure to persist.
CISA also identified weaknesses in its incident-response documentation. Although the agency maintained a general cybersecurity incident playbook, it did not adequately address leaks involving GitHub and other cloud services. The revised action plan includes stronger developer-secret management and continuous monitoring of public code repositories.
Controls that limited the impact
CISA said enhanced logging and zero-trust measures helped investigators determine the scope of the incident. Based on its review, the agency reported no evidence that customer or mission data was exposed or that the credentials were used outside CISA environments. The postmortem presents the episode as a case for rapid secret rotation, continuous scanning, and accessible external reporting processes.
