Congress Presses CISA Over Contractor-Linked GitHub Credential Leak

Lawmakers in the House and Senate are asking the Cybersecurity and Infrastructure Security Agency (CISA) for explanations after reports that a contractor for the agency posted sensitive credentials to...

Lawmakers in the House and Senate are asking the Cybersecurity and Infrastructure Security Agency (CISA) for explanations after reports that a contractor for the agency posted sensitive credentials to a public GitHub account. The disclosure has raised questions about how a cybersecurity agency charged with defending federal systems could be exposed to such a basic but potentially serious lapse.

According to the reporting that prompted the inquiry, the contractor used a public repository tied to an account called Private-CISA to store plaintext keys and other internal information. Security researchers who reviewed the material said the repository history suggested protections designed to prevent accidental exposure of secrets had been turned off. CISA has acknowledged the incident, but has not said how long the information was visible before it was removed.

In letters sent this week, Sen. Maggie Hassan of New Hampshire and Rep. Bennie Thompson of Mississippi called on CISA leaders to explain what happened and how the agency is responding. Hassan said the event raises concerns about the agency’s internal controls during a period of heavy pressure on U.S. critical infrastructure. Thompson, joined by Rep. Delia Ramirez of Illinois, said the episode may reflect weakened security practices or inadequate oversight of contract personnel.

Questions remain over exposure window and remediation

Researchers said the repository appeared to contain access details for multiple CISA systems, including credentials linked to GovCloud resources. One security expert told reporters that an exposed RSA private key could have allowed access to a GitHub application with broad privileges over code repositories used by the agency. CISA said it is coordinating with vendors and other parties to rotate credentials and invalidate affected access.

  • Lawmakers want a timeline for how long the data was exposed.
  • Researchers say some leaked credentials may still need to be replaced.
  • CISA says it is actively working to secure the affected systems.

The incident comes as CISA has faced staffing disruptions and leadership turnover, adding another layer of scrutiny to the agency’s handling of internal security and contractor oversight. Security researchers also warned that public code platforms are closely watched by both defenders and attackers, meaning exposed secrets can be discovered quickly once posted.