Overview
- Security researchers discovered a public GitHub repository maintained by a CISA contractor that contained plaintext passwords, cloud keys, tokens, logs and deployment files tied to internal CISA and DHS systems.
- The archive included highly privileged AWS GovCloud keys and an RSA private key linked to a GitHub app that could let an attacker read private code, hijack CI/CD runners, and change repository protections.
- CISA has acknowledged the exposure and said there is no indication of compromise. Agency teams have invalidated some keys, while other leaked credentials remain unrotated as remediation continues.
- Members of Congress have sent formal letters and demanded briefings, faulting contractor oversight and citing recent staff cuts and leadership turnover as drivers of weakened internal controls.
- Security experts warn that adversaries routinely monitor public GitHub activity, that exposed CI/CD and repo credentials create systemic supply-chain risk, and that the incident will likely spur tighter contractor and code-security rules.