The U.S. Cybersecurity and Infrastructure Security Agency (CISA) — the very federal agency responsible for protecting the nation's critical infrastructure from cyber threats — has suffered a humiliating and dangerous breach of its own. Passwords and digital keys for multiple internal systems were found stored as plain text in a public GitHub repository, according to researchers who discovered the leak. One cybersecurity expert described it as “the worst leak that I’ve witnessed” in terms of its sheer negligence and potential impact.
The exposed repository, which belonged to CISA's development team, contained credentials for databases, cloud administration panels, and even remote access tools. Because the repository was public, anyone with internet access could have cloned the code and extracted the passwords. While CISA quickly took the repository private after being alerted by independent security researcher Mike Pearl, the damage may already have been done: automated bots and malicious actors constantly scan GitHub for exposed secrets, meaning the credentials may have been harvested within seconds of being uploaded.
What Was Exposed?
According to Pearl, the repository contained “hardcoded plain-text passwords and API keys for a variety of internal CISA services.” These included keys for Amazon Web Services (AWS) infrastructure, admin panels for a vulnerability management platform, and credentials for a database containing aggregated threat intelligence. The passwords were not even obfuscated or encrypted — they were simply written out in config files alongside the code. This violates not only CISA's own security policies but also standard industry practices like using environment variables or secret management tools (e.g., HashiCorp Vault, AWS Secrets Manager).
The leak is especially alarming because CISA's mission includes protecting federal civilian networks, coordinating incident response, and sharing cyber threat indicators with private sector partners. If an adversary had accessed those credentials, they could have potentially tampered with critical shared systems, disrupted threat intelligence sharing, or planted backdoors that could be used in future attacks.
Blaming Human Error, Again
CISA officials declined to comment on the record, but internal sources familiar with the incident told a familiar story: a developer mistakenly set the repository's visibility to “public” instead of “private,” and the code review process failed to catch the embedded secrets. This is a classic example of the human factor in cybersecurity — even when organizations have mandatory training and automated scanning tools (like git-secrets or pre-commit hooks), mistakes slip through. In CISA's case, the oversight appears to have been compounded by a lack of adherence to its own data handling policies.
The incident echoes similar embarrassments at other federal agencies: in 2019, the Department of Defense accidentally exposed classified AWS keys on a public GitHub repo; in 2021, the NSA had a similar lapse that exposed tools for advanced malware analysis. These repeated failures suggest that the federal government's approach to secure software development — centered on checklists and mandatory training — is not sufficient. Security experts argue that technical controls, such as blocking uploads of secrets to public repositories altogether, must be enforced at the infrastructure level rather than relying on developer discretion.
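The kind of infrastructure-level control the experts above describe, and the hardened alternative to the plain-text config files described under "What Was Exposed?", as an added example written for this article (it is not CISA's, Pearl's or any named tool's code): a pre-commit hook that scans the files a commit would publish for AWS access key IDs and plain-text credential assignments and exits non-zero when it finds one. The sample config, the file name and the use of the AWS documentation example key pair are constructed for the demo.

```python
"""Pre-commit secret scanner (added illustration, not CISA's or Pearl's tooling)."""
import re
import subprocess
import sys
# Secret shapes the article describes: AWS access key IDs (AKIA/ASIA + 16 chars)
# and password / API-key / secret assignments written into config or JSON files.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "hardcoded_credential": re.compile(
        r"(?i)\b[a-z_]*(password|passwd|pwd|api[_-]?key|secret|token)[a-z_]*['\"]?"
        r"\s*[:=]\s*['\"]?(?P<value>[^\s'\"#]{8,})"),  # values under 8 chars are skipped
}
# Values that are references, not secrets: ${ENV_VAR}, <placeholder>, masked, changeme.
SAFE_VALUE = re.compile(r"^(\$\{?[A-Z_][A-Z0-9_]*\}?|<[^>]+>|\*{3,}|changeme)$", re.I)

def scan_text(text, path="<stdin>"):
    """Return (path, line number, finding type) for each suspected secret in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pattern in SECRET_PATTERNS.items():
            match = pattern.search(line)
            if not match:
                continue
            value = match.groupdict().get("value") or match.group(0)
            if SAFE_VALUE.match(value):
                continue  # e.g. db_password = ${DB_PASSWORD}: the hardened form
            findings.append((path, lineno, kind))
    return findings

def staged_files():
    # Paths added/copied/modified in the index, i.e. exactly what the commit would publish.
    out = subprocess.run(["git", "diff", "--cached", "--name-only", "--diff-filter=ACM"],
                         capture_output=True, text=True, check=True).stdout
    return out.split()

# Constructed sample: the AWS documentation example key pair, one plain-text DB
# password, and the same setting rewritten to read from the environment instead.
SAMPLE_CONFIG = """aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
db_password = Sup3rS3cret!2024
db_password = ${DB_PASSWORD}
"""
if __name__ == "__main__":  # as .git/hooks/pre-commit, a non-zero exit blocks the commit
    demo = "--demo" in sys.argv
    hits = scan_text(SAMPLE_CONFIG, "constructed.ini") if demo else []
    for path in [] if demo else staged_files():
        with open(path, errors="replace") as handle:
            hits += scan_text(handle.read(), path)
    for path, lineno, kind in hits:
        print(f"{path}:{lineno}: possible {kind}")
    sys.exit(1 if hits else 0)
```

Run with `--demo` to see the three findings in the constructed config (the `${DB_PASSWORD}` line is accepted); the regexes are deliberately simple and will miss short or unconventionally named secrets, so they complement rather than replace a dedicated scanner.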
Implications for Critical Infrastructure
The timing of the leak is particularly painful for CISA. The agency has been at the forefront of efforts to harden U.S. critical infrastructure against state-sponsored cyberattacks, especially from Russia, China, and Iran. In the wake of recent attacks on water utilities, pipelines, and hospitals, CISA has urged private sector operators to adopt zero-trust architectures and multifactor authentication. Now, the agency itself appears to have failed the basic test of protecting its own credentials.
“If an agency that tells everyone else to lock down their systems can't even keep its own passwords out of a public GitHub repo, how can we trust their advice?” said one former senior DHS official who spoke on condition of anonymity. “It undermines their credibility and gives foreign adversaries a propaganda gift.”
Moreover, the leaked credentials might not have been limited to CISA's internal systems. Because CISA collaborates with other government agencies and private companies, some exposed keys could have provided access to shared platforms used in joint cybersecurity operations. The full scope of what could have been compromised will likely require weeks of forensic audit, but the incident already threatens to delay or disrupt critical threat-sharing initiatives.
How the Discovery Was Made
Mike Pearl, a security researcher who often hunts for exposed credentials on GitHub, came across the repository while scanning for common patterns. “I was shocked to see it belonged to CISA.gov,” he wrote in a public post. “Those keys were so clearly sensitive that I couldn't believe they weren't caught by any automated scanning.” Pearl immediately filed a responsible disclosure through CISA's bug bounty program, which is operated by the Department of Homeland Security. The agency acknowledged the report and made the repo private within hours.
But the damage is done. Repositories that were once public are cached, archived, and forked by countless users. Even after the repo goes private, any clones or downloads made before the fix persist indefinitely. CISA will have to rotate all affected credentials, notify partners, and investigate whether any unauthorized access occurred — a process that could cost millions of taxpayer dollars and consume weeks of staff time.
Is There a Deeper Problem?
This incident is not an isolated screw-up. A 2023 Government Accountability Office report found that CISA had not fully implemented several key cybersecurity requirements for its own systems, including encryption-at-rest standards and penetration testing of internal applications. Lawmakers have repeatedly criticized the agency for being too focused on external guidance while neglecting its own security hygiene. The GitHub leak may become the catalyst for congressional hearings and forced reforms.
Senator Ron Wyden (D-OR), a longstanding privacy hawk, called the leak “unacceptable” and demanded an immediate independent investigation. “CISA is supposed to be the model for federal cybersecurity, not a case study in how not to do it,” he said in a statement. “If we can't trust CISA with its own secrets, the American people have a right to be deeply worried about the security of our entire digital government.”
In the meantime, the incident serves as a stark reminder that even the most security-conscious organizations are vulnerable to simple mistakes. And in the world of cybersecurity, a single plain-text password in a public GitHub repo can undo years of trust and investment.
Source: Gizmodo News