The Cybersecurity Watchdog Left Its Keys on the Porch
What the CISA GitHub Leak Means for Everyone
Imagine leaving your house keys on the front porch with a sign that says "Private Do Not Touch" and then walking away for six months. That's essentially what happened to the agency charged with protecting America's critical infrastructure, except the porch was GitHub, the keys unlocked AWS GovCloud, and the sign was the repository name: "Private-CISA."
The Problem: A Contractor Put CISA's Secrets on a Public Shelf
In November 2025, an employee of Nightwing, a Virginia-based government contractor working for the Cybersecurity and Infrastructure Security Agency (CISA), created a GitHub repository named "Private-CISA." The name suggests something confidential. The settings said otherwise. The repo was public, and it stayed that way for roughly six months.
On May 14, 2026, Guillaume Valadon, a researcher at GitGuardian, discovered the repository and found 844 megabytes of sensitive material sitting in plain view. That material included AWS GovCloud administrative keys, plaintext usernames and passwords, authentication tokens, SSH keys, and detailed documentation of CISA's software build and deployment processes, including CI/CD build logs, Kubernetes manifests, Terraform infrastructure code, and GitHub Actions workflows.
Yes, plaintext passwords. In 2026. At the agency that literally publishes cybersecurity guidelines for the rest of the federal government.
Perhaps the most damning detail: the repository contained explicit instructions to disable GitHub's built-in secret scanning feature. Someone knew the scanning would flag these credentials and chose to turn it off rather than fix the problem.
GitGuardian reported the leak on May 14. CISA took the repository offline within about 26 hours, but some AWS credentials reportedly remained active for up to 48 hours after the agency was notified. Lawmakers have since demanded a briefing from CISA's acting Director, and the incident has triggered congressional scrutiny.
How It Affects You
You might be thinking, "That's a U.S. government problem. Why should I care?"
Here's why: CISA issues the binding directives and guidance that federal civilian agencies follow to protect their systems. When the watchdog can't police its own contractors, trust in the whole system erodes. And the specific failure mode here, a contractor exposing credentials in a public code repository, is not unique to CISA, or to government. It is one of the most common ways sensitive data leaks, and it happens at private companies, universities, and nonprofits every day.
The "no evidence of compromise" problem. CISA has stated there is "no indication that any sensitive data was compromised." This is a familiar refrain after every breach, and on its own it means little. GitHub does not record who clones a public repository; the owner sees only aggregate traffic counts. The repo was live for six months, and any number of automated scrapers, criminal groups, or nation-state actors could have copied everything in that time without leaving a trace on GitHub. Where evidence can exist is on the AWS side: CloudTrail records every API call made with an access key, including the denied ones. "No evidence" is only meaningful if someone pulled the CloudTrail history for each exposed key ID across the full exposure window and found nothing. Otherwise it just means nobody has looked hard enough yet.
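What turning "no evidence" into an actual query looks like, as an added example that is not part of the original post and not code from CISA or GitGuardian. The records are constructed sample data in the shape of CloudTrail events (the field names are the real ones), the key IDs are the placeholder values from AWS documentation, and the exposure date and trusted network range are assumptions for the example:

```python
"""Hunt CloudTrail-style records for use of exposed AWS access key IDs.

Added illustration for the "no evidence" point; not code from the page,
CISA or GitGuardian. Real CloudTrail records carry more fields, but the
ones used here (eventTime, eventName, eventSource, sourceIPAddress,
errorCode, userIdentity.accessKeyId) are the real field names. The events,
the exposure date and the trusted CIDR are constructed; the key IDs are
AWS documentation placeholders, not live credentials.
"""
import ipaddress
from datetime import datetime, timezone

# Constructed sample: five CloudTrail-like records (not real log data).
SAMPLE_EVENTS = [
    {"eventTime": "2026-03-02T04:11:09Z", "eventName": "GetCallerIdentity",
     "eventSource": "sts.amazonaws.com", "sourceIPAddress": "203.0.113.77",
     "userIdentity": {"accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
    {"eventTime": "2026-03-02T04:11:41Z", "eventName": "ListBuckets",
     "eventSource": "s3.amazonaws.com", "sourceIPAddress": "203.0.113.77",
     "userIdentity": {"accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
    {"eventTime": "2026-03-02T04:12:05Z", "eventName": "CreateUser",
     "eventSource": "iam.amazonaws.com", "sourceIPAddress": "203.0.113.77",
     "errorCode": "AccessDenied",
     "userIdentity": {"accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
    # Legitimate use from the (assumed) corporate range: excluded below.
    {"eventTime": "2026-03-03T15:00:00Z", "eventName": "DescribeInstances",
     "eventSource": "ec2.amazonaws.com", "sourceIPAddress": "10.20.0.5",
     "userIdentity": {"accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
    # Before the repo existed: cannot be attributable to the leak.
    {"eventTime": "2025-10-01T09:00:00Z", "eventName": "ListBuckets",
     "eventSource": "s3.amazonaws.com", "sourceIPAddress": "198.51.100.9",
     "userIdentity": {"accessKeyId": "AKIAI44QH8DHBEXAMPLE"}},
]


def parse_time(ts):
    """CloudTrail timestamps are ISO-8601 UTC with a trailing Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def hunt_leaked_keys(events, leaked_key_ids, exposed_since, trusted_cidrs):
    """Return every use of a leaked key from outside trusted networks after the
    earliest moment the key could have been copied. Denied calls are kept on
    purpose: AccessDenied on iam:CreateUser from an unfamiliar address is
    evidence of someone probing what the key can do, not noise."""
    nets = [ipaddress.ip_network(c) for c in trusted_cidrs]
    since = parse_time(exposed_since)
    hits = []
    for ev in events:
        key = ev.get("userIdentity", {}).get("accessKeyId")
        if key not in leaked_key_ids or parse_time(ev["eventTime"]) < since:
            continue
        src = ev.get("sourceIPAddress", "")
        try:
            addr = ipaddress.ip_address(src)
        except ValueError:
            addr = None  # AWS service principals appear here as DNS names
        if addr is not None and any(addr in n for n in nets):
            continue
        hits.append({
            "time": ev["eventTime"],
            "key": key,
            "source": src,
            "call": f"{ev.get('eventSource', '?')}:{ev['eventName']}",
            "denied": "errorCode" in ev,
        })
    hits.sort(key=lambda h: h["time"])  # same ISO format, so string order is time order
    return hits


def summarize(hits):
    """Collapse hits per key into first/last seen, distinct sources and counts:
    the shape an incident ticket needs to say 'we queried and found X'."""
    out = {}
    for h in hits:
        s = out.setdefault(h["key"], {"first_seen": h["time"], "last_seen": h["time"],
                                      "sources": set(), "calls": 0, "denied": 0})
        s["first_seen"] = min(s["first_seen"], h["time"])
        s["last_seen"] = max(s["last_seen"], h["time"])
        s["sources"].add(h["source"])
        s["calls"] += 1
        s["denied"] += h["denied"]
    return out


if __name__ == "__main__":
    LEAKED = {"AKIAIOSFODNN7EXAMPLE", "AKIAI44QH8DHBEXAMPLE"}   # from the scanner's report
    # Assumed: repo created mid-November 2025, corporate egress in 10.0.0.0/8.
    hits = hunt_leaked_keys(SAMPLE_EVENTS, LEAKED, "2025-11-15T00:00:00Z", ["10.0.0.0/8"])
    for h in hits:
        print(h)
    for key, s in summarize(hits).items():
        print(key, s)
```

Against real data you would feed this the JSON records from a CloudTrail Lake or Athena query filtered on the exposed key IDs, with the exposure date set to when the repository was created, not when the leak was reported. Note that this only works if CloudTrail was enabled for every account the keys could reach for the whole window; a gap in logging is itself a finding.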
The supply chain risk is everyone's risk. You interact with government systems more than you think. If you file taxes online, apply for permits, use government portals, or rely on critical infrastructure (which is everyone), you're counting on those systems being secure. A credential leak at a government agency's contractor is a direct line to the systems you depend on.
What You Can Do
Whether you run a company, manage a team, or just write code on weekends, the lessons from this incident apply directly to you.
1. Enable secret scanning everywhere. GitHub, GitLab, and Bitbucket all offer automated secret detection. Turn it on. Do not allow anyone on your team to disable it, and treat any instruction to disable it in a repo as a red flag in itself. If secrets are detected, treat it as an emergency, not an inconvenience. Scanning alone flags secrets after they land; it would almost certainly have flagged the AWS keys and tokens in this repo within minutes of the push, and six months earlier than a researcher did.
2. Never store credentials in code. Not in repositories, not in comments, not in configuration files that get committed. Use a secrets manager (AWS Secrets Manager, Azure Key Vault, HashiCorp Vault, or even 1Password for smaller teams). Credentials belong in vaults, not in version control.
3. Audit your contractor and vendor access. If you work with third parties who have access to your systems, treat their security as an extension of your own. Require them to follow your security policies. Ask for evidence that they have secret scanning enabled. Verify, don't assume. CISA clearly assumed Nightwing was handling credentials properly. They weren't.
4. Revoke and rotate exposed credentials immediately. Some of the leaked AWS keys reportedly remained active for up to 48 hours after CISA was notified. If a credential is exposed, revoke it first and investigate second: deactivate the key in IAM, then check CloudTrail for what it was used for. Taking the repository down does nothing for a key that has already been copied. Every minute counts.
5. Use short-lived credentials. AWS and other cloud providers support temporary security credentials that expire automatically. If a key leaks, the window of exploitation shrinks from "months" to "minutes or hours." For CI pipelines like the GitHub Actions workflows in this leak, use OIDC federation so the pipeline assumes a role at run time and never holds a static key that could be committed in the first place. This is one of the most impactful changes any organization can make.
6. Set up push protection. Beyond scanning existing repos, enable push protection to block secrets from being committed in the first place. GitHub offers this natively. It's the equivalent of keeping your keys from ever reaching the porch.
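What points 1, 5 and 6 look like as a check you can run yourself, as an added example that is not part of the original post and not GitHub's secret scanning, whose rules are far broader. The sample input is constructed to resemble what the leaked repo reportedly held (a Terraform variables file and a build log line); the key material is AWS's documentation placeholder, and the regex rules and entropy threshold are the example's own choices:

```python
"""Minimal secret scanner that can run as a pre-commit or pre-push gate.

Added example for the points above; not code from the page, from Nightwing
or CISA, or from any vendor's scanner. The sample input is constructed and
uses AWS documentation placeholder keys, which are not live credentials.
"""
import math
import re
import sys

# AWS access key IDs: AKIA = long-lived IAM user key, ASIA = temporary STS key.
AWS_KEY_ID = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")
# "<secret-looking name> = <literal>"; the literal is group 2.
ASSIGNMENT = re.compile(
    r"(?i)(secret|password|passwd|token|api[_-]?key|access[_-]?key)\w*\s*[=:]\s*['\"]?([^\s'\"]{8,})"
)
PRIVATE_KEY = re.compile(r"-----BEGIN (?:RSA |OPENSSH |EC |DSA )?PRIVATE KEY-----")
# Values that reference a vault or variable rather than carrying material.
REFERENCE_PREFIXES = ("${", "var.", "data.", "env.", "secrets.", "<")


def shannon_entropy(s):
    """Bits per character: random 40-char keys score about 4.5+, words and dates about 3."""
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(text, path="<input>"):
    """Return one dict per suspected secret. A line holding an AWS key ID is
    reported once, as the key, not again as a generic assignment."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        matched_key = False
        for m in AWS_KEY_ID.finditer(line):
            key = m.group(1)
            matched_key = True
            findings.append({
                "path": path, "line": lineno, "type": "aws_access_key_id", "severity": "high",
                # Long-lived keys stay valid until someone rotates them; STS keys
                # expire on their own, which is the whole argument for point 5.
                "note": ("long-lived IAM key: rotate now" if key.startswith("AKIA")
                         else "temporary STS key: expires, check session lifetime"),
                "sample": key[:8] + "...",
            })
        if PRIVATE_KEY.search(line):
            findings.append({"path": path, "line": lineno, "type": "private_key",
                             "severity": "high", "note": "private key material",
                             "sample": "-----BEGIN"})
        m = ASSIGNMENT.search(line)
        if m and not matched_key:
            value = m.group(2)
            if value.startswith(REFERENCE_PREFIXES):
                continue  # a reference into a secrets manager or variable: the right pattern
            ent = shannon_entropy(value)
            findings.append({
                "path": path, "line": lineno, "type": "secret_assignment",
                # Human passwords score low on entropy, so the variable name is what
                # triggers the finding; entropy only adjusts severity. A scanner that
                # relies on entropy alone would miss the plaintext passwords in this leak.
                "severity": "high" if ent >= 3.5 else "medium",
                "note": f"literal assigned to '{m.group(1)}' (entropy {ent:.2f})",
                "sample": value[:4] + "...",
            })
    return findings


def gate(findings):
    """Hook exit status: non-zero blocks the commit or push (the push-protection idea)."""
    return 1 if findings else 0


# Constructed sample resembling the leaked repo's contents (tfvars plus a build log line).
SAMPLE = """\
# terraform.tfvars (constructed sample)
aws_region            = "us-gov-west-1"
aws_access_key_id     = "AKIAIOSFODNN7EXAMPLE"
aws_secret_access_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
db_password           = "Winter2026!"
api_token             = var.api_token
# build log excerpt
2026-04-02T10:15:33Z export AWS_ACCESS_KEY_ID=ASIAIOSFODNN7EXAMPLE
-----BEGIN OPENSSH PRIVATE KEY-----
"""

if __name__ == "__main__":
    paths = sys.argv[1:]  # e.g. the staged files from a pre-commit hook
    if paths:
        findings = []
        for p in paths:
            with open(p, encoding="utf-8", errors="replace") as fh:
                findings += scan_text(fh.read(), p)
    else:
        findings = scan_text(SAMPLE, "sample.tfvars")
    for f in findings:
        print(f"{f['path']}:{f['line']}: [{f['severity']}] {f['type']} {f['note']} ({f['sample']})")
    sys.exit(gate(findings))
```

Run with no arguments to scan the embedded sample, or wire it into `.git/hooks/pre-commit` with the staged file list to get the blocking behaviour push protection gives you on the server side. The `api_token = var.api_token` line passes because it references a variable rather than embedding the value, which is exactly the pattern point 2 asks for.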
The Bigger Picture: Canada Has the Same Problem
If you're reading this from Canada, you might feel a bit of smug distance from the CISA debacle. Don't.
Canadian federal agencies rely on contractors just as heavily. Shared Services Canada (SSC), which provides IT infrastructure to most federal departments, works with a wide network of third-party vendors. The Canadian Centre for Cyber Security (CCCS) issues guidance similar to CISA's. The same structural vulnerability exists here.
We've already seen it play out. In late 2023, two federal contractors, Brookfield Global Relocation Services (BGRS) and SIRVA, were breached by the LockBit ransomware gang, exposing sensitive personal and financial data of current and former government employees, including RCMP and Canadian Armed Forces members, going back to 1999. In early 2024, a compromised VPN managed by Shared Services Canada led to unauthorized access to Global Affairs Canada systems for over a month.
The pattern is clear: contractors are the weakest link in government security on both sides of the border. Canada's privacy framework under PIPEDA and provincial legislation provides important protections for personal data, but it doesn't prevent the kind of negligent credential exposure that happened at CISA. Law and practice are two different things.
What Canadian organizations should take from this:
Demand the same standards from your vendors that you apply internally. Under PIPEDA, organizations are responsible for personal information in the hands of third-party service providers (PIPEDA Principle 4.1.3). If your contractor leaks data, you're on the hook.
Include secret scanning and credential management requirements in your vendor contracts. Make them contractual obligations, not suggestions.
Push for federal procurement reform. If CISA's contractor oversight failed this badly, Canadian procurement processes deserve the same scrutiny that U.S. lawmakers are now demanding.
The CISA GitHub leak isn't a sophisticated cyberattack story. It's a negligence story. A contractor turned off the alarms, left the vault open, and nobody checked for six months. The fix isn't exotic. It's basic hygiene: scan for secrets, store credentials properly, audit your contractors, rotate keys fast, and use short-lived credentials.
If the agency responsible for cybersecurity advice can't follow its own advice, the rest of us need to take this as a wake-up call, not a spectator sport.
Sources:
Krebs on Security: CISA Admin Leaked AWS GovCloud Keys on GitHub
GitGuardian Blog: How We Got a CISA GitHub Leak Taken Down in 26 Hours
Security Affairs: Data Breaches Impact Canadian Government (BGRS/SIRVA)
GhostNode helps you catch the problems nobody warned you about.

