CISA left GitHub repo with passwords and keys exposed for six months


The US Cybersecurity and Infrastructure Security Agency left a GitHub repository called “Private-CISA” publicly accessible for six months, exposing plain-text passwords, private keys, tokens and other secrets, according to a GitGuardian disclosure on the incident.

KEY FACTS

  • Exposure: The repository contained 844 MB of production infrastructure material.
  • Contents: Files included AWS credentials, GitHub personal access tokens, Kubernetes manifests and Entra ID SAML certificates.
  • Report: GitGuardian said it found the public repo on May 14 and reported it the same day.
  • Response: The repository was taken down on May 15.

The files had obvious names such as external-secret-repo-creds.yaml and AWS-Workspace-Firefox-Passwords.csv, along with directories that suggested backups and infrastructure data. The disclosure said the material also included JFrog Artifactory tokens, Azure registry keys, Terraform code and ArgoCD application files.

Valadon initially thought the repository might be a hoax because of the naming pattern and the range of secrets inside, but said the contents were real. He described the collection as a catalogue of unsafe practices, including passwords stored in plain text and backups committed to Git.

CISA said it was aware of the report and was investigating. The agency said there was no indication that sensitive data was compromised as a result of the incident. GitGuardian said it was not aware of any exposed credentials being abused by unauthorized individuals.

The repository was created with a personal GitHub account and commits that mixed a contractor email with a personal Yahoo address. GitGuardian said that kind of mixed-identity setup can make leaks harder to monitor and can create a wider attack surface.
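As an added illustration (not code from GitGuardian, CISA or this article), the Python sketch below shows the two checks a team would want before a repository like this ever reaches GitHub: a pass over file names and contents for the credential formats the disclosure lists, and a count of commit author domains to surface the mixed-identity pattern described above. The detectors are deliberately simplified and are not GitGuardian's rules; the sample files and author addresses are constructed for the example, and the AWS key ID is the documentation placeholder AKIAIOSFODNN7EXAMPLE.

```python
import re
from typing import Dict, List

# Simplified detectors for a few well-known credential formats (constructed for
# this example; not GitGuardian's detection rules).
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "password_assignment": re.compile(r"(?i)\bpassword\s*[:=]\s*\S+"),
}

# File-name fragments that on their own justify a manual look before a push.
SUSPICIOUS_NAME_FRAGMENTS = (
    "secret", "creds", "credential", "password", "token", "id_rsa", ".pem", "backup",
)


def redact(match: str, keep: int = 4) -> str:
    """Keep a short prefix so a finding can be triaged without re-leaking the value."""
    return match[:keep] + "*" * max(len(match) - keep, 0)


def suspicious_filename(path: str) -> bool:
    lower = path.lower()
    return any(fragment in lower for fragment in SUSPICIOUS_NAME_FRAGMENTS)


def scan_text(path: str, text: str) -> List[dict]:
    """Run every detector over each line; one finding per match, value redacted."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in SECRET_PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append(
                    {"path": path, "line": lineno, "kind": kind, "value": redact(m.group(0))}
                )
    return findings


def scan_repo(files: Dict[str, str]) -> dict:
    """files maps a repo-relative path to its text (e.g. read from a checkout)."""
    return {
        "suspicious_names": [p for p in files if suspicious_filename(p)],
        "secrets": [f for p, t in files.items() for f in scan_text(p, t)],
    }


def author_email_domains(emails: List[str]) -> Dict[str, int]:
    """Count commit author addresses by domain. More than one domain in a repo that
    is supposed to be organization-owned is the mixed-identity pattern to flag."""
    counts: Dict[str, int] = {}
    for email in emails:
        domain = email.rsplit("@", 1)[-1].lower()
        counts[domain] = counts.get(domain, 0) + 1
    return counts


# Constructed sample checkout: file names echo the disclosure, contents are fake.
SAMPLE_REPO = {
    "README.md": "# infra\nSee docs for setup.\n",
    "external-secret-repo-creds.yaml": (
        "apiVersion: v1\n"
        "kind: Secret\n"
        "stringData:\n"
        "  github_token: ghp_0123456789abcdefghijklmnopqrstuvwxyz\n"
        "  password: s3cr3t-example\n"
    ),
    "AWS-Workspace-Firefox-Passwords.csv": (
        "url,username,password\n"
        "https://console.example,admin,Tr0ub4dor&3\n"
        "aws_access_key_id=AKIAIOSFODNN7EXAMPLE\n"
    ),
    "deploy/id_rsa": (
        "-----BEGIN OPENSSH PRIVATE KEY-----\n"
        "AAAA\n"
        "-----END OPENSSH PRIVATE KEY-----\n"
    ),
}

# Constructed author list: a contractor address mixed with a personal one.
SAMPLE_AUTHOR_EMAILS = [
    "dev@contractor.example",
    "dev@contractor.example",
    "dev@personal-mail.example",
]

if __name__ == "__main__":
    report = scan_repo(SAMPLE_REPO)
    for name in report["suspicious_names"]:
        print(f"NAME   {name}")
    for f in report["secrets"]:
        print(f"SECRET {f['path']}:{f['line']} {f['kind']} {f['value']}")
    print("AUTHOR DOMAINS", author_email_domains(SAMPLE_AUTHOR_EMAILS))
```

On a real checkout the same author-domain count comes from `git log --format='%ae'`; the point of redacting in the report is that a scanner's own output is often pasted into tickets and chat, which would otherwise just move the leak somewhere else.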

WHY IT MATTERS

The incident is significant because the exposed files could have allowed access to internal systems, build pipelines and cloud resources. Even without confirmed misuse, the case shows how a single public repository can reveal credentials that may be used for destructive attacks or long-term access.