CISA said it opened an internal investigation on May 15 after an investigative journalist asked about agency credentials appearing online. The journalist had been alerted by a security researcher whose company scans public code repositories for exposed passwords, tokens and other secrets.
The repository, named “Private-CISA”, was not part of the agency’s official GitHub environment. It belonged to a contractor who had copied material from a CISA build and deployment repository into a personal account while attempting to create cloud infrastructure independently.
The exposed files included administrative and build credentials, AWS GovCloud access keys, plaintext passwords, tokens, logs, infrastructure code and documentation describing internal software development processes. Researchers said valid credentials could access three highly privileged GovCloud accounts and other internal systems.
CISA removed the repository, preserved a copy for forensic examination and disconnected the affected development environment. It also revoked the contractor’s access and reset credentials linked to the exposure. The agency said all credentials across environments administered by the individual were rotated, rather than limiting the action to secrets known to have appeared publicly.
Its review found no evidence that the credentials had been used outside CISA-controlled environments. The agency also said no customer information or mission data had been exposed. However, independent researchers reported that some credentials remained active for about two days after the repository was taken offline, raising questions about the speed and complexity of the containment operation.
The repository had existed since November 2025, though the precise dates on which individual secrets were uploaded varied. It contained hundreds of megabytes of information, including Kubernetes configuration files, Terraform infrastructure code, software build records and material associated with continuous integration and deployment systems.
The episode highlighted the risks created when long-lived credentials are stored in code repositories. Even private repositories can be copied, wrongly configured or made public. Credentials combined with infrastructure diagrams and deployment instructions can give attackers a clearer route into cloud environments and software supply chains.
CISA identified tighter control over public repositories as a central lesson. The agency said developers should be able to retrieve open-source code without having unrestricted ability to upload proprietary material or sensitive files. It has reviewed its zero-trust controls and expanded endpoint monitoring designed to identify and manage uploads.
The agency also called for continuous secret scanning across public and private repositories. Passwords, cryptographic keys and access tokens should be kept in managed secret-storage systems rather than embedded in source code, scripts, configuration files or browser exports.
A third weakness involved incident planning. CISA acknowledged that it lacked a dedicated GitHub and cloud response playbook when the alert arrived. Investigators therefore had to create parts of the response process while the incident was unfolding. Organisations were advised to prepare and test playbooks covering exposed repositories, compromised cloud accounts, developer platforms and software-signing systems.
CISA also said security researchers need clearer ways to report incidents involving an organisation’s own infrastructure. The researcher who found the material tried several channels, including direct messages to the repository owner and a vulnerability disclosure process intended mainly for product flaws. The matter reached CISA effectively only after a journalist became involved.
Publishing clear reporting instructions through security. txt files and prominent website pages can reduce delays, particularly when a discovery involves leaked credentials rather than a conventional software vulnerability.
Development environments require security controls comparable to those protecting production networks, CISA said. Organisations should consolidate unmanaged tooling, restrict administrative permissions and apply zero-trust principles to systems used for building and deploying software.
Follow Arabian Post
Select Arabian Post as your preferred source on Google and MSN News for trusted business news and Arab politics and updates.