“There is no indication that any sensitive data was compromised as a result of the incident,” CISA said in a written statement — even as lawmakers and outside experts press the agency for details on how dozens of agency credentials came to be published on a public GitHub account.
How the keys were published and what was exposed
KrebsOnSecurity reported that a CISA contractor with administrative access to the agency’s code development platform created a public GitHub profile called “ Private-CISA ” that included plaintext credentials to dozens of internal CISA systems. Experts who reviewed the now-defunct archive said commit logs show the contractor disabled GitHub’s built‑in protection against publishing sensitive credentials in public repos. The repository, according to those reviewers, was originally created in November 2025 and “exhibits a pattern consistent with an individual operator using the repository as a working scratchpad or synchronization mechanism rather than a curated project repository.”
The exposed secrets included AWS GovCloud keys and “a vast trove of other agency secrets,” KrebsOnSecurity reported. The security firm GitGuardian notified CISA of the leak, and Truffle Security later located additional sensitive content that, by its account, was added to the repo in late April 2026.
Technical consequences: RSA key, CI/CD access and rotating credentials
Dylan Ayrey, creator of the open-source tool TruffleHog and a representative of Truffle Security, told KrebsOnSecurity that an RSA private key in the Private‑CISA repository granted access to a GitHub app owned by the CISA enterprise account and installed on the CISA‑IT GitHub organization with full access to all code repositories. Ayrey warned that “an attacker with this key can read source code from every repository in the CISA‑IT organization, including private repos, register rogue self‑hosted runners to hijack CI/CD pipelines and access repository secrets, and modify repository admin settings including branch protection rules, webhooks, and deploy keys.”
KrebsOnSecurity said it notified CISA of Ayrey’s findings on May 20; Ayrey reported that the exposed RSA private key appears to have been invalidated sometime after that notification. He also told the publication that CISA had not yet rotated leaked credentials tied to other critical security technologies deployed across the agency’s portfolio — a set of technologies that KrebsOnSecurity is not naming publicly for the time being.
CISA responded to questions with a brief statement: “CISA is actively responding and coordinating with the appropriate parties and vendors to ensure any identified leaked credentials are rotated and rendered invalid and will continue to take appropriate steps to protect the security of our systems.” The agency has not provided a public timeline for how long the credentials were exposed.
Lawmakers press CISA: May 19 letters, workforce context, and concern
Lawmakers in both chambers have demanded answers. In a May 19 letter to CISA Acting Director Nick Andersen, Sen. Maggie Hassan (D‑NH) asked a dozen questions about the breach and warned that “This reporting raises serious concerns regarding CISA’s internal policies and procedures at a time of significant cybersecurity threats against U.S. critical infrastructure.” Sen. Hassan noted the incident “occurred against the backdrop of major disruptions internally at CISA,” saying the agency “lost more than a third of its workforce and almost all of its senior leaders after the Trump administration forced a series of early retirements, buyouts, and resignations across the agency’s various divisions.”
Rep. Bennie Thompson (D‑MS), the ranking member on the House Homeland Security Committee, echoed the senator’s concerns in a separate May 19 letter to the acting CISA chief that was co‑signed by Rep. Delia Ramirez (D‑Ill). “We are concerned that this incident reflects a diminished security culture and/or an inability for CISA to adequately manage its contract support,” Thompson wrote, adding that “It’s no secret that our adversaries — like China, Russia, and Iran — seek to gain access to and persistence on federal networks. The files contained in the ‘Private‑CISA’ repository provided the information, access, and roadmap to do just that.”
What this means for technologists, policymakers, and adversaries
- Technologists and security teams: The report highlights immediate operational work — invalidating exposed keys, rotating credentials across CI/CD and GovCloud, and auditing repository access. Experts noted that organizations can set top‑down GitHub policies to prevent disabling protections, but those controls may not stop individuals from using personal accounts as a sync mechanism.
- Policymakers and procurement leaders: Lawmakers have demanded detailed answers and documentation; the incident has been placed explicitly in the context of recent workforce and leadership turnover at CISA, which Congress may probe further as it evaluates contract oversight and internal policy.
- Adversaries and threat actors: Truffle Security and other monitoring firms said they and malicious actors alike watch public GitHub commits. Ayrey warned that cybercriminals “monitor that firehose” and are often quick to seize exposed API or SSH keys when they appear in public commits.
The public record now contains competing assertions: outside researchers say dozens of plaintext credentials to important CISA GovCloud resources were exposed and some keys provided broad repository and CI/CD access; CISA says it is actively responding and sees “no indication” of compromised sensitive data. What remains clear is that lawmakers have asked for a detailed accounting, CISA is working to rotate and invalidate credentials, and outside researchers remain engaged — leaving unanswered which credentials have been fully remediated and how long any were available to third parties.
KrebsOnSecurity: Lawmakers Demand Answers as CISA Tries to Contain Data Leak




