astra.buzz

Trump gutted CISA and the keys ended up on GitHub

· 5 min read · 1,078 words

The agency that tells the rest of the country how to handle secrets left its own secrets on public GitHub.

That is the simple version. The full version is worse. According to Krebs on Security’s May 18 report, a contractor working on systems for the Cybersecurity and Infrastructure Security Agency kept a public repository called Private-CISA online with credentials for multiple AWS GovCloud accounts, plaintext passwords for internal systems, logs, and files showing how CISA builds, tests, and deploys software internally. GitGuardian’s disclosure timeline says the public repository was created on November 13, 2025 and held 844 megabytes of data across the working tree and Git history. This was not a one-afternoon mistake.

I do not care how many times CISA says there is no indication that sensitive data was compromised. The country just learned that the civilian cyber defense agency had a contractor storing its operational guts in a public repo for months. That happened after the Trump administration had already driven out roughly one third of the workforce and left CISA with around 1,000 vacancies.

The leak was bad on its own terms

Guillaume Valadon of GitGuardian surfaced the exposure after his company flagged the secrets and could not get the account owner to respond. GitGuardian says it reported the leak through CERT/CC on May 14 and reached CISA directly on May 15. Security researcher Philippe Caturegli of Seralys said he verified that the leaked credentials could authenticate to three AWS GovCloud accounts at a high privilege level. He also found plaintext credentials for CISA’s internal Landing Zone DevSecOps environment and Artifactory systems.

The detail that should make every federal tech shop flinch is that the contractor had reportedly disabled GitHub’s built-in secret protection before publishing the material. That takes this out of the realm of bad luck. Someone defeated a safeguard designed for exactly this problem and kept using the repo anyway. Push protection is the last check before a secret becomes public; once a commit lands in a public repository, the secret has to be treated as compromised no matter how fast it is deleted, because it still sits in the Git history and automated scrapers pull new public commits within minutes.

The cleanup was not fast either. In the May 22 follow-up, Krebs reported that more than a week after GitGuardian first alerted CISA, the agency was still working to invalidate exposed credentials. Dylan Ayrey of Truffle Security found that one leaked RSA private key still granted access to a GitHub app owned by CISA’s enterprise account. Truffle’s own writeup says the key had write access across CISA’s GitHub organization and stayed live for two days after Krebs reported the leak. That same Truffle summary says other live secrets included JFrog tokens, database passwords, and TLS private keys.
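For readers who want to see what the disabled safeguard actually does, here is a small scanner of the kind GitHub’s push protection runs before a commit is accepted. It is an added illustration written for this post, not CISA’s, GitGuardian’s or Truffle Security’s tooling, and the file names, rule set and sample files are constructed for the demonstration. The AWS values are Amazon’s published example credentials, not live keys. The idea is simple: match the well-known shapes of the secret types named above (AWS access keys, PEM private keys such as a GitHub app’s RSA key, password assignments) on every line of every file being pushed, redact what you find so the report is not itself a leak, and refuse the push if anything matches. The same function can be fed the output of `git log -p --all` to sweep history, which is where the bulk of a repo like this one lives.

```python
"""Minimal pre-push secret scanner (added example, not any agency's or vendor's code).

Scans a mapping of path -> file contents, the way a pre-receive hook would
scan the files in a push, and blocks when any rule fires.  Sample files below
are constructed; the AWS values are Amazon's documented example credentials.
"""
import re
from dataclasses import dataclass

# Each rule: (name, compiled pattern, regex group holding the secret itself).
# Patterns are deliberately narrow so a hit is actionable rather than noisy.
RULES = [
    ("aws_access_key_id",
     re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b"), 1),
    ("aws_secret_access_key",
     re.compile(r"(?i)aws_secret_access_key\s*[=:]\s*[\"']?([A-Za-z0-9/+=]{40})"), 1),
    ("pem_private_key",
     re.compile(r"(-----BEGIN (?:RSA |EC |OPENSSH |)PRIVATE KEY-----)"), 1),
    ("password_assignment",
     re.compile(r"(?i)(?:password|passwd)\s*[=:]\s*[\"']?([^\s\"']{8,})"), 1),
]


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    rule: str
    redacted: str  # a scanner report that prints whole secrets is a second leak


def redact(secret: str) -> str:
    """Keep a 4-character prefix so a human can recognise the hit, drop the rest."""
    return (secret[:4] + "...****") if len(secret) > 4 else "****"


def scan_text(path: str, text: str) -> list[Finding]:
    """Apply every rule to every line of one file."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern, group in RULES:
            for m in pattern.finditer(line):
                findings.append(Finding(path, lineno, rule, redact(m.group(group))))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    """Scan a push (or a dump of `git log -p --all`) given as path -> contents."""
    out: list[Finding] = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


def should_block_push(files: dict[str, str]) -> bool:
    """The hook's decision: a single finding is enough to reject the push."""
    return bool(scan_files(files))


# Constructed sample push: one clean file, one Terraform vars file with
# Amazon's example credentials and a password, and a PEM key like a GitHub
# app's private key.  Paths are hypothetical.
SAMPLE_FILES = {
    "README.md": "# Deploy notes\nRotate credentials quarterly.\n",
    "env/govcloud.tfvars": (
        'aws_access_key_id     = "AKIAIOSFODNN7EXAMPLE"\n'
        'aws_secret_access_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCyEXAMPLEKEY"\n'
        'db_password = "Sup3rS3cret!"\n'
    ),
    "keys/github-app.pem": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "MIIEowIBAAKCAQEA...\n"
        "-----END RSA PRIVATE KEY-----\n"
    ),
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line}: {f.rule}: {f.redacted}")
    print("push blocked" if should_block_push(SAMPLE_FILES) else "push allowed")
```

Run as a script it lists four findings from the two sensitive files and reports the push as blocked; the README alone passes. The point of the `redacted` field is the check that is easy to forget: the report itself lands in CI logs and tickets, so it must never carry the full secret.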

If you are trying to defend the federal government from intrusion, that is not a minor paperwork issue. That is a map of your house sitting on the sidewalk with the door code taped to it.

This happened at the worst possible time

Sen. Maggie Hassan’s May 19 letter to acting CISA director Nick Andersen put the point cleanly. She called the incident a serious question about how such a lapse could happen at the agency charged with preventing cyber breaches. She also noted that it happened during a period of significant threats against critical infrastructure and after CISA had lost more than a third of its workforce in 2025, including almost all of its senior leaders.

House Homeland Security ranking members Bennie Thompson and Delia Ramirez were even blunter. They wrote that the exposed files gave adversaries the access and roadmap they need, and warned that the incident reflects a diminished security culture and an inability to manage contract support.

That is the real story here. The leak did not happen in a healthy institution. Federal News Network reported that CISA had already lost roughly one third of its workforce and more than 1,000 staff through resignations, buyouts, and layoffs, and that the agency still had roughly 1,000 vacancies as of March. Cybersecurity Dive reported that Andersen told staff they would have to do a lot more work with a lot less people, and that some missions were going to be turned off so CISA could focus on a smaller set of priorities.

Then came the budget knife. The White House’s FY2026 budget appendix cuts CISA operations and support from about $2.383 billion to $1.958 billion. Government Executive reported that the administration’s budget materials project the agency’s workforce falling from 3,292 employees to 2,324, along with a roughly $495 million total funding drop. Those are the conditions the Trump administration created before this leak ever became public.

The rogue contractor defense does not hold up

The strongest defense is easy to state. One contractor behaved recklessly. Big organizations can suffer embarrassing leaks even when leadership is competent. Do not turn one person’s garbage workflow into a grand theory.

Fine. One contractor appears to have used a public repo as a scratchpad and sync mechanism. Krebs reported that the account belonged to an employee of Nightwing, which describes itself as a national security solutions company with more than 2,200 employees and 200-plus active contracts. That part is true.

It still does not rescue CISA.

Healthy institutions are made of controls, staffing, supervision, and fast remediation. A healthy institution catches this before November turns into May. Disabling secret scanning would trigger scrutiny instead of becoming routine. An enterprise GitHub key would get rotated immediately after public reporting. Congress would not need to ask why the basics failed at the agency that lectures everyone else about the basics.

This is what hollowing out looks like in practice. It does not always announce itself with a shutdown banner. Sometimes it looks like attrition, acting leaders, vacancies, mission triage, contractor dependence, and a public statement insisting there is no sign of compromise while the keys are still being rotated.

Cybersecurity is a capacity problem before it is a slogan

Trump and the people around him treat government expertise the way private equity treats a factory. Strip headcount. Push more onto contractors. Mock anyone who says institutional memory matters. Then act shocked when the machinery starts coughing up parts.

CISA’s leak should be read as a warning about state capacity. Cyber defense is people, procedures, and enough institutional depth to catch mistakes before they become public humiliations. You do not get that by driving out senior staff, freezing hiring, slashing budgets, and hoping patriotic branding covers the hole.

The repo was called Private-CISA. It turned out to be public. That is a pretty good metaphor for the whole administration. They keep insisting the country is safer because they are tougher. Meanwhile the actual protective capacity gets stripped for parts, and the rest of us are left to find out how much was missing only after the credentials hit GitHub.
