
CISA's Own Credentials Were Sitting on GitHub for Six Months
About This Episode
CISA -- the federal agency whose job it is to protect America's critical infrastructure -- had its own internal credentials sitting in a public GitHub repository for six months. Plain text passwords. AWS GovCloud keys. SSH access tokens. Visible to anyone on the internet with a browser.

What makes this worse: the contractor who created the repository didn't slip up accidentally. They actively disabled the default GitHub protections designed to prevent exactly this from happening. And when the repository finally came down, those AWS keys stayed valid for another 48 hours before anyone thought to revoke them.

Drex brings this back to the question every health system CISO should be sitting with: How many contractors have access to your most sensitive systems right now -- and if one of them made this choice six months ago, would you even know today?

Remember, Stay a Little Paranoid

LinkedIn: https://www.linkedin.com/company/ThisWeekHealth
Twitter: https://twitter.com/thisweekhealth
Donate: Alex's Lemonade Stand: Foundation for Childhood Cancer - https://www.alexslemonade.org/mypage/3173454
Transcript
Hey everyone, I'm Drex and this is the Two Minute Drill. It's great to see you today. Here's some stuff you might wanna know about. Guillaume Valadon works for a company called GitGuardian. His job, or at least his company's job, is to run software that scans public code repositories all day, every day, looking for secrets that shouldn't be there. Things like API keys and, uh, passwords and access tokens. The kinds of things that, if they're left exposed, give an attacker a key to your house. It's quiet, methodical work. Most of what the scanner finds is pretty mundane. A developer forgot to scrub a test credential, or a password ended up in a commit, and it shouldn't be there. It was done by accident. The alerts go out, the owners fix it, life goes on. But on May 15th of this year, the scanner flagged something that was not mundane. There was a public GitHub repository named PrivateCISA. It had been sitting there since November 13th, 2025, about six months. It was public. It was visible to anyone on the internet, anyone with a browser. The account belonged to a contractor working for Nightwing, a government firm based in Dulles, Virginia. Nightwing does work for CISA, the Cybersecurity and Infrastructure Security Agency. It still drives me a little crazy that they say security twice in the department name. That's another problem for another time. CISA, as you know, is the federal agency whose job it is to protect America's critical infrastructure from exactly this kind of thing. Valadon looked inside the repository, and what he found was 844 megabytes of files. There was a CSV file. It was titled aws-workspace-firefox-passwords.csv. Inside of it was plain text passwords to dozens of CISA internal systems. Not hashed, not encrypted, just plain text. The passwords followed a pattern, platform name plus current year, like GitHub 2025 and Artifactory 2025. The kind of passwords a security auditor flags on day one.
There were also administrative credentials for three AWS GovCloud servers, SSH keys, access tokens, internal documentation describing exactly how CISA builds, tests, and deploys its own software, a blueprint for anyone who wanted to understand the agency's inner workings. When Valadon's team tried to contact the repository owner and got no response, he called a journalist at Krebs on Security, and of course, the repository came down shortly after that. But the AWS keys, those stayed valid for another 48 hours before anyone revoked them. A security researcher who reviewed the repository called it, "The worst leak I've ever witnessed." Here's why I tell this story and why I hope you'll share this story. CISA is one of the agencies that hospitals and health systems turn to for federal guidance on cybersecurity. They issue emergency directives when a critical vulnerability is being actively exploited. They, they're the ones that tell CISOs what to patch and what to watch and what to worry about. They are, in the clearest sense, a source of trust. And for six months, their own digital keys were sitting on the open internet. What were adversaries doing with that access during those six months? Well, nobody knows, or at least they're not saying publicly. But the question isn't really theoretical. And here's what I want you to think about. The contractor who built this repository didn't accidentally leave the door open. According to researchers, they actively disabled the default GitHub settings, the ones that prevent these kinds of secrets from being published. Someone made a deliberate choice to turn off that protection, and then they walked away. Now, how many contractors do you have with access to sensitive internal systems right now? And do you know what they're doing with that access? And if one of them made a mistake or a deliberate choice six months ago, would you even know today? I wonder. That's it for today's Two Minute Drill.
Drop me a note and let me know what you're working on. I'm always happy to hear from you. I'm drex@229project.com. Thanks for being here. Stay a little paranoid, and I'll see you around campus.
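The kind of scanning Drex describes, software that reads repository contents looking for keys and passwords, can be shown with a small detector. This is an added example, not GitGuardian's code or anything from the episode: it assumes a {path: contents} mapping of a checked-out repository and constructed sample files (the key ID is the placeholder from AWS documentation), and it flags AWS access key IDs by their shape, private-key headers, and the platform-name-plus-year passwords the episode describes in a saved-password CSV export.

```python
import csv
import io
import re

# Constructed sample of the kind of content the episode describes; every value is made up.
SAMPLE_FILES = {
    "aws-workspace-firefox-passwords.csv": (
        "url,username,password\n"
        "https://github.example,svc-build,GitHub2025\n"
        "https://artifactory.example,deployer,Artifactory2025\n"
        "https://jira.example,qa-user,correct-horse-battery-staple\n"
    ),
    # AKIAIOSFODNN7EXAMPLE is the placeholder access key ID used in AWS documentation.
    "deploy/config.env": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\nREGION=us-gov-west-1\n",
    "keys/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXkt...\n",
}

# Detector patterns (assumptions for this example, not a real scanner's rule set).
AWS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")  # shape of an AWS access key ID
PRIVATE_KEY = re.compile(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----")
NAME_PLUS_YEAR = re.compile(r"^[A-Za-z]{3,}[-_ ]?20\d{2}$")  # e.g. GitHub2025

def scan_text(path, text):
    """Return (kind, path, line_no) findings for key material in one file."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if AWS_KEY_ID.search(line):
            findings.append(("aws_access_key_id", path, line_no))
        if PRIVATE_KEY.search(line):
            findings.append(("private_key", path, line_no))
    return findings

def scan_password_csv(path, text):
    """Flag rows of a password export whose password is a platform name plus a year."""
    reader = csv.DictReader(io.StringIO(text))
    if not reader.fieldnames or "password" not in reader.fieldnames:
        return []
    findings = []
    for row_no, row in enumerate(reader, start=2):  # line 1 of the file is the header
        if NAME_PLUS_YEAR.match((row.get("password") or "").strip()):
            findings.append(("weak_name_plus_year_password", path, row_no))
    return findings

def scan_files(files):
    """Scan a {path: contents} mapping (a checked-out repo) and return sorted findings."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
        if path.lower().endswith(".csv"):
            findings.extend(scan_password_csv(path, text))
    return sorted(findings)
```

In practice a finding like these is the trigger to rotate the credential immediately rather than wait for the repository to be taken down, which is the 48-hour gap the episode points at.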