Security researcher Brian Krebs has uncovered a major gaffe by America’s Cybersecurity and Infrastructure Security Agency (CISA): a public GitHub repository named “Private-CISA” had been hosting plaintext passwords, SSH private keys and other sensitive CISA information since at least November 2025.
The repo was first brought to light by GitGuardian's Guillaume Valadon, who detected it through the company’s automated code scans. Despite attempts to contact the repository owner, the issue remained unaddressed until Krebs took up the case. Analysis revealed that GitHub’s default security features had been intentionally disabled, allowing for unauthorized access.
Testing by Seralys founder Philippe Caturegli confirmed the severity of the situation. He managed to use the credentials within the repo to gain high-level access to multiple Amazon Web Services GovCloud accounts. The revelation highlights a serious lapse in digital asset management and security practices at CISA, which has yet to provide a public response.
This isn’t an isolated incident either; earlier this year, acting CISA Director Madhu Gottumukkala uploaded sensitive government documents to ChatGPT despite policy prohibitions. His role was swiftly revoked after the fiasco, but the current situation suggests that such oversights remain all too common.







