Static Secrets Are Dead: What the CISA GitHub Leak Tells You About Your Own Stack

A CISA contractor exposed AWS GovCloud admin keys on public GitHub for six months, and the real story isn't the leak; it's the architecture that made it possible. Here's what every enterprise running static credentials needs to do before it becomes the next case study.

Propelex team May 22, 2026 - 7-minute read

Tags: CISA, Cloud Platform Security, Featured, Popular, risk assessment

For six months, the federal agency responsible for telling every other organization in America how to secure credentials had its own AWS GovCloud admin keys sitting in a public GitHub repository. This is not a story about a careless contractor. It is a story about an architecture that almost every enterprise still depends on.

28.65M: new hardcoded secrets on public GitHub in 2025
64%: of secrets valid in 2022 still exploitable in January 2026
6x: more secrets in internal repos than public ones
01 / 06

What Actually Happened

On May 18, 2026, Brian Krebs reported that a contractor for the Cybersecurity & Infrastructure Security Agency had maintained a public GitHub repository named “Private-CISA” containing administrative credentials to three AWS GovCloud accounts, plaintext passwords for dozens of internal CISA systems, Kubernetes config files, and build artifacts from the agency’s Landing Zone DevSecOps environment.

The repository was created November 13, 2025. GitGuardian discovered it May 14, 2026. Guillaume Valadon, the researcher who found it, called it the worst leak of his career. The contractor had explicitly disabled GitHub’s default secret-scanning protection. One file was titled “importantAWStokens”. Another, “AWS-Workspace-Firefox-Passwords.csv”, contained credentials saved directly from a browser session. Passwords throughout the repo followed the pattern of platform name plus the current year.

“Backdoor in some software packages, and every time they build something new they deploy your backdoor left and right.”

Philippe Caturegli, Seralys, on what access to CISA’s artifactory meant

The most uncomfortable detail is the timing. GitGuardian alerted the repository owner first. The owner did not respond. Krebs and Seralys then notified CISA directly. The GitHub account came down shortly after. The AWS keys themselves stayed live for another 48 hours.

02 / 06

Why This Isn’t a Contractor Problem

The natural reading is that one person made one bad commit. That reading is wrong and it is the reading that lets every other organization off the hook. Three structural conditions made this leak possible, and none of them are specific to CISA or its contractor.

  • Long-lived static credentials existed in plaintext to begin with. A file called “importantAWStokens” could only contain working admin credentials in an architecture that treats secrets as durable strings to be copied, stored, and synchronized.
  • The credentials worked for the same identity across environments. There was no environment-specific scoping, no broker, no short-lived issuance. The same key that worked in daily operations worked from anywhere.
  • The blast radius was unbounded. Admin-level access to three GovCloud accounts means full control of every resource in those accounts. No tiered privilege model existed to limit what exposure of those keys actually meant.

The Scale Behind the Headline

GitGuardian’s 2026 State of Secrets Sprawl report detected 28.65 million new hardcoded secrets in public GitHub commits in 2025, a 34% increase over 2024 and the largest single-year jump ever recorded. 64% of secrets confirmed as valid in 2022 were still exploitable in January 2026. The CISA incident is the headline. The 28.65 million secrets are the threat model.

03 / 06

The Vendor Blogs Got This Wrong

Every major security vendor published on the CISA leak within 72 hours. Most framed it as a secrets-scanning problem and recommended their scanning product. That framing is architecturally backwards.

Scanning catches secrets that already exist. The deeper question is why an admin credential needs to exist as a durable string at all. In a properly designed access architecture, the “importantAWStokens” file could not have contained working admin credentials for six months, because admin credentials would not exist as long-lived copyable values. Authentication would happen through short-lived tokens issued by an identity broker, scoped to a specific workload and set of resources, and expiring in minutes to hours; anything that landed in a file would already be on its way to expiry.

The standard playbook (rotate keys, add scanning, train developers) treats the symptom. The architecture treats the cause.

Propelex Security Team

This is not theoretical. It is how AWS IAM Roles Anywhere, GitHub’s OIDC trust with AWS, HashiCorp Vault, and every modern cloud secrets manager are designed to work. The technology has been production-ready for years. What has been missing is the architectural decision to deprecate static secrets entirely, not to scan for them more aggressively, but to make them structurally impossible.
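As an added worked example (not code from the original post, nor from CISA, GitHub or AWS), here is the AWS side of the GitHub OIDC trust the paragraph above refers to, evaluated offline: the trust policy that decides which workflow may assume a role, a small evaluator for its conditions, and a check for the two misconfigurations that quietly turn “no stored secrets” back into “anyone with a GitHub account can mint our credentials”. The condition keys and the `sts:AssumeRoleWithWebIdentity` action are the real ones; the account ID, the org and repository names, and the claim sets are assumptions made up for the example.

```python
"""Added example for this post (not from the original article, CISA, GitHub or AWS):
how the trust policy on the AWS side of a GitHub Actions OIDC federation decides
which workflow may mint credentials, evaluated offline. Condition keys
(`token.actions.githubusercontent.com:aud` / `:sub`) and the action are real; the
account ID, org/repo names and claim sets are constructed. The evaluator models
only StringEquals and StringLike, which is all such trust policies use."""
import fnmatch
import json

GITHUB_OIDC = "token.actions.githubusercontent.com"


def github_claims(sub, aud="sts.amazonaws.com"):
    """Claims of a workflow token as IAM sees them (provider-prefixed condition keys)."""
    return {f"{GITHUB_OIDC}:sub": sub, f"{GITHUB_OIDC}:aud": aud}


def trust_policy(account_id, sub_value, operator="StringEquals"):
    """Trust policy letting GitHub's OIDC provider assume the role, gated on `sub`.

    sub_value=None builds the common mistake of checking only the audience.
    (Partition is arn:aws here; GovCloud roles use arn:aws-us-gov.)
    """
    condition = {"StringEquals": {f"{GITHUB_OIDC}:aud": "sts.amazonaws.com"}}
    if sub_value is not None:
        condition.setdefault(operator, {})[f"{GITHUB_OIDC}:sub"] = sub_value
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{GITHUB_OIDC}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": condition,
        }],
    }


def _matches(operator, expected, claims):
    """Evaluate one IAM condition operator block against the token claims."""
    for key, wanted in expected.items():
        actual = claims.get(key)
        if actual is None:
            return False
        patterns = wanted if isinstance(wanted, list) else [wanted]
        if operator == "StringEquals":
            ok = actual in patterns
        elif operator == "StringLike":
            # IAM StringLike supports * and ?; fnmatchcase also accepts [..], unused here
            ok = any(fnmatch.fnmatchcase(actual, p) for p in patterns)
        else:
            raise ValueError(f"operator {operator} not modelled")
        if not ok:
            return False
    return True


def can_assume(policy, claims):
    """True if a token carrying `claims` satisfies some Allow statement for AssumeRoleWithWebIdentity."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Action"] != "sts:AssumeRoleWithWebIdentity":
            continue
        if all(_matches(op, exp, claims) for op, exp in stmt.get("Condition", {}).items()):
            return True
    return False


def find_weaknesses(policy):
    """Flag trust-policy mistakes that make OIDC federation no tighter than a shared key."""
    issues = []
    for stmt in policy["Statement"]:
        keys = {k: v for block in stmt.get("Condition", {}).values() for k, v in block.items()}
        if f"{GITHUB_OIDC}:aud" not in keys:
            issues.append("no :aud condition: tokens minted for another audience are accepted")
        sub = keys.get(f"{GITHUB_OIDC}:sub")
        if sub is None:
            issues.append("no :sub condition: a workflow in ANY GitHub repository can assume this role")
            continue
        for pattern in (sub if isinstance(sub, list) else [sub]):
            if pattern == "*" or pattern.endswith("/*"):
                issues.append(f"sub {pattern!r} admits every repository in the org")
            elif "*" in pattern:
                issues.append(f"sub {pattern!r} is a wildcard: check it excludes pull_request and untrusted refs")
    return issues


if __name__ == "__main__":
    tight = trust_policy("123456789012", "repo:propelex/infra:ref:refs/heads/main")
    print(json.dumps(tight, indent=2))
    for sub in ("repo:propelex/infra:ref:refs/heads/main", "repo:propelex/infra:pull_request",
                "repo:someone-else/infra:ref:refs/heads/main"):
        print(f"{sub:50} -> {can_assume(tight, github_claims(sub))}")
    print(find_weaknesses(trust_policy("123456789012", None)))
```

The `sub` claim GitHub puts in the token encodes the repository plus the ref, environment, or `pull_request` that triggered the run, which is why an exact match on `repo:org/repo:ref:refs/heads/main` is the safe default and `repo:org/*` is not. `find_weaknesses` is the check to run across every role that trusts the GitHub provider before calling the pipeline “secretless”.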

04 / 06

What the IBM and GitGuardian Data Show

The CISA leak isn’t isolated. It sits inside a measurable shift in how attackers gain initial access.

IBM X-Force’s 2026 Threat Intelligence Index found that exploitation of public-facing applications was the most common initial access vector in 2025, up 44% year-over-year. Large supply chain and third-party compromises have nearly quadrupled since 2020. Vulnerability exploitation now accounts for 40% of all incidents X-Force responds to, the single most common way attackers get in.

The Structural Shift

The perimeter most enterprises spent a decade hardening is no longer where the breach starts. The breach starts in the build pipeline, in the developer workstation, in the third-party contractor’s GitHub account. Static credentials are the connective tissue that lets a single mis-commit become full infrastructure compromise.

CISA itself is operating under structural pressure that makes this worse. The agency has lost nearly a third of its workforce since the start of the second Trump administration: early retirements, buyouts, and resignations across divisions. Fewer people, the same number of contractors, the same volume of code, and the same architectural assumptions that made plaintext admin tokens possible in the first place.

05 / 06

What to Do This Quarter

The right response to the CISA leak is not a panicked rotation drill. It is a deliberate move toward an architecture in which a “Private-CISA” repository could not contain anything dangerous, even if a contractor pushed every file on their workstation.

  • Inventory every long-lived credential in your environment. Start with AWS access keys, Azure service principal secrets, GCP service account keys, and database passwords stored in code or configuration, and include CI/CD variable stores, container images, and Kubernetes Secret manifests checked into repositories. Most organizations underestimate this number by an order of magnitude.
  • Set an aggressive deprecation timeline for static cloud admin credentials. Within 90 days, every admin-level cloud credential should be issued through a broker (Vault, AWS IAM Roles Anywhere, GCP Workload Identity Federation, or Azure Managed Identity), scoped to specific workloads, and time-limited.
  • Move CI/CD authentication to OIDC trust. GitHub Actions, GitLab CI, and most build platforms support direct OIDC federation with the major clouds. The token is minted at workflow runtime, scoped to that workflow, and expires within minutes. No stored secrets required. The scoping only holds if the cloud-side trust policy pins the token’s subject claim to the repository and branch that should deploy; a trust policy that checks only the audience, or matches the whole organization with a wildcard, lets any workflow mint the same credentials.
  • Enforce GitHub secret-scanning organization-wide and disable opt-outs. The CISA contractor explicitly disabled this control. Make it a hard policy: no repository, public or private, can disable push protection without security approval.
  • Audit third-party contractor access architecturally, not just contractually. Ask: what credentials does this contractor’s identity have access to, and are those credentials long-lived? If yes, that is the risk regardless of what any attestation document says.
  • Treat developer workstations as part of the security perimeter. Secrets are leaking from developer environments at roughly twice the rate of automated systems. Endpoint visibility on developer machines is no longer optional.
  • Run a “Private-CISA” tabletop. Walk through what would happen if a similar repository were discovered tomorrow. How long to revoke affected credentials? How would you confirm whether they had been used? Most organizations cannot answer either question in hours, let alone minutes.
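For the tabletop question “how would you confirm whether they had been used?”, here is an added example (not from the original post, and not CISA’s or GitGuardian’s tooling) that answers it from CloudTrail records. It assumes CloudTrail’s real event shape; the key IDs, IP addresses, calls and timestamps are constructed. It also follows the temporary credentials the leaked key minted through STS, because those sessions carry their own expiry and are not guaranteed to stop working when the long-lived key is deactivated.

```python
"""Added example for this post, not from the original article and not tooling
from CISA, GitGuardian or AWS: answering "were the leaked keys used, and from
where?" from CloudTrail. Events follow CloudTrail's real JSON shape (`eventTime`,
`eventName`, `eventSource`, `sourceIPAddress`, `errorCode`,
`userIdentity.accessKeyId`, and `responseElements.credentials.accessKeyId` on
STS calls that mint temporary credentials); key IDs, IPs, calls and timestamps
are constructed. Temporary credentials minted with a leaked key have their own
expiry and are not guaranteed to die with it, so the triage follows them too."""
from collections import Counter
from datetime import datetime, timezone


def _ts(s):
    """CloudTrail eventTime is ISO-8601 UTC with a trailing Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _event(time, key, name, src="sts.amazonaws.com", ip="203.0.113.10", error=None, minted=None):
    """One CloudTrail-shaped record (constructed test data, not a real log line)."""
    ev = {"eventTime": time, "eventName": name, "eventSource": src, "sourceIPAddress": ip,
          "userIdentity": {"type": "IAMUser", "accessKeyId": key}}
    if error:
        ev["errorCode"] = error
    if minted:
        ev["responseElements"] = {"credentials": {"accessKeyId": minted}}
    return ev


# Constructed timeline: the key is used from the expected CI address, then from an
# unfamiliar address after the leak, mints a session token, probes IAM (denied),
# and the session keeps working after the long-lived key is deactivated.
SAMPLE_EVENTS = [
    _event("2026-05-12T02:00:11Z", "AKIAEXAMPLELEAKED01", "GetCallerIdentity", ip="198.51.100.7"),
    _event("2026-05-19T03:41:22Z", "AKIAEXAMPLELEAKED01", "ListBuckets", src="s3.amazonaws.com"),
    _event("2026-05-19T03:42:05Z", "AKIAEXAMPLELEAKED01", "GetSessionToken", minted="ASIAEXAMPLETEMP0001"),
    _event("2026-05-19T03:43:10Z", "AKIAEXAMPLELEAKED01", "CreateUser", src="iam.amazonaws.com", error="AccessDenied"),
    _event("2026-05-19T08:00:00Z", "AKIAEXAMPLEOTHER002", "DescribeInstances", src="ec2.amazonaws.com"),
    _event("2026-05-20T10:00:00Z", "ASIAEXAMPLETEMP0001", "ListSecrets", src="secretsmanager.amazonaws.com"),
    _event("2026-05-20T13:00:00Z", "ASIAEXAMPLETEMP0001", "GetSecretValue", src="secretsmanager.amazonaws.com"),
]


def triage_key(events, leaked_key, deactivated_at=None, known_ips=()):
    """Report on `leaked_key` and, transitively, on every temporary key it minted.

    Returns {access_key_id: summary}. `after_deactivation` is what kept happening
    once the long-lived key was disabled, the number most tabletops cannot produce.
    """
    deact = _ts(deactivated_at) if deactivated_at else None
    queue, report = [leaked_key], {}
    while queue:
        key = queue.pop(0)
        if key in report:
            continue
        mine = sorted((e for e in events if e["userIdentity"].get("accessKeyId") == key),
                      key=lambda e: _ts(e["eventTime"]))
        # successful STS calls that returned credentials: follow those key IDs as well
        minted = [e["responseElements"]["credentials"]["accessKeyId"]
                  for e in mine
                  if "errorCode" not in e and "credentials" in e.get("responseElements", {})]
        queue.extend(minted)
        ips = sorted({e["sourceIPAddress"] for e in mine})
        report[key] = {
            "used": bool(mine),
            "first_seen": mine[0]["eventTime"] if mine else None,
            "last_seen": mine[-1]["eventTime"] if mine else None,
            "source_ips": ips,
            "unexpected_ips": [ip for ip in ips if ip not in set(known_ips)],
            "calls": Counter(e["eventName"] for e in mine),
            "denied": [(e["eventTime"], e["eventName"]) for e in mine if e.get("errorCode")],
            "after_deactivation": [(e["eventTime"], e["eventName"]) for e in mine
                                   if deact is not None and _ts(e["eventTime"]) > deact],
            "minted_temporary_keys": minted,
        }
    return report


if __name__ == "__main__":
    result = triage_key(SAMPLE_EVENTS, "AKIAEXAMPLELEAKED01",
                        deactivated_at="2026-05-20T09:00:00Z", known_ips={"198.51.100.7"})
    for key, summary in result.items():
        print(key, summary)
```

In a real response the events come from `aws cloudtrail lookup-events` (lookup attribute `AccessKeyId`) or the account’s CloudTrail S3 bucket or Athena table, filtered on the leaked key IDs, and the deactivation timestamp is the IAM change you made. A non-empty `after_deactivation` list on any ASIA key is the evidence that disabling the AKIA key alone did not end the incident; the role or user sessions have to be revoked as well.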
06 / 06

The Bigger Picture

The CISA leak is uncomfortable because it punctures a comforting assumption: that the agency telling everyone else how to do security has its own house in order. It does not. And the reason is not that CISA is uniquely careless. The reason is that the architecture every cloud-adopting enterprise still relies on, static, long-lived, copy-pastable credentials, was built for a world that no longer exists.

The attackers operating against modern enterprises are not fishing for credentials at the login page. They are reading public GitHub commits, scanning leaked archives, and chaining stolen tokens through build pipelines into production. Every long-lived admin secret sitting in a file somewhere is a future incident waiting for a clock to start.

Static secrets are dead. The architectures still relying on them just haven’t admitted it yet.

Propelex Security Intelligence

The organizations that move now, before the next leak, before the next IBM index, before the next State of Secrets Sprawl report, will be the ones that don’t end up as the case study.

From Propelex
Your static secrets are already out there. Do you know where?

Propelex helps enterprises move from credential sprawl to broker-issued, short-lived, scoped authentication across cloud, CI/CD, and third-party environments. We start by mapping every long-lived credential in your environment and identifying where the blast radius is largest, then rebuild the access architecture from there.