
There you have it. The agency in charge of protecting America's critical infrastructure just left…

May 19, 2026
Cybersecurity
There you have it. The agency in charge of protecting America's critical infrastructure just left its own admin passwords sitting in a public GitHub repo.

A CISA contractor — the Cybersecurity and Infrastructure Security Agency, the people who LECTURE every federal agency and private company on how to secure their systems — posted AWS GovCloud admin credentials, plaintext usernames and passwords, SSH keys, and internal system logs to a public repository.

The repo was literally called "Private-CISA."

You can't make this up.

One file was named "importantAWStokens" — containing admin credentials to three GovCloud servers. Another was a CSV called "AWS-Workspace-Firefox-Passwords" — plaintext passwords for dozens of internal CISA systems. In a spreadsheet. On GitHub. For anyone on earth to find.

It gets worse. The contractor DELIBERATELY disabled GitHub's built-in secret-scanning protection — the feature specifically designed to stop you from accidentally publishing credentials. They turned off the safety net, then drove off the cliff.

Security researcher Guillaume Valadon at GitGuardian discovered the exposure on May 15. He called it "the worst leak I've witnessed in my career." Philippe Caturegli at Seralys independently tested the AWS keys and confirmed — they worked. Full access.

One of the exposed systems was CISA's own Landing Zone DevSecOps environment — their SECURE code development infrastructure. Protected by passwords in a public CSV.

And here's what should terrify you: it wasn't CISA that caught it. It was a PRIVATE security firm. GitGuardian had to contact a journalist because the contractor wasn't even responding to alerts.

This is the agency that publishes guidance telling everyone ELSE how to handle credentials. The agency that runs vulnerability assessments on other people's systems. The agency that exists for ONE reason — to stop exactly this.

I have been warning about this for years. Government cybersecurity is a joke. The people writing the rules can't follow their own playbook. Kindergarten-level security from the agency lecturing the rest of us.

Full story on UnbiasedHeadlines.com — I built it because stories like this deserve the full breakdown, not the sanitized headline: https://lnkd.in/eJKMQQ7J

A DISGRACE.

You've been warned.