A CISA administrator's public GitHub repository exposed plaintext passwords, SSH private keys, and tokens due to the deliberate disabling of GitHub's default secret-scanning protections. The repository, named "Private-CISA," was publicly accessible from at least November 2025 until it was taken offline. No CVSS score, specific affected versions, fixed versions, or workarounds are provided in the source article.
Security researcher Brian Krebs brings us the news that America's Cybersecurity & Infrastructure Agency (CISA) has had a large store of plaintext passwords, SSH private keys, tokens, and "other sensitive CISA assets" exposed in a public GitHub repo since at least November 2025. The now-offline public repo—named, somewhat aspirationally, "Private-CISA"—was brought to Krebs' attention by GitGuardian's Guillaume Valadon , who was alerted to the repo's presence by GitGuardian's public code scans. Krebs says that Valadon approached him after receiving no responses from the Private-CISA repo's owner. In an email to Krebs, Valadon claimed that the repo's commit logs show that GitHub's default protections against committing secrets—protections designed to protect unwitting or unskilled developers against exactly this kind of stupidness—had been disabled by the repo's administrator. Read full article Comments