{"id":149,"date":"2026-05-20T15:33:27","date_gmt":"2026-05-20T15:33:27","guid":{"rendered":"https:\/\/onionmail.org\/blog\/?p=149"},"modified":"2026-05-20T15:33:27","modified_gmt":"2026-05-20T15:33:27","slug":"the-cisa-github-leak-what-six-months-of-exposed-credentials-tell-us-about-systemic-security-failures","status":"publish","type":"post","link":"https:\/\/onionmail.org\/blog\/the-cisa-github-leak-what-six-months-of-exposed-credentials-tell-us-about-systemic-security-failures\/","title":{"rendered":"The CISA GitHub Leak: What Six Months of Exposed Credentials Tell Us About Systemic Security Failures"},"content":{"rendered":"<p class=\"font-claude-response-body break-words whitespace-normal leading-[1.7]\">On May 15, 2026, security researcher Guillaume Valadon of <a class=\"underline underline underline-offset-2 decoration-1 decoration-current\/40 hover:decoration-current focus:decoration-current\" href=\"https:\/\/www.gitguardian.com\">GitGuardian<\/a> flagged a public GitHub repository called &#8220;Private-CISA&#8221; that had been sitting exposed since November 13, 2025. Inside were administrative credentials to three AWS GovCloud accounts, plaintext passwords for dozens of internal CISA systems, SAML certificates, API tokens, and 844 MB of operational data. Investigative journalist Brian Krebs broke the story publicly on <a class=\"underline underline underline-offset-2 decoration-1 decoration-current\/40 hover:decoration-current focus:decoration-current\" href=\"https:\/\/krebsonsecurity.com\/2026\/05\/cisa-admin-leaked-aws-govcloud-keys-on-github\/\">KrebsOnSecurity<\/a> on May 19.<\/p>\n<p class=\"font-claude-response-body break-words whitespace-normal leading-[1.7]\">The repository was maintained by a contractor working for <a class=\"underline underline underline-offset-2 decoration-1 decoration-current\/40 hover:decoration-current focus:decoration-current\" href=\"https:\/\/nightwing.com\">Nightwing<\/a>, a U.S. government services firm. 
The contractor had apparently been using the public repo as a personal file-sync tool between work and home machines for six months.<\/p>\n<p class=\"font-claude-response-body break-words whitespace-normal leading-[1.7]\">Valadon described it as &#8220;the worst leak that I&#8217;ve witnessed in my career.&#8221; Looking at the details, that&#8217;s not hyperbole.<\/p>\n<h2 class=\"text-text-100 mt-3 -mb-1 text-[1.125rem] font-bold\">What Was in the Repository<\/h2>\n<p class=\"font-claude-response-body break-words whitespace-normal leading-[1.7]\">The repository contained exactly the kind of material that should never touch a public surface:<\/p>\n<ul class=\"[li_&amp;]:mb-0 [li_&amp;]:mt-1 [li_&amp;]:gap-1 [&amp;:not(:last-child)_ul]:pb-1 [&amp;:not(:last-child)_ol]:pb-1 list-disc flex flex-col gap-1 pl-8 mb-3\">\n<li class=\"font-claude-response-body whitespace-normal break-words pl-2\">An <code class=\"bg-text-200\/5 border border-0.5 border-border-300 text-danger-000 whitespace-pre-wrap rounded-[0.4rem] px-1 py-px text-[0.9rem]\">importantAWStokens<\/code> file with administrative credentials for three AWS GovCloud environments.<\/li>\n<li class=\"font-claude-response-body whitespace-normal break-words pl-2\">An <code class=\"bg-text-200\/5 border border-0.5 border-border-300 text-danger-000 whitespace-pre-wrap rounded-[0.4rem] px-1 py-px text-[0.9rem]\">AWS-Workspace-Firefox-Passwords.csv<\/code> containing plaintext credentials for internal CISA systems, including the agency&#8217;s &#8220;Landing Zone DevSecOps&#8221; environment.<\/li>\n<li class=\"font-claude-response-body whitespace-normal break-words pl-2\">SSH keys, Entra ID SAML certificates, and API tokens for internal Artifactory and other development infrastructure.<\/li>\n<li class=\"font-claude-response-body whitespace-normal break-words pl-2\">CI\/CD build logs, Kubernetes manifests, ArgoCD application files, and secret-laden YAML files.<\/li>\n<li class=\"font-claude-response-body 
whitespace-normal break-words pl-2\">Directory names like <code class=\"bg-text-200\/5 border border-0.5 border-border-300 text-danger-000 whitespace-pre-wrap rounded-[0.4rem] px-1 py-px text-[0.9rem]\">Backup-April-2026\/<\/code>, <code class=\"bg-text-200\/5 border border-0.5 border-border-300 text-danger-000 whitespace-pre-wrap rounded-[0.4rem] px-1 py-px text-[0.9rem]\">All Backups\/<\/code>, <code class=\"bg-text-200\/5 border border-0.5 border-border-300 text-danger-000 whitespace-pre-wrap rounded-[0.4rem] px-1 py-px text-[0.9rem]\">LZ-Artifactory\/<\/code>, and <code class=\"bg-text-200\/5 border border-0.5 border-border-300 text-danger-000 whitespace-pre-wrap rounded-[0.4rem] px-1 py-px text-[0.9rem]\">Kubernetes-Important-Yaml-Files\/<\/code>.<\/li>\n<\/ul>\n<p class=\"font-claude-response-body break-words whitespace-normal leading-[1.7]\">Philippe Caturegli of <a class=\"underline underline underline-offset-2 decoration-1 decoration-current\/40 hover:decoration-current focus:decoration-current\" href=\"https:\/\/www.seralys.com\">Seralys<\/a>, who independently verified some of the exposed credentials, confirmed they were still valid and granted high-level access when tested. The repository was taken offline within roughly 24 hours of CISA being notified, but some AWS keys reportedly remained valid for another 48 hours after that.<\/p>\n<p class=\"font-claude-response-body break-words whitespace-normal leading-[1.7]\">According to Valadon&#8217;s analysis of public GitHub events, the repository was never forked. That&#8217;s a weak indicator that the data didn&#8217;t circulate widely\u2014but as he noted, external observers can&#8217;t detect clones, so an individual download can&#8217;t be ruled out.<\/p>\n<h2 class=\"text-text-100 mt-3 -mb-1 text-[1.125rem] font-bold\">The Detail That Matters Most<\/h2>\n<p class=\"font-claude-response-body break-words whitespace-normal leading-[1.7]\">Plenty of breaches happen because of accidents. 
This wasn&#8217;t one of them.<\/p>\n<p class=\"font-claude-response-body break-words whitespace-normal leading-[1.7]\">The contractor had <strong>deliberately disabled GitHub&#8217;s built-in secret scanning<\/strong>, the automated feature that normally blocks pushes containing what look like API keys, passwords, or credentials. The commit history reportedly showed explicit commands to bypass these protections.<\/p>\n<p class=\"font-claude-response-body break-words whitespace-normal leading-[1.7]\">This changes how the incident reads. It&#8217;s not &#8220;someone made a mistake.&#8221; It&#8217;s &#8220;someone hit a guardrail, turned it off, and kept going\u2014for six months, without anyone noticing.&#8221; Caturegli observed that this pattern\u2014developers turning off secret scanning under deadline pressure when a push fails\u2014is more common than it should be. The correct response when a secret-scanning tool blocks a push is to remove the secret from the commit, not to remove the detector.<\/p>\n<p class=\"font-claude-response-body break-words whitespace-normal leading-[1.7]\">The other detail worth noting: the contractor used both a CISA-issued contractor email and a personal Yahoo account across commits in the same repository, and the GitHub account itself was personal. That mixed-identity pattern, where work credentials and personal infrastructure get tangled together, is one of the hardest surfaces for any security team to monitor. Valadon called it &#8220;where the worst leaks happen.&#8221;<\/p>\n<p class=\"font-claude-response-body break-words whitespace-normal leading-[1.7]\">Weak password practices compounded the problem. 
Many of the exposed credentials reportedly followed predictable patterns\u2014platform name plus current year\u2014the kind of thing that would constitute a serious risk even on an internal-only network.<\/p>\n<h2 class=\"text-text-100 mt-3 -mb-1 text-[1.125rem] font-bold\">The Structural Problem<\/h2>\n<p class=\"font-claude-response-body break-words whitespace-normal leading-[1.7]\">The real story isn&#8217;t a contractor with bad habits. The real story is that the system around the contractor was designed to fail slowly.<\/p>\n<p class=\"font-claude-response-body break-words whitespace-normal leading-[1.7]\">Consider what would need to be true for this incident not to happen:<\/p>\n<ul class=\"[li_&amp;]:mb-0 [li_&amp;]:mt-1 [li_&amp;]:gap-1 [&amp;:not(:last-child)_ul]:pb-1 [&amp;:not(:last-child)_ol]:pb-1 list-disc flex flex-col gap-1 pl-8 mb-3\">\n<li class=\"font-claude-response-body whitespace-normal break-words pl-2\">Secret scanning enforced at the organization level, not toggleable by individual users.<\/li>\n<li class=\"font-claude-response-body whitespace-normal break-words pl-2\">Detection of contractor accounts pushing CISA material to personal repositories.<\/li>\n<li class=\"font-claude-response-body whitespace-normal break-words pl-2\">Review processes that flag the appearance of files named <code class=\"bg-text-200\/5 border border-0.5 border-border-300 text-danger-000 whitespace-pre-wrap rounded-[0.4rem] px-1 py-px text-[0.9rem]\">Important AWS Tokens.txt<\/code> in any commit.<\/li>\n<li class=\"font-claude-response-body whitespace-normal break-words pl-2\">Rotation policies that would have invalidated those credentials long before six months had elapsed.<\/li>\n<li class=\"font-claude-response-body whitespace-normal break-words pl-2\">Identity controls that prevent mixing of work and personal email addresses on commits touching sensitive code.<\/li>\n<\/ul>\n<p class=\"font-claude-response-body break-words whitespace-normal 
leading-[1.7]\">None of these are exotic controls. They&#8217;re standard hygiene for organizations handling sensitive infrastructure. Their absence here suggests something deeper than individual negligence: a governance gap where the responsibility for enforcing basic controls didn&#8217;t actually land on anyone with authority to enforce them.<\/p>\n<p class=\"font-claude-response-body break-words whitespace-normal leading-[1.7]\">The agency has also been operating under significant institutional strain. CISA has experienced substantial workforce reductions in recent years\u2014roughly a third of its staff, according to reporting around the incident\u2014alongside budget pressure and leadership instability. None of this excuses the failure, but it provides context for why oversight gaps may have widened.<\/p>\n<h2 class=\"text-text-100 mt-3 -mb-1 text-[1.125rem] font-bold\">Why This Connects to Email Privacy<\/h2>\n<p class=\"font-claude-response-body break-words whitespace-normal leading-[1.7]\">If you&#8217;ve read our earlier guide on <a class=\"underline underline underline-offset-2 decoration-1 decoration-current\/40 hover:decoration-current focus:decoration-current\" href=\"https:\/\/onionmail.org\/blog\/what-to-do-when-your-email-is-in-a-data-breach-and-why-you-cant-really-fix-it\/\">what to do when your email is in a data breach<\/a>, you know we&#8217;ve been blunt about one point: a breach is a permanent event. Once data is out, it&#8217;s out. 
The CISA incident is a high-profile example of the same principle, applied to government credentials rather than user accounts.<\/p>\n<p class=\"font-claude-response-body break-words whitespace-normal leading-[1.7]\">There&#8217;s a useful parallel here for anyone thinking about email security.<\/p>\n<p class=\"font-claude-response-body break-words whitespace-normal leading-[1.7]\">Email systems and DevOps environments handle credentials differently, but the architectural lesson is the same: <strong>when a service requires users to trust the provider with sensitive material, the provider becomes responsible for ensuring that material doesn&#8217;t leak through avoidable channels.<\/strong> That responsibility extends to how operations are structured, not just how the cryptography is configured.<\/p>\n<p class=\"font-claude-response-body break-words whitespace-normal leading-[1.7]\">What the CISA incident demonstrates is what happens when that responsibility gets distributed across contractors, personal machines, and toggleable controls. Six months of exposure is what failure looks like when no single point in the system has both the visibility and the authority to stop it.<\/p>\n<p class=\"font-claude-response-body break-words whitespace-normal leading-[1.7]\">For an email provider, the equivalent question is whether credentials, keys, and authentication tokens can ever end up in places where a single individual&#8217;s mistake exposes thousands of users. The architectural answer involves keeping plaintext material out of any system that doesn&#8217;t strictly need it, enforcing organizational-level controls on what can be pushed to external services, and minimizing the surface where mixed personal-and-work identities can blur the lines.<\/p>\n<p class=\"font-claude-response-body break-words whitespace-normal leading-[1.7]\">Onion Mail&#8217;s approach reflects some of these principles. 
End-to-end encrypted email is encrypted before it reaches our servers\u2014when users employ PGP, we don&#8217;t hold plaintext for those messages. PQCServer, the post-quantum messaging platform we maintain, is released under AGPL-3.0, which means the implementation is auditable rather than something users have to take on faith. These aren&#8217;t claims that operational mistakes are impossible. They&#8217;re choices about where the trust boundaries sit and how much damage a single failure can do.<\/p>\n<h2 class=\"text-text-100 mt-3 -mb-1 text-[1.125rem] font-bold\">The Practical Takeaway<\/h2>\n<p class=\"font-claude-response-body break-words whitespace-normal leading-[1.7]\">The CISA breach is a worst-case version of something that happens at smaller scales constantly. Credentials end up in places they shouldn&#8217;t be. Detectors get disabled when they&#8217;re inconvenient. Personal and work boundaries blur in ways that nobody notices until someone outside the organization does.<\/p>\n<p class=\"font-claude-response-body break-words whitespace-normal leading-[1.7]\">For individuals, the relevant lesson is the same as after any major breach: assume the data is out there, focus on limiting the blast radius, and don&#8217;t trust that &#8220;the issue has been resolved&#8221; actually means what it sounds like. The exposed AWS keys may have been rotated. The fact that they were exposed for six months is permanent.<\/p>\n<p class=\"font-claude-response-body break-words whitespace-normal leading-[1.7]\">For organizations, the lesson is harder: controls only work if they&#8217;re enforced at a level where individuals can&#8217;t bypass them under pressure. A secret scanner that any developer can disable is functionally optional. A policy nobody enforces is functionally absent.<\/p>\n<p class=\"font-claude-response-body break-words whitespace-normal leading-[1.7]\">The question raised by the CISA incident isn&#8217;t whether one contractor made a mistake. 
It&#8217;s why that mistake was structurally possible for six months inside an agency whose mission is to prevent exactly this kind of failure at scale.<\/p>\n<hr class=\"border-border-200 border-t-0.5 my-3 mx-1.5\" \/>\n<p class=\"font-claude-response-body break-words whitespace-normal leading-[1.7]\"><em>If you want to monitor whether your own email address has appeared in known breaches, Onion Mail includes <a class=\"underline underline underline-offset-2 decoration-1 decoration-current\/40 hover:decoration-current focus:decoration-current\" href=\"https:\/\/onionmail.org\">built-in breach monitoring<\/a> that checks against the Have I Been Pwned database without exposing your address to third parties. Status remains visible even after you change your password, because a breach\u2014as the CISA incident illustrates\u2014is not something you can really fix. It&#8217;s something you incorporate into how you operate going forward.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>A contractor for the U.S. 
Cybersecurity and Infrastructure Security Agency maintained a public GitHub repository containing AWS GovCloud credentials, plaintext passwords, and DevSecOps files for six months before researchers intervened.<\/p>\n","protected":false},"author":1,"featured_media":148,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[13],"tags":[181,190,179,188,186,185,183,180,187,184,182,189],"class_list":["post-149","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-tor-anonymity","tag-aws-govcloud","tag-ci-cd-security","tag-cisa","tag-contractor-security","tag-credential-exposure","tag-devsecops","tag-gitguardian","tag-github-leak","tag-government-cybersecurity","tag-nightwing","tag-secrets-management","tag-supply-chain-security"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.8 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>The CISA GitHub Leak: What Six Months of Exposed Credentials Tell Us About Systemic Security Failures - Onion Mail \u2014 Privacy, Encryption &amp; Tor<\/title>\n<meta name=\"description\" content=\"A CISA contractor left AWS GovCloud keys public for six months. 
The real story isn&#039;t the mistake\u2014it&#039;s why nobody caught it.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/onionmail.org\/blog\/the-cisa-github-leak-what-six-months-of-exposed-credentials-tell-us-about-systemic-security-failures\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"The CISA GitHub Leak: What Six Months of Exposed Credentials Tell Us About Systemic Security Failures - Onion Mail \u2014 Privacy, Encryption &amp; Tor\" \/>\n<meta property=\"og:description\" content=\"A CISA contractor left AWS GovCloud keys public for six months. The real story isn&#039;t the mistake\u2014it&#039;s why nobody caught it.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/onionmail.org\/blog\/the-cisa-github-leak-what-six-months-of-exposed-credentials-tell-us-about-systemic-security-failures\/\" \/>\n<meta property=\"og:site_name\" content=\"Onion Mail \u2014 Privacy, Encryption &amp; Tor\" \/>\n<meta property=\"article:published_time\" content=\"2026-05-20T15:33:27+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/onionmail.org\/wp-content\/uploads\/2026\/05\/leak-20260520.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1200\" \/>\n\t<meta property=\"og:image:height\" content=\"800\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Onion Mail\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Onion Mail\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"6 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/onionmail.org\\\/blog\\\/the-cisa-github-leak-what-six-months-of-exposed-credentials-tell-us-about-systemic-security-failures\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/onionmail.org\\\/blog\\\/the-cisa-github-leak-what-six-months-of-exposed-credentials-tell-us-about-systemic-security-failures\\\/\"},\"author\":{\"name\":\"Onion Mail\",\"@id\":\"https:\\\/\\\/onionmail.org\\\/blog\\\/#\\\/schema\\\/person\\\/165910c3149db6a9320ddae7d7a17cab\"},\"headline\":\"The CISA GitHub Leak: What Six Months of Exposed Credentials Tell Us About Systemic Security Failures\",\"datePublished\":\"2026-05-20T15:33:27+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/onionmail.org\\\/blog\\\/the-cisa-github-leak-what-six-months-of-exposed-credentials-tell-us-about-systemic-security-failures\\\/\"},\"wordCount\":1307,\"commentCount\":0,\"image\":{\"@id\":\"https:\\\/\\\/onionmail.org\\\/blog\\\/the-cisa-github-leak-what-six-months-of-exposed-credentials-tell-us-about-systemic-security-failures\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/onionmail.org\\\/wp-content\\\/uploads\\\/2026\\\/05\\\/leak-20260520.jpg\",\"keywords\":[\"AWS GovCloud\",\"CI\\\/CD security\",\"CISA\",\"contractor security\",\"credential exposure\",\"DevSecOps\",\"GitGuardian\",\"GitHub leak\",\"government cybersecurity\",\"Nightwing\",\"secrets management\",\"supply chain security\"],\"articleSection\":[\"Tor &amp; 
Anonymity\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/onionmail.org\\\/blog\\\/the-cisa-github-leak-what-six-months-of-exposed-credentials-tell-us-about-systemic-security-failures\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/onionmail.org\\\/blog\\\/the-cisa-github-leak-what-six-months-of-exposed-credentials-tell-us-about-systemic-security-failures\\\/\",\"url\":\"https:\\\/\\\/onionmail.org\\\/blog\\\/the-cisa-github-leak-what-six-months-of-exposed-credentials-tell-us-about-systemic-security-failures\\\/\",\"name\":\"The CISA GitHub Leak: What Six Months of Exposed Credentials Tell Us About Systemic Security Failures - Onion Mail \u2014 Privacy, Encryption &amp; Tor\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/onionmail.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/onionmail.org\\\/blog\\\/the-cisa-github-leak-what-six-months-of-exposed-credentials-tell-us-about-systemic-security-failures\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/onionmail.org\\\/blog\\\/the-cisa-github-leak-what-six-months-of-exposed-credentials-tell-us-about-systemic-security-failures\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/onionmail.org\\\/wp-content\\\/uploads\\\/2026\\\/05\\\/leak-20260520.jpg\",\"datePublished\":\"2026-05-20T15:33:27+00:00\",\"author\":{\"@id\":\"https:\\\/\\\/onionmail.org\\\/blog\\\/#\\\/schema\\\/person\\\/165910c3149db6a9320ddae7d7a17cab\"},\"description\":\"A CISA contractor left AWS GovCloud keys public for six months. 
The real story isn't the mistake\u2014it's why nobody caught it.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/onionmail.org\\\/blog\\\/the-cisa-github-leak-what-six-months-of-exposed-credentials-tell-us-about-systemic-security-failures\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/onionmail.org\\\/blog\\\/the-cisa-github-leak-what-six-months-of-exposed-credentials-tell-us-about-systemic-security-failures\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/onionmail.org\\\/blog\\\/the-cisa-github-leak-what-six-months-of-exposed-credentials-tell-us-about-systemic-security-failures\\\/#primaryimage\",\"url\":\"https:\\\/\\\/onionmail.org\\\/wp-content\\\/uploads\\\/2026\\\/05\\\/leak-20260520.jpg\",\"contentUrl\":\"https:\\\/\\\/onionmail.org\\\/wp-content\\\/uploads\\\/2026\\\/05\\\/leak-20260520.jpg\",\"width\":1200,\"height\":800,\"caption\":\"leak - A padlock rests on a computer keyboard.\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/onionmail.org\\\/blog\\\/the-cisa-github-leak-what-six-months-of-exposed-credentials-tell-us-about-systemic-security-failures\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/onionmail.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"The CISA GitHub Leak: What Six Months of Exposed Credentials Tell Us About Systemic Security Failures\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/onionmail.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/onionmail.org\\\/blog\\\/\",\"name\":\"Onion Mail \u2014 Privacy, Encryption & Tor\",\"description\":\"Anonymous email, PGP encryption and post-quantum security 
guides\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/onionmail.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/onionmail.org\\\/blog\\\/#\\\/schema\\\/person\\\/165910c3149db6a9320ddae7d7a17cab\",\"name\":\"Onion Mail\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f7d6948c15418aed2d5fc684c551bb93fe70d354338e034960230227dad93ec9?s=96&d=initials&r=g&initials=in\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f7d6948c15418aed2d5fc684c551bb93fe70d354338e034960230227dad93ec9?s=96&d=initials&r=g&initials=in\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f7d6948c15418aed2d5fc684c551bb93fe70d354338e034960230227dad93ec9?s=96&d=initials&r=g&initials=in\",\"caption\":\"Onion Mail\"},\"sameAs\":[\"https:\\\/\\\/onionmail.org\"],\"url\":\"https:\\\/\\\/onionmail.org\\\/blog\\\/author\\\/adminblogonion\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","_links":{"self":[{"href":"https:\/\/onionmail.org\/blog\/wp-json\/wp\/v2\/posts\/149","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/onionmail.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/onionmail.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/onionmail.org\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/onionmail.org\/blog\/wp-json\/wp\/v2\/comments?post=149"}],"version-history":[{"count":1,"href":"https:\/\/onionmail.org\/blog\/wp-json\/wp\/v2\/posts\/149\/revisions"}],"predecessor-version":[{"id":150,"href":"https:\/\/onionmail.org\/blog\/wp-json\/wp\/v2\/posts\/149\/revisions\/150"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/onionmail.org\/blog\/wp-json\/wp\/v2\/media\/148"}],"wp:attachment":[{"href":"https:\/\/onionmail.org\/blog\/wp-json\/wp\/v2\/media?parent=149"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/onionmail.org\/blog\/wp-json\/wp\/v2\/categories?post=149"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/onionmail.org\/blog\/wp-json\/wp\/v2\/tags?post=149"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}