Last updated: July 5, 2026 at 9:01 AM UTC
All 557 Vulnerability 199 Breach 106 Threat 245 Defense 7
Tag: cisa (3 articles)Clear

Lawmakers demand answers from CISA over GitHub credential leak; agency still hasn't rotated all exposed keys a week later

A week after CISA was first notified of credentials leaking from its Private-CISA GitHub repository, the agency is still working to invalidate and replace many of the exposed keys, according to TruffleHog creator Dylan Ayrey. On May 19, Senator Maggie Hassan and Representatives Bennie Thompson and Delia Ramirez sent letters demanding answers, noting CISA has lost a third of its workforce and almost all senior leaders to forced retirements and buyouts. An RSA private key giving full read access to every CISA-IT GitHub repository was still active when Ayrey re-tested on May 20; CISA rotated it after KrebsOnSecurity's notification, but other critical credentials reportedly remain unrotated.

Check
If you are a Federal civilian agency, check whether CISA has reissued any credentials, tokens, or runner registrations that integrate with your environment. Treat shared secrets as still potentially exposed.
Affected
Any organization that integrates with CISA's GitHub estate, GitHub Apps owned by the CISA enterprise account, or CISA-IT internal CI/CD pipelines. Federal civilian agencies are primary.
Fix
Rotate any tokens or webhooks shared with CISA-IT systems pending the agency's full remediation. Use TruffleHog or GitGuardian to scan your own GitHub estate for the same class of leak.

CISA contractor leaked AWS GovCloud admin keys and dozens of plaintext passwords on public GitHub

A contractor with administrative access at CISA, the US agency that tells everyone else how to do cybersecurity, ran a public GitHub repository called Private-CISA that exposed administrative AWS GovCloud keys, plaintext passwords in CSVs for internal CISA systems, and credentials to the agency's internal artifactory. The owner had even disabled GitHub's default secret-scanning protections. Researcher Philippe Caturegli of Seralys validated that the AWS keys still worked against three high-privilege GovCloud accounts and could have given an attacker a launchpad to deploy backdoors into CISA's internal build pipelines. CISA says it is investigating and has seen no evidence of compromise.

Check
Search your GitHub org for repos named after internal projects, scan public-fork history with TruffleHog or GitGuardian, and verify GitHub push-protection is enabled at the org level.
Affected
Any organization where individual administrators can publish secrets to public GitHub repositories and override the default push-protection settings. CISA itself was the named victim.
Fix
Enforce GitHub Advanced Security push-protection and secret scanning at the org level. Rotate any AWS keys whose hashes appear in public commits. Treat developer GitHub accounts as Tier-0 identities.

FBI and CISA warn Iranian hackers are targeting internet-exposed Rockwell PLCs at US water and energy facilities

A joint FBI/CISA advisory warns that Iranian-affiliated APT actors are actively targeting internet-exposed Rockwell Automation and Allen-Bradley programmable logic controllers across US critical infrastructure - specifically Government Services, Water and Wastewater Systems, and Energy sectors. The attacks have caused financial losses and operational disruptions since March 2026, with the FBI confirming attackers extracted PLC project files and manipulated data displayed on HMI and SCADA systems. The escalation is linked to ongoing hostilities between Iran, the US, and Israel.

Check
If you operate or support organizations with industrial control systems, check whether any Rockwell/Allen-Bradley PLCs are directly exposed to the internet.
Affected
Organizations running internet-exposed Rockwell Automation and Allen-Bradley PLCs, particularly in water treatment, energy, and government facilities. Any PLC reachable from the public internet without VPN or network segmentation is at risk.
Fix
Remove all PLC management interfaces from internet exposure immediately - these should only be accessible via dedicated OT networks or VPN. Change all default credentials on PLCs and HMI systems. Monitor for unauthorized access to PLC project files and unexpected changes to HMI/SCADA displays. Follow the joint advisory's indicators of compromise and detection signatures.