Lawmakers demand answers from CISA over GitHub credential leak; agency still hasn't rotated all exposed keys a week later
A week after CISA was first notified of credentials leaking from its Private-CISA GitHub repository, the agency is still working to invalidate and replace many of the exposed keys, according to TruffleHog creator Dylan Ayrey. On May 19, Senator Maggie Hassan and Representatives Bennie Thompson and Delia Ramirez sent letters demanding answers, noting CISA has lost a third of its workforce and almost all senior leaders to forced retirements and buyouts. An RSA private key giving full read access to every CISA-IT GitHub repository was still active when Ayrey re-tested on May 20; CISA rotated it after KrebsOnSecurity's notification, but other critical credentials reportedly remain unrotated.
- Check: If you are a Federal civilian agency, check whether CISA has reissued any credentials, tokens, or runner registrations that integrate with your environment. Treat shared secrets as still potentially exposed.
- Affected: Any organization that integrates with CISA's GitHub estate, GitHub Apps owned by the CISA enterprise account, or CISA-IT internal CI/CD pipelines. Federal civilian agencies are the primary group affected.
- Fix: Rotate any tokens or webhooks shared with CISA-IT systems pending the agency's full remediation. Use TruffleHog or GitGuardian to scan your own GitHub estate for the same class of leak.