GitHub Credential Leak Highlights Cybersecurity Risks

CISA left sensitive credentials in a public GitHub repo for six months

GitHub credential leak: What happened and how it unfolded

The recent GitHub credential leak at the US Cybersecurity and Infrastructure Security Agency (CISA) demonstrates the critical importance of proper GitHub hygiene in cybersecurity. The incident came to light when a researcher from GitGuardian discovered a public GitHub repository containing plain-text passwords, private keys, tokens and secrets. These credentials were stored in files with obvious names such as “external-secret-repo-creds.yaml” and “AWS-Workspace-Firefox-Passwords.csv”.

For six months, the repository was accessible to anyone on the internet, putting sensitive production infrastructure material at risk. The repository included:

  • Tokens for internal JFrog Artifactory
  • Azure registry keys
  • AWS credentials
  • Kubernetes manifests
  • ArgoCD application files
  • Terraform infrastructure code
  • GitHub personal access tokens
  • Entra ID SAML certificates

After the leak was reported, CISA acted quickly and removed the repository within a day. According to CISA, there is currently no evidence that any sensitive data was compromised. However, the incident underscores the risks organisations face when secrets are accidentally exposed on public platforms.

Why GitHub credential leaks matter for cybersecurity

GitHub credential leaks are a significant cyber threat, as exposed secrets can lead to a range of attacks. In this case, the leaked credentials covered multiple services, making it possible for attackers to compromise infrastructure, deploy ransomware, or access confidential data.

Attack vectors enabled by exposed credentials

Each type of leaked secret unlocks a specific attack path. For example:

  • Cloud credentials: Unauthorised access to cloud resources, allowing attackers to exfiltrate data, disrupt operations or deploy malicious code.
  • API tokens: Abuse of APIs to manipulate or steal data, or trigger destructive actions.
  • Kubernetes manifests: Control over container orchestration and potential access to sensitive workloads.
  • Infrastructure code: Understanding the deployment architecture and finding further vulnerabilities.
  • Personal access tokens: Unauthorised changes to repositories, code or configurations.

In the wrong hands, these credentials could facilitate destructive attacks, ransomware deployment or persistent access to internal systems. Even if no evidence of abuse has been found, the mere exposure is a wake-up call for all organisations relying on GitHub and similar platforms.

The importance of GitHub hygiene and secret scanning

GitHub hygiene refers to the practices that ensure repositories are free from sensitive information and are properly secured. Secret scanning is a critical feature that helps detect and prevent the accidental exposure of credentials. The CISA leak reportedly included an explicit guide for disabling GitHub’s secret scanning, highlighting unsafe practices.

  • Accidentally committed backups and credentials can be easily overlooked in large repositories.
  • Plain-text passwords and keys stored in code or configuration files are a common cause of leaks.
  • Disabling automated secret scanning increases the risk of accidental exposure.

Organisations must understand that GitHub and other code repositories are not just development tools, but potential entry points for attackers if not properly managed.

How organisations can prevent GitHub credential leaks

Preventing GitHub credential leaks requires a multi-layered approach to security, combining technical controls with organisational policies. Here are key steps organisations should take:

Implement robust GitHub hygiene practices

  • Never store secrets (passwords, keys, tokens) in code repositories. Use environment variables or dedicated secret management tools.
  • Regularly review repositories for sensitive information before making them public.
  • Ensure backups and sensitive files are never committed to version control.

Enable and enforce secret scanning

  • Turn on GitHub’s built-in secret scanning for all repositories.
  • Use third-party tools to scan for credentials and secrets before code is pushed or merged.
  • Monitor scan results and act promptly to remediate any findings.
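The two lists above (keep secrets out of the repository, and scan before code is pushed or merged) can be enforced with a small pre-commit hook. The following is an added example, not code from the bulletin or from CISA: it scans the files staged in the Git index, flags file names of the kind reported in the incident, and flags contents that look like an AWS access key ID, a classic GitHub personal access token, a PEM private-key block, or a password/token field holding a literal value. A field whose value is a reference such as `${ARTIFACTORY_TOKEN}` is not flagged, which is the environment-variable pattern the first list recommends. The sample files at the bottom are constructed for this example and every value in them is fake; the pattern list is illustrative, not complete.

```python
"""Pre-commit secret scanner (added example; not the bulletin's or CISA's code).

Blocks a commit when a staged file name or its contents look like a credential.
Patterns are illustrative: AWS access key IDs (AKIA + 16 chars), classic GitHub
personal access tokens (ghp_ + 36 chars), PEM private-key headers, and
key: value / key = value lines whose key suggests a credential and whose value
is a literal rather than a reference such as ${ENV_VAR}.
"""
import re
import subprocess
import sys
from dataclasses import dataclass
from pathlib import Path


@dataclass(frozen=True)
class Finding:
    path: str
    line: int      # 0 means the finding is about the file name itself
    rule: str
    snippet: str   # redacted so the hook output does not leak the value


# Token formats with a recognisable shape.
TOKEN_RULES = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github-pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private-key-block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
}
# key: value or key = value lines where the key name suggests a credential.
CREDENTIAL_FIELD = re.compile(
    r"""^\s*["']?(?:password|passwd|pwd|secret|token|api[_-]?key)["']?\s*[:=]\s*["']?([^\s"']+)""",
    re.IGNORECASE,
)
# File names like the ones reported in the CISA repository.
SUSPICIOUS_NAME = re.compile(r"(?i)(cred|password|secret|token)")


def is_reference(value: str) -> bool:
    """True when the value points at the environment or a secret store instead of carrying the secret."""
    return value.startswith(("$", "<", "{{"))


def redact(value: str) -> str:
    """Keep a short prefix so a reviewer can recognise the value type, hide the rest."""
    return value[:4] + "*" * (len(value) - 4) if len(value) > 8 else "*" * len(value)


def scan_text(path: str, text: str) -> list[Finding]:
    findings = []
    if SUSPICIOUS_NAME.search(path):
        findings.append(Finding(path, 0, "suspicious-filename", path))
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in TOKEN_RULES.items():
            m = pattern.search(line)
            if m:
                findings.append(Finding(path, lineno, rule, redact(m.group(0))))
        m = CREDENTIAL_FIELD.match(line)
        if m and not is_reference(m.group(1)):
            findings.append(Finding(path, lineno, "plaintext-credential-field", redact(m.group(1))))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    return [f for path, text in files.items() for f in scan_text(path, text)]


def should_block(findings: list[Finding]) -> bool:
    return bool(findings)


def staged_files() -> list[str]:
    """Paths added, copied or modified in the index, as a pre-commit hook sees them."""
    out = subprocess.run(
        ["git", "diff", "--cached", "--name-only", "--diff-filter=ACM"],
        check=True, capture_output=True, text=True,
    ).stdout
    return [p for p in out.splitlines() if p]


def main() -> int:
    files = {}
    for p in staged_files():
        try:
            files[p] = Path(p).read_text(errors="replace")
        except OSError:
            continue  # deleted or unreadable path; nothing to scan
    findings = scan_files(files)
    for f in findings:
        print(f"{f.path}:{f.line}: {f.rule}: {f.snippet}", file=sys.stderr)
    return 1 if should_block(findings) else 0


# Constructed sample input: a leaky file next to its hardened equivalent. All values are fake.
SAMPLE_FILES = {
    "external-secret-repo-creds.yaml": (
        "artifactory:\n"
        "  url: https://artifactory.example.internal\n"
        "  password: hunter2\n"
    ),
    "app/config.yaml": (
        "artifactory:\n"
        "  url: https://artifactory.example.internal\n"
        "  token: ${ARTIFACTORY_TOKEN}\n"
    ),
    "deploy/terraform.tfvars": 'region = "us-east-1"\naws_access_key_id = "AKIAEXAMPLEEXAMPLE01"\n',
    "scripts/ci.sh": "export GITHUB_TOKEN=ghp_0123456789abcdefghijklmnopqrstuvwxyz\n",
    "deploy/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\n(key material omitted)\n-----END OPENSSH PRIVATE KEY-----\n",
}

if __name__ == "__main__":
    sys.exit(main())
```

Installed as `.git/hooks/pre-commit` (or run by a hook manager), a non-zero exit from `main()` stops the commit. Note that the hook only sees the index: backups and credential files that were committed before the hook existed still need a full-history scan and, if anything is found, rotation of the exposed values rather than a history rewrite alone.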

Practice rapid credential rotation and incident response

  • Have procedures to rotate credentials quickly if exposure occurs.
  • Audit all access and revoke any compromised tokens immediately.
  • Train staff on the risks of credential exposure and the need for secure coding practices.

Maintain visibility and accountability

  • Track who has access to repositories and enforce the principle of least privilege.
  • Apply regular audits to check for unsafe practices like disabling secret scanning.
  • Document and review incident response steps to improve future handling.
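The audit item above (checking for unsafe practices such as disabled secret scanning) can be automated against GitHub's REST API. The script below is an added example, not the bulletin's or CISA's code. It reads repository objects in the shape returned by `GET /orgs/{org}/repos` and reports every repository whose `security_and_analysis.secret_scanning` or `secret_scanning_push_protection` status is not `enabled`. It assumes the token used has admin access to the repositories, which GitHub requires before it includes the `security_and_analysis` block in the response; a repository without that block is reported as `unknown`, never as a pass, so a permission problem cannot masquerade as a clean audit. `SAMPLE_REPOS` is constructed for this example.

```python
"""Audit an organisation's repositories for disabled secret scanning (added example).

Not the bulletin's or CISA's code. Repository objects are in the shape GitHub's
REST API returns for GET /orgs/{org}/repos. Assumption: the token has admin
access, which GitHub requires before it includes security_and_analysis; when
that block is absent the repository is reported as "unknown", not as a pass.
"""
import json
import os
import sys
import urllib.request

FEATURES = ("secret_scanning", "secret_scanning_push_protection")


def assess(repo: dict) -> dict:
    """Classify one repository object as pass, fail or unknown."""
    name = repo.get("full_name", "<unnamed>")
    visibility = repo.get("visibility", "unknown")
    settings = repo.get("security_and_analysis")
    if not isinstance(settings, dict):
        return {"name": name, "visibility": visibility, "result": "unknown",
                "detail": "security_and_analysis absent; token may lack admin permission"}
    problems = []
    for feature in FEATURES:
        status = (settings.get(feature) or {}).get("status")
        if status != "enabled":
            problems.append(f"{feature}={status or 'missing'}")
    if problems:
        return {"name": name, "visibility": visibility, "result": "fail",
                "detail": ", ".join(problems)}
    return {"name": name, "visibility": visibility, "result": "pass", "detail": ""}


def audit(repos: list[dict]) -> list[dict]:
    return [assess(r) for r in repos]


def needs_attention(repos: list[dict]) -> list[str]:
    """Names of repositories that are not a clean pass, public ones first."""
    flagged = [r for r in audit(repos) if r["result"] != "pass"]
    flagged.sort(key=lambda r: (r["visibility"] != "public", r["name"]))
    return [r["name"] for r in flagged]


def fetch_org_repos(org: str, token: str) -> list[dict]:
    """Page through GET /orgs/{org}/repos with a Bearer token."""
    repos, page = [], 1
    while True:
        req = urllib.request.Request(
            f"https://api.github.com/orgs/{org}/repos?per_page=100&page={page}",
            headers={"Authorization": f"Bearer {token}",
                     "Accept": "application/vnd.github+json"},
        )
        with urllib.request.urlopen(req) as resp:
            batch = json.load(resp)
        if not batch:
            return repos
        repos.extend(batch)
        page += 1


# Constructed sample input in the shape of GitHub repository objects (fake organisation).
SAMPLE_REPOS = [
    {"full_name": "example-org/infra-live", "visibility": "public",
     "security_and_analysis": {"secret_scanning": {"status": "disabled"},
                               "secret_scanning_push_protection": {"status": "disabled"}}},
    {"full_name": "example-org/web-app", "visibility": "private",
     "security_and_analysis": {"secret_scanning": {"status": "enabled"},
                               "secret_scanning_push_protection": {"status": "enabled"}}},
    {"full_name": "example-org/legacy-scripts", "visibility": "public"},
]


def main() -> int:
    org = sys.argv[1] if len(sys.argv) > 1 else None
    token = os.environ.get("GITHUB_TOKEN")  # read from the environment, never hard-coded
    repos = fetch_org_repos(org, token) if org and token else SAMPLE_REPOS
    for r in audit(repos):
        print(f"{r['result']:7} {r['name']} ({r['visibility']}) {r['detail']}")
    return 1 if needs_attention(repos) else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run on a schedule, the non-zero exit gives a simple signal for a ticket or alert; public repositories are listed first because an exposure there is reachable by anyone, as the six-month CISA exposure shows.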

Lessons for all organisations from the CISA GitHub credential leak

The CISA incident is not unique. Many organisations face similar risks from public code repositories, and the consequences can be severe even for highly skilled teams. The key lessons include:

  • Credential exposure can happen to anyone: Even top cybersecurity agencies are not immune to human error and poor practices.
  • Quick response is essential: The rapid removal of the repository reduced the risk, but prevention is always better than cure.
  • Secret management is a shared responsibility: Developers, IT staff and security teams must work together to maintain secure repositories.

By adopting robust GitHub hygiene, enabling secret scanning and practising rapid credential rotation, organisations can better protect themselves from the risks of credential leaks and cyber threats.

Originally reported by www.theregister.com.


About the Author


Jonny Pelter

Partner

  • CIPM
  • CIPP/E
  • CISSP
  • CISM
  • CRISC
  • ISO27001
  • Prince2
  • MSc
  • BSc


Jonny is a Founding Partner at CyPro and executive group level CISO who has worked closely with the British intelligence agencies NCSC and GCHQ.

An ex-professional rugby player and originating from KPMG and Deloitte, Jonny has a wealth of experience across numerous sectors including technology, critical national infrastructure, financial services, oil & gas, insurance, betting, pharmaceuticals and utilities.

Jonny is a leading cyber security expert in the UK, having featured on national media for his professional commentary such as BBC News, iPlayer, Telegraph and Times Radio.

Published: May 19 - 2026
