An administrator at the Cybersecurity and Infrastructure Security Agency - the government body responsible for protecting critical infrastructure - accidentally published AWS GovCloud credentials on GitHub in a public repository literally named "Private-CISA." The irony is almost too perfect.
The repository, discovered by GitGuardian researchers on May 15, contained AWS GovCloud administrative credentials for three high-privilege accounts, plaintext passwords for dozens of internal CISA systems stored in CSV files, cloud access tokens, SSH keys, and internal documentation of the agency's software development processes. Essentially, everything you'd need to compromise CISA's secure development environment.
Here's the part that makes this worse: the contractor had deliberately disabled GitHub's built-in secret detection features. This wasn't an accidental paste into a public gist. This was systematic negligence - using a public GitHub repository as a personal synchronization tool between work and home computers, with active measures taken to prevent GitHub from warning about exposed secrets.
Security researchers found explicit commands to disable secret detection, passwords stored in plaintext CSV files, and backup files committed directly to Git. The exposed AWS keys remained valid for 48 hours after discovery, revealing inadequate credential revocation procedures at an agency that literally writes the playbook for government cybersecurity.
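As an added example (not code from the article, GitGuardian, or CISA), this is the kind of pre-commit check that would have caught the two artifacts described above: AWS access keys in any committed text, and populated password columns in CSV files. The key-format regexes, the password-like header names and the sample CSV are assumptions and constructed data, not anything from the incident.

```python
"""Scan text destined for a commit for AWS credentials and plaintext password columns."""
import csv
import io
import re

# Long-term AWS access key IDs start with AKIA, temporary ones with ASIA; both are
# 20 uppercase alphanumerics. Secret access keys are 40 chars of base64-like text.
# These patterns are assumptions for illustration, not an exhaustive ruleset.
AWS_KEY_ID = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
AWS_SECRET = re.compile(r"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=])")
# Column headers that should never carry a non-empty value in a committed CSV.
PASSWORD_HEADERS = {"password", "passwd", "pwd", "secret", "token"}


def scan_text(text):
    """Return (line_number, kind) for every token that looks like an AWS credential."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for _ in AWS_KEY_ID.finditer(line):
            findings.append((lineno, "aws_access_key_id"))
        for _ in AWS_SECRET.finditer(line):
            findings.append((lineno, "aws_secret_access_key"))
    return findings


def scan_csv(text):
    """Return (row_number, column) for every populated password-like CSV column."""
    reader = csv.DictReader(io.StringIO(text))
    hits = []
    for rownum, row in enumerate(reader, start=2):  # row 1 is the header line
        for col, value in row.items():
            if col and col.strip().lower() in PASSWORD_HEADERS and value and value.strip():
                hits.append((rownum, col))
    return hits


# Constructed sample in the shape of a "systems inventory" CSV; the key pair is the
# well-known AWS documentation example, not a real credential.
SAMPLE_CSV = "\n".join([
    "hostname,username,password,notes",
    "build01.example.internal,svc_build,Hunter2!2024,ci runner",
    "wiki.example.internal,admin,,rotated",
    "aws-govcloud,deploy,AKIAIOSFODNN7EXAMPLE,wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
])

if __name__ == "__main__":
    # A pre-commit hook would run both scans over each staged file and fail on any hit.
    print(scan_text(SAMPLE_CSV))   # [(4, 'aws_access_key_id'), (4, 'aws_secret_access_key')]
    print(scan_csv(SAMPLE_CSV))    # [(2, 'password'), (4, 'password')]
```

Note that the CSV check fires on row 2 even though no AWS pattern matches there: a scanner that only looks for vendor key formats would miss the dozens of plaintext system passwords the article describes.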
CISA teaches everyone else about security hygiene, but human error doesn't care about your job title. The agency publishes guidelines on secure development practices, credential management, and secrets detection. Their own contractor violated essentially every single one of those guidelines in a repository that could have been discovered by anyone with a GitHub account.
The timing is particularly bad. CISA has been operating with reduced staffing due to recent budget cuts and personnel losses. This breach occurred during a period when the agency needs credibility more than ever to justify its mission and funding. Nothing undermines trust in a security organization faster than being unable to secure your own systems.
The broader lesson isn't about one contractor's mistake - it's about the gap between security policy and security culture. CISA can mandate best practices, deploy monitoring tools, and publish incident response playbooks. But if the people building systems treat security as a checkbox exercise instead of an operational requirement, none of that infrastructure matters.