The Secret Left Unlocked
The headline calls it "a stunning display of stupid." That's Ars Technica house style, earned in this case.
What actually happened: CISA — the Cybersecurity and Infrastructure Security Agency, the federal body whose stated mission is protecting US digital infrastructure from adversarial attack — left SSH keys and plaintext passwords sitting in a public GitHub repository for approximately six months. Since November 2025.
CISA publishes advisories. It issues warnings to organizations that leave credentials exposed. It sends recommendations to federal agencies about credential hygiene. From November 2025 to May 2026, it was doing this while its own credentials were public.
I'll acknowledge the irony once and move on, because the internet will trade it for a week and someone should clear the air: yes, the security agency had a security failure. The doctor smokes. The locksmith's house got robbed. The irony is real and it is also, by the third paragraph of every take you'll read this week, a distraction.
The systemic story is less satisfying but more accurate.
CISA didn't fail because it's uniquely careless. It failed because the organizational practices that produce good external security guidance don't automatically produce internal security discipline — and the two frequently diverge, because the incentive structures driving each are nearly independent of each other.
The team writing CISA's threat advisories and the developer who committed credentials to a public repository operate in different worlds with different pressures and different definitions of done. Security expertise at the advisory level doesn't propagate into every operational corner of the organization that employs it. Hospitals have worse-than-expected hand hygiene compliance rates for the same reason: domain knowledge and behavioral consistency under operational pressure are different problems that require different solutions.
The credentials were there because someone committed them without triggering an automated scan. The scan wasn't running, or wasn't configured correctly, or wasn't enforced, or triggered an alert that nobody acted on. That's a systems and culture problem. It doesn't care how many threat reports the organization has published.
The whole premise of a security agency is that its clarity creates clarity downstream — that having a trusted, coherent source of security guidance makes the overall field less vulnerable. When the steward's own channel is compromised, the damage isn't only to CISA. It's to the credibility of every advisory they've issued and the authority of every one they'll issue next. Institutional authority is not a substitute for operational coherence. You cannot export security discipline you haven't maintained internally.
Whether anything was actually accessed through the exposed credentials is under investigation. Maybe nothing was breached. Maybe the keys were stale. Maybe this is embarrassing but bounded.
The question worth holding isn't whether this specific incident caused damage. It's whether the conditions that produced it are structural or accidental. You don't get six months of exposed credentials by accident — you get them by having no automated detection that caught it, or having detection that nobody acted on, or having a review culture that treats the public repo policy as someone else's responsibility. Any of those is a systems problem that exists independent of the specific credentials involved.
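The "automated detection" the two paragraphs above keep returning to is not exotic. Below is an added illustration, written for this post and not CISA's tooling or anything from the Ars Technica report, of the kind of check a pre-commit hook or CI job runs over committed text: it flags PEM/OpenSSH private-key headers and plaintext password assignments, skips obvious placeholders so the signal stays credible, masks the matched value so the secret never lands in a log, and exits non-zero so the finding blocks the commit rather than merely warning. The regexes, the placeholder list and the sample file contents are all constructed for the demo.

```python
"""Minimal secret scanner of the kind a pre-commit hook or CI job would run.

Added illustration, not CISA's tooling; the patterns and the sample file
contents below are constructed for the demo.
"""
import re
import sys
from dataclasses import dataclass

# Patterns (constructed for this example) for two of the credential types the
# post mentions: SSH/PEM private keys and plaintext passwords in config files.
PRIVATE_KEY_RE = re.compile(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----")
PASSWORD_RE = re.compile(
    r"""(?i)\b(?:password|passwd|pwd|secret)\b\s*[=:]\s*['"]?([^\s'"]+)""")

# Values that are safe to commit. A scanner that flags these trains people to
# ignore it, which is the "alert that nobody acted on" failure mode.
PLACEHOLDERS = {"changeme", "xxx", "<redacted>", "${PASSWORD}", "null"}


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str
    excerpt: str  # the offending line with the secret value masked


def scan_text(path: str, text: str) -> list[Finding]:
    """Return one Finding per suspicious line in a single file's contents."""
    findings: list[Finding] = []
    for no, line in enumerate(text.splitlines(), start=1):
        if PRIVATE_KEY_RE.search(line):
            findings.append(Finding(path, no, "private-key", line.strip()))
            continue
        m = PASSWORD_RE.search(line)
        if m and m.group(1) not in PLACEHOLDERS:
            # Never echo the secret itself into CI output; mask the value.
            masked = line.replace(m.group(1), "****")
            findings.append(Finding(path, no, "password", masked.strip()))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    """Scan a mapping of path -> contents (what a hook gets from git diff)."""
    out: list[Finding] = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


# Constructed sample repository contents; none of these are real credentials.
SAMPLE_FILES = {
    "deploy/id_ed25519": (
        "-----BEGIN OPENSSH PRIVATE KEY-----\n"
        "b3BlbnNzaC1rZXktdjEAAAAA...\n"
        "-----END OPENSSH PRIVATE KEY-----\n"
    ),
    "config/db.ini": "[db]\nhost = db.internal\npassword = hunter2\n",
    "config/example.ini": "[db]\nhost = db.internal\npassword = ${PASSWORD}\n",
    "README.md": "Set DB_PASSWORD in the environment before running.\n",
}


def main() -> int:
    findings = scan_files(SAMPLE_FILES)
    for f in findings:
        print(f"{f.path}:{f.line_no}: {f.kind}: {f.excerpt}")
    # A non-zero exit is what makes the check enforced rather than advisory.
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run against the constructed sample it reports the private key file and the `hunter2` line (masked) and exits 1, while the `${PASSWORD}` placeholder and the README sentence pass. The design point is the one the post makes: a scan that exists but is not enforced (no non-zero exit), or that cries wolf on placeholders until people mute it, produces the same six months of exposure as no scan at all.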
They'll patch it. There will be a statement about how they take security seriously and have launched a review. The statement will be accurate. It won't explain why the failure happened or what structural change prevents the next one.
We'll get thirty takes on the irony. One actual postmortem, if we're lucky. File it under: institutions whose stated function and operational practice diverged for six months without anyone noticing.
Source: Ars Technica