‘The Worst Leak That I’ve Witnessed’: U.S. Cybersecurity Agency Leaves Its Digital Keys Out in Public on GitHub
https://gizmodo.com/the-worst-leak-that-ive-witnessed-u-s-cybersecurity-agency-leaves-its-digital-keys-out-in-public-on-github-2000760330
View original on reddthat.com (816)
Comments (100)
vibe code go brrrrrrr
EDIT: wow it's far worse, it was a single contractor that decided that his convenience was above any and all security recommendations ever written. Pure. Genius!
Leaving passwords in plaintext has zero to do with “vibe coding”
It definitely can if an LLM did it.
I agree, and to expand the same point: even if the LLM didn't do it, it's entirely plausible the LLM recommended it and the dev just drank that Kool-Aid.
yeah, and this is why I edited my original post after reading the article.
Only the best people
You know what's ironic? FedRAMP rules dictate that Thou Must Scan Thy Repos for Secrets (tokens, passwords, etc)
GitHub, Bitbucket, etc. all have this out of the box for enterprise customers.
https://support.atlassian.com/bitbucket-data-center/kb/how-to-scan-for-and-remove-passwords-or-secrets-in-bitbucket-server-repositories/
Contractor, eh?
How much do you wanna bet he has close personal ties to the trump family and zero cybersecurity experience?
Six months of exposure.
There is zero chance that the CISA systems have not been comprehensively breached by every foreign adversary.
Good thing Trump cut 1/4 of their workforce last year. It's really paying dividends for Putin.
that chain saw is not at the correct height
It's only...what, about half a metre too high ?
It doesn't seem to have kickback brake, so it kinda is. It just should be running on full speed and hit something on the tip.
Bye Elon!
his peepee already no worky.
All going to plan, comrade
Breached? But we left the keys in the ignition and the door was wide open. We could have, you know, tried.
reminds me of when i lived in nashville and there had to be news bulletins reminding people to not leave firearms in their cars, as they were getting stolen.
For a moment, I chose to imagine the danger was that your unattended firearm would steal your unattended car.
that’s a new model s&w lol.
we could not have done shit.
jesus christ
This regime has caused so much damage to our national security, much of which we won't discover for years or decades. The Russians and Chinese (and literally anyone else) are probably fully infiltrated into our entire system in every aspect. SO fucking incompetent and corrupt.
We’re barely even trying with the massive cuts to cyber security. It’s almost the exact playbook you would use if leadership were actively hostile.
Trump and co are actively hostile to the US government though. There have been entire books written about how compromised he is. He's the perfect insider threat example: in debt to foreign powers, selfish and looking to make personal money, lies about his dealings, easily temptable with honeypot women (and Epstein girls, fucking sick), no allegiance or any form of duty to country or anything bigger than himself because he's a massive nihilist narcissist.
Really really scary times for anyone in America.
Don't worry, soon the folks in charge will come to the inevitable conclusion that the government systems are all compromised, so clearly the only solution is to privatise them and have the NSA run by Palantir.
you joke... but that's literally the plan. Thiel, Musk, Andreessen, Horowitz, and the rest of the Yarvinites are trying to consume as much of the government and state power as possible.
See, that's the thing. I always grew up with the phrase "Don't blame on malice what can be explained by incompetence".
But at a certain point, IS it incompetence anymore??? At this point it's starting to feel very very deliberate.
In this case it is both malice and incompetence acting together to create the worst possible outcomes.
They are hostile, their mission is to destroy us
We're also creating generations of new enemies and potential "terrorists".
And Democrats will inevitably be blamed when they attack us in the future.
I think we're headed towards a Troubles type scenario. Like a decade or more of stochastic terrorism, some organized groups, lots of violent suppression by the government, and further corporate capture of the state. I guess that's just the fascist end goal.
But wait
This is shameful incompetence. Just head-rolling abysmal incompetence. These are the people they hired, for all you 1337 hax0rz currently looking.
As a dev who’s been unemployed for 18 months your last sentence was pretty much my first thought when reading the article.
Sorry, I hear ya. You are so not the only one either. Hang in there. Hey - this place may have some open positions soon?
Outside of the sheer incompetence of this administration, is there ANY chance this was done intentionally as a honeypot or something along those lines?
The fact that the commits were explicit along with bypassing all the checks could read as someone trying to see who knocks on the door.
I don’t see it. Like the guy in the article said, it starts out looking like a joke . . . Buuuut it ain’t.
Not a honeypot. Treason.
ELIT please.
Explain like im Trump in case you didn't get the T bit. Sorry.
Our best and finest left the safe combo next to the safe and then left for 6 months.
Best and finest indeed. Thanks for the dumbing down for me.
Woke computer nerds fucked us
Edit: just to reassure the more anxious amongst us, I mean ‘woke’ in the maga sense of anything-i-don’t-like-is-woke. Not actually woke.
Actually woke computer nerds observe proper security protocols ffs.
Unfortunately you can’t ironically pretend to be a dumb asshole on the internet because you become indistinguishable from the actual dumb assholes
Poe’s law binds us all
Beautiful, woke computer nerds, and they're gonna replace nuclear. My uncle, he was a nuclear woke, and he said, he said you know what, computers are the future, they're gonna replace nuclear. He doesn't have the socks for it, and the electronic wokes, they have these socks that just make the computer work for them, ok, the computer works for them. The computers will work for the nuclear.
“Mistake”. Yeah, no. That’s someone thinking policies aren’t meant for them and blindly taking the easiest path. Sounds just like those 1337 hax0rs they gave the keys to
In a sane world this should get clearances revoked so they never again deal with any private data
GitHub gets autoscanned by thousands of malicious actors for keys and credentials on every commit, including the comments lol.
The fact that CISA themselves never saw an automated breach attempt only minutes after pushing to github is the more interesting story here.
Either the contractor is so incompetent that they didn't have any logging set up and the breach went completely unnoticed for 6 months.
Or this really is some fat honeypot that they won't admit is a honeypot because they've been using it to watch or bait APTs.
This is literally impossible unless it really was a honeypot. You can demo this yourself in real time. Make a throwaway cloud account on your favorite provider, commit the cloud auth token into a repo, and you will see an automated bot login within minutes.
Committing any secrets to a public repo should just be considered auto-compromised because of how potent it is.
That stuff usually gets exposed via poor CI/CD permissions where credentials are required, but a straight-up file commit is like publicly announcing exactly where you left your house keys lol.
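The comments above make two points an incident responder has to act on: a secret pushed to a public repo is compromised from the moment of the push, and in this case the exposure ran for months. Deleting the file later does not end it, because the key stays in history (and in every fork and clone). The block below is an added example, not code from the article, from CISA or from the contractor: it walks constructed `git log -p --all --date=iso` output, finds the commit in which each AWS access key ID first landed, the commit (if any) that removed it, and the length of the window. The AWS key-ID regex is an approximation, the commit hashes, author, dates and file names are invented, and the key values are the placeholder credentials from AWS's own documentation.

```python
import re
import sys
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

# Approximation of the AWS access key ID format (assumption, as in any scanner):
# AKIA (long-lived) or ASIA (temporary) followed by 16 uppercase alphanumerics.
AWS_KEY_ID = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")
COMMIT_RE = re.compile(r"^commit ([0-9a-f]{40})")
DATE_RE = re.compile(r"^Date:\s+(.+)$")


@dataclass
class Exposure:
    key_id: str
    introduced_in: str
    introduced_at: datetime
    removed_in: Optional[str]
    removed_at: Optional[datetime]
    exposed_days: float  # until removal from the tree, or until `now` if never removed


def parse_git_date(s: str) -> datetime:
    # `git log --date=iso` prints e.g. "2025-09-03 14:02:11 -0400"
    return datetime.strptime(s.strip(), "%Y-%m-%d %H:%M:%S %z")


def exposure_windows(log_text: str, now: Optional[datetime] = None) -> List[Exposure]:
    """Pair each key's earliest addition with its latest deletion in the patch
    stream. Commit order does not matter: add/remove are chosen by commit date."""
    now = now or datetime.now(timezone.utc)
    first_add, last_remove = {}, {}
    commit, date = None, None
    for line in log_text.splitlines():
        m = COMMIT_RE.match(line)
        if m:
            commit, date = m.group(1), None
            continue
        m = DATE_RE.match(line)
        if m and date is None:
            date = parse_git_date(m.group(1))
            continue
        if line.startswith(("+++", "---")) or commit is None or date is None:
            continue  # file headers, or text before the first commit
        if line.startswith("+"):
            for key in AWS_KEY_ID.findall(line):
                if key not in first_add or date < first_add[key][1]:
                    first_add[key] = (commit, date)
        elif line.startswith("-"):
            for key in AWS_KEY_ID.findall(line):
                if key not in last_remove or date > last_remove[key][1]:
                    last_remove[key] = (commit, date)
    result = []
    for key, (c_add, d_add) in sorted(first_add.items(), key=lambda kv: kv[1][1]):
        c_rm, d_rm = last_remove.get(key, (None, None))
        end = d_rm if d_rm is not None else now
        result.append(Exposure(key, c_add, d_add, c_rm, d_rm,
                               (end - d_add).total_seconds() / 86400))
    return result


# Constructed `git log -p --all --date=iso --reverse` output, not the real repo.
# Key IDs and the 40-char secret are AWS's documentation placeholders.
SAMPLE_LOG = """\
commit 1111111111111111111111111111111111111111
Author: Dev <dev@example.com>
Date:   2025-09-03 14:02:11 -0400

    sync helper so I can check in from home

diff --git a/sync.env b/sync.env
new file mode 100644
--- /dev/null
+++ b/sync.env
@@ -0,0 +1,2 @@
+AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
+AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

commit 2222222222222222222222222222222222222222
Author: Dev <dev@example.com>
Date:   2026-03-01 09:15:00 -0500

    remove creds from repo

diff --git a/sync.env b/sync.env
deleted file mode 100644
--- a/sync.env
+++ /dev/null
@@ -1,2 +0,0 @@
-AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
-AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

commit 3333333333333333333333333333333333333333
Author: Dev <dev@example.com>
Date:   2026-04-10 10:00:00 +0000

    temp creds for the migration script

diff --git a/migrate.sh b/migrate.sh
new file mode 100644
--- /dev/null
+++ b/migrate.sh
@@ -0,0 +1,1 @@
+export AWS_ACCESS_KEY_ID=ASIAI3EXAMPLE2ABCDEF
"""

if __name__ == "__main__":
    # Pipe real output in: git log -p --all --date=iso | python3 exposure.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    for e in exposure_windows(text):
        state = f"removed in {e.removed_in[:12]}" if e.removed_in else "STILL IN TREE"
        print(f"{e.key_id}: added {e.introduced_at:%Y-%m-%d} in {e.introduced_in[:12]}, "
              f"{state}, exposed {e.exposed_days:.1f} days; rotate regardless")
```

The "exposed days" figure is a lower bound on what matters: the deletion commit only takes the key out of the working tree, and anyone who cloned or forked in between still has it, so every key this reports has to be rotated, not just the ones flagged as still present.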
Can confirm: with one of my first Discord bots I accidentally committed the token, and within a day someone logged in and announced in every server it was in that the token was compromised.
Based greyhat
My first thought was that sounds intentional..
Straight up file committing is like making a copy of your house keys for anyone who can see you at that moment and all moments thereafter lol
Here's a link to the Krebs on Security article that Gizmodo used as a source: https://krebsonsecurity.com/2026/05/cisa-admin-leaked-aws-govcloud-keys-on-github/
Imagine fucking up so bad security researchers think it must be an obvious honey pot until they see what the credentials give access to
This isn't a leak. This is incompetency.
"Store gets robbed after owner leaves door wide open at night"
"Store owner invited robbers at night to steal their own goods" is how this article would word that
Why are people acting surprised? This is exactly what DOGE intended to do.
This is like being surprised someone died in a fatal car accident after their wheel came off on the highway because they handed a wheel and lug nuts to a 10 year old and said "put this on"
10 yr olds are allowed to work on cybertrucks?
Who knows what happens in Chinese factories?
"Leak"
Not exactly a B&E if I leave my keys where others can use them
That's a fire hydrant strength jet of piss.
Is this the same cybersecurity agency that fired all its professionals to replace them with sycophants?
It's dumb shit like this that reassures me that AI will definitely take over cyber security jobs and make shit even LESS secure than everything already is.
the few who will stay sharp will have endless job security
You'll have a history of pushing back so they'll regard you as a potential problem employee.
good luck with picking and choosing after brainrot as a service does irreparable damage
Governments and corporations are made up of people, and when people see other people treated like garbage, they tend to become less diligent in their own duties, and loyalty is thrown out the window. Revenge is never off the table.
Also, even if you get rid of everybody so that no witnesses of your injustice remain, you've filled those positions with neophytes, who are incompetent for quite some time (at least).
that's the notorious "double whammy catch-22 fuck around find out" phenomenon, a TRIPLE THREAT
We could just burn everything down and return to jungle law where the fascists will realize really quick how coddled they’ve been in life
Wow. Wowowowowowowowow. Wow.
It was super easy! Barely an inconvenience!
This is the only logical reaction, honestly 🤣
that's, uh... that's bad, right?
well, its not good
Unless you're China.
Mmmmm . . Nnno, i don’t have that one. Oh - there’s a “Ghyynah”, is that it?
OMG
I'm surprised whatever software the keys were for didn't detect this and deactivate the keys. Discord did this automatically when I pushed a file to GitHub that had a bot login token in it. Apparently Discord constantly scans GitHub for such things, or maybe GitHub does and sends Discord a msg, I dunno. But it was amazingly fast, like within 2 minutes.
that feature was probably deactivated, just like the feature on GitHub which prevents uploading of SSH keys that had been explicitly disabled
No, I just checked - it's part of GitHub's "Secret Scanning", which checks pushes for secret values and notifies partner services (like Discord) to deactivate them.
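Two comments in this thread point at the same control: the one noting that FedRAMP expects repos to be scanned for secrets, and the exchange just above about GitHub's secret scanning notifying partners. Both rely on the same basic detection, and a team can run its own copy of it as a pre-commit gate so the secret never reaches a push in the first place. The block below is an added example, not GitHub's, Bitbucket's or any provider's code: it combines provider-shaped patterns (an approximation of the AWS access key ID and secret key formats) with an entropy gate for generic `password=`/`token=` assignments, redacts what it reports so the hook's own output is safe to log, and exits non-zero when anything is found. The threshold, the regexes and the sample `.env` text are assumptions; the AWS values in the sample are the placeholder credentials from AWS's documentation.

```python
import math
import re
import sys
from dataclasses import dataclass
from typing import List

# Pattern approximations (assumption): AWS access key IDs start with AKIA (long-lived)
# or ASIA (temporary) plus 16 uppercase alphanumerics; the secret key is 40 base64-ish
# characters and is only flagged next to a credential keyword to limit false positives.
AWS_ACCESS_KEY_ID = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")
AWS_SECRET_KEY = re.compile(
    r"(?i)(?:aws_secret_access_key|secret_access_key|aws_secret)\s*[=:]\s*['\"]?"
    r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)
# Generic "password=" / "token=" / "secret=" assignments, gated by entropy below.
GENERIC_ASSIGN = re.compile(r"(?i)(?:password|passwd|token|secret)\s*[=:]\s*['\"]?([^\s'\"]{12,})")
ENTROPY_THRESHOLD = 3.5  # bits per character; hand-tuned assumption


@dataclass
class Finding:
    line_no: int
    kind: str
    sample: str  # redacted, so the hook's output does not itself leak the value


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random-looking strings score high."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(s: str) -> str:
    return f"{s[:4]}...{s[-2:]}" if len(s) > 8 else "***"


def scan_text(text: str) -> List[Finding]:
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for m in AWS_ACCESS_KEY_ID.finditer(line):
            findings.append(Finding(line_no, "aws_access_key_id", redact(m.group(1))))
        secret_hit = False
        for m in AWS_SECRET_KEY.finditer(line):
            secret_hit = True
            findings.append(Finding(line_no, "aws_secret_access_key", redact(m.group(1))))
        if secret_hit:
            continue  # do not report the same value again as a generic hit
        for m in GENERIC_ASSIGN.finditer(line):
            value = m.group(1)
            if shannon_entropy(value) >= ENTROPY_THRESHOLD:
                findings.append(Finding(line_no, "high_entropy_assignment", redact(value)))
    return findings


# Constructed sample modelled on a sync/.env file; AWS values are AWS doc placeholders.
SAMPLE = """\
# constructed sample
AWS_REGION=us-gov-west-1
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
DB_PASSWORD=hunter2hunter2
API_TOKEN=gh8f2Kq9Lm3nPz7xR4tVw1yB6cD0eF5hJ
DEBUG=true
"""


def main(paths: List[str]) -> int:
    """Pre-commit style gate: print findings and exit 1 if any secret-looking value is staged."""
    total = 0
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for f in scan_text(fh.read()):
                total += 1
                print(f"{path}:{f.line_no}: {f.kind} ({f.sample})")
    return 1 if total else 0


if __name__ == "__main__":
    # Hook usage: git diff --cached --name-only --diff-filter=AM | xargs python3 scan.py
    if len(sys.argv) > 1:
        sys.exit(main(sys.argv[1:]))
    for f in scan_text(SAMPLE):
        print(f"sample:{f.line_no}: {f.kind} ({f.sample})")
```

Run on the sample, it flags the AWS key ID, the AWS secret and the random-looking API token, and misses `DB_PASSWORD=hunter2hunter2`: that string is too regular to pass the entropy gate, which is exactly why pattern-plus-entropy scanners are a backstop, not a substitute for keeping credentials out of the working tree. GitHub's own scanning has the extra step this example cannot reproduce: it forwards a matched token to the issuing provider, which can validate and revoke it.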
U.S. Cybersecurity Agency == Chat_gipity_techno_turds or short version doge_after_birth... like top jorb in the land man...or should be. Always running from or running to. Constipation or diarrhea
Fast. Cheap. Good.
At best, pick 2.
This applies to code and coders as well, despite management's inability to comprehend reality.
And, when mainstream media periodically interviews republican congressmen who happen to be opposed to the Trump admin’s latest corruption/idiocy, why the hell do they never ask “Since you’re against these illegal/irresponsible actions… what the flying F are you gonna do about it?”
Defund DHS.
...but remember, everything needs to be written in memory safe languages to stop security breaches.
"I might get mugged in a dark alley, so why should I bother locking my door at home?"
Security breeches stop your phone falling out while riding a horse.
huh, so they've never used npm?
Honeypot?
A container of sweet stuff that you get stuck in.
Basically, a system full of juicy looking data that takes forever to collect and process... And then it was all fake data the whole time.
Plus, you can hide some real info, like the name of the machine compromised, or info about the attacker's system in the data, and then when it gets compromised, sold on the black market, and eventually published, you can reference the leaked data to see exactly which system the hackers got into, and get some insights on how they did it.
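The comment above describes seeding decoy data with information that identifies which copy was stolen. The usual way to do that without the marker being guessable or forgeable is to derive a short tag per (deployment, row) with an HMAC under a key kept off the honeypot host, embed the tag in a field that looks ordinary, and later rebuild the tag table to vote on which deployment a leaked dump came from. The block below is an added example and not anything the article or the agency describes: the master key, host names, name lists and mail domain are all constructed.

```python
import hashlib
import hmac
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed master key: in practice generate once with secrets.token_bytes(32) and
# keep it off the honeypot host, since whoever holds it can map or forge the tags.
MASTER_KEY = bytes.fromhex("6f1c3a9e4b2d8f7a5c0e1b3d9a8f7e6c4b2a1d0e9f8c7b6a5d4e3f2a1b0c9d8e")
# Hypothetical hosts, each of which gets its own copy of the decoy dataset.
DEPLOYMENTS = ["build-server-01", "ci-runner-07", "jump-host-03"]
FIRST = ["alex", "sam", "jordan", "casey", "morgan"]
LAST = ["Rivera", "Okafor", "Nguyen", "Schmidt", "Haddad"]
MAIL_DOMAIN = "corp-mail.example"  # assumption: a domain that looks internal
TAG_RE = re.compile(r"\.([0-9a-f]{10})@" + re.escape(MAIL_DOMAIN) + r"$")


def canary_tag(master_key: bytes, deployment: str, index: int) -> str:
    """10 hex chars (40 bits) keyed to (deployment, row): unforgeable without the key,
    short enough to pass as an employee-id suffix in an email address."""
    msg = f"{deployment}:{index}".encode()
    return hmac.new(master_key, msg, hashlib.sha256).hexdigest()[:10]


def generate_records(master_key: bytes, deployment: str, n: int) -> List[Dict]:
    """Decoy directory rows. Everything is filler except the email local-part, which
    carries the per-deployment tag; the rest is identical across deployments."""
    records = []
    for i in range(n):
        first = FIRST[i % len(FIRST)]
        last = LAST[(i // len(FIRST)) % len(LAST)]
        records.append({
            "id": 1000 + i,
            "name": f"{first.title()} {last}",
            "email": f"{first}.{canary_tag(master_key, deployment, i)}@{MAIL_DOMAIN}",
            "role": "analyst",
        })
    return records


def attribute_leak(master_key: bytes, leaked: List[Dict], deployments: List[str],
                   n: int) -> Optional[Tuple[str, int]]:
    """Given rows scraped from a published dump, rebuild the tag table and vote on the
    source deployment. Returns (deployment, matching rows) or None if nothing matches."""
    table = {canary_tag(master_key, d, i): d for d in deployments for i in range(n)}
    hits: Counter = Counter()
    for row in leaked:
        m = TAG_RE.search(str(row.get("email", "")))
        if m and m.group(1) in table:
            hits[table[m.group(1)]] += 1
    if not hits:
        return None
    deployment, count = hits.most_common(1)[0]
    return deployment, count


if __name__ == "__main__":
    # Seed each host, then pretend a few rows from one host surfaced in a dump.
    seeded = {d: generate_records(MASTER_KEY, d, 40) for d in DEPLOYMENTS}
    dump = seeded["ci-runner-07"][5:9] + [{"id": 7, "email": "bob@other.example"}]
    print(attribute_leak(MASTER_KEY, dump, DEPLOYMENTS, 40))
```

Because the tag is an HMAC output rather than a sequence number, an attacker who notices the pattern cannot tell which host a row belongs to or craft a row that points at a different one, and the rebuild-and-lookup step means nothing about the mapping has to be stored on the honeypot. Ten hex characters is plenty for a few hundred rows across a handful of hosts; scale the truncation up with the table size.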
Passwords were a mistake.
Government contractors were a mistake
What are the odds this was AI related vs some underpaid intern
This was a dev who wanted to sync data between their home and work computers so they could do check-ins from home. This is a combination of a lazy person who values their own ease of use over basic security practices, plus a government contractor who values making as much money as possible by paying shitty devs without any real oversight over those shitty devs, plus an oversight government entity that had its funding slashed by people who only understand cutting money as opposed to national security.
Nothing can beat real organic stupidity
I’m sure that will be an excuse but no, this was lazy-ass we-dont-wanna incompetent garbage devs.
Odds are neither and it’s a “plausibly deniable” attack.
Or worse, both