CISA Left Its Own Passwords on GitHub for Six Months

TL;DR - CISA, the US government agency whose job is telling other organisations how not to get hacked, left a folder of AWS GovCloud admin passwords sitting in a public GitHub repository for six months. In the same week, GitHub itself got breached through a single bad VS Code extension on an employee's laptop, and a worm called Mini Shai-Hulud poisoned more than 300 open-source packages that millions of websites depend on. What you need to do: assume your email and an old password are in someone's database, get a password manager, turn on MFA on your email and your bank, and stop installing browser extensions you don't actually need.

By The Numbers

What	Number
Months the CISA repo sat publicly visible on GitHub	~6
Plaintext passwords and AWS tokens in the CISA dump (Cybernews)	~844 MB
Private GitHub repositories stolen in the May 20 GitHub breach	~3,800
Asking price for the stolen GitHub source code on dark web	$50,000+ USD
Malicious npm package versions published in a 22-minute burst	600+
Weekly downloads of one of the worm-infected libraries (echarts-for-react)	1,000,000+
Threat group linked to both the GitHub breach and the npm worm	TeamPCP / UNC6780

The week the secret-keepers lost their own secrets

I read a lot of security news. Most of it makes me sigh, bookmark it, and move on. The week of 18 May made me put my coffee down twice.

The first time was when I read that the Cybersecurity and Infrastructure Security Agency - America's CISA, the people whose entire job is telling organisations how not to be hacked - had a contractor who left a public GitHub repository sitting online for roughly six months. The repository was called "Private-CISA". It contained, among other things, a file literally named importantAWStokens and another called AWS-Workspace-Firefox-Passwords.csv with plaintext usernames and passwords for dozens of internal CISA systems. A researcher at GitGuardian who scans public code for accidentally-exposed secrets, Guillaume Valadon, told Brian Krebs it was "the worst leak that I've witnessed in my career." That is not a sentence you say lightly when your job is finding leaks.

The second time was two days later, when GitHub itself - the place where the world stores its source code - confirmed that an attacker had walked out with around 3,800 of its own internal repositories. Not customer data. Their own private code. The entry point was a single employee laptop and a single malicious VS Code extension.

And that was the same week that a worm called Mini Shai-Hulud, named after a Dune monster because security researchers have a sense of humour, compromised more than 300 open-source packages on npm in a 22-minute automated burst. One of those packages alone has more than a million weekly downloads. Everything downstream of those libraries - which is to say, an enormous portion of the modern web - now has to assume it might have been touched.

Three stories. Five days. Different victims, different attackers, different mechanisms. But if you read them in order, they tell the same story. The people who are supposed to be holding the keys are losing them.

Let me walk you through what happened, why all three matter even if you have no idea what npm is, and the one thing you should actually do about it this week.

---

The CISA leak: six months of keys in the open

Start with the simplest of the three. A contractor working for CISA created a personal-looking but professionally-used GitHub account and pushed a repository called Private-CISA. The word "private" in the name was apparently aspirational. The repository was public from late November 2025 until 15 May 2026, when GitGuardian flagged it and CISA scrambled to take it down.

What was in it would be funny if it were not so awful. According to Cybernews, the dump contained around 844 megabytes of plaintext passwords and AWS tokens. There were administrative credentials to three Amazon AWS GovCloud servers - the segregated AWS environment used for sensitive US government workloads. There was a file called importantAWStokens. There was another, called AWS-Workspace-Firefox-Passwords.csv, that simply listed usernames and passwords for dozens of internal CISA systems in a spreadsheet, the way you would list your shopping. The commit history showed the contractor had disabled the default GitHub setting that warns when you are about to publish a credential.

For six months any researcher, journalist, or attacker who happened to look could have walked into CISA's GovCloud environment with the credentials of a privileged administrator. We do not yet know publicly whether anyone besides the GitGuardian researcher did look. That answer will arrive later, in a way nobody is going to enjoy.

The lesson here is not that CISA is uniquely incompetent. The lesson is that the discipline required to never put a password in a place a password should not be is brutally hard to maintain, and that the people whose entire job is reminding the rest of us to be careful are still human, still rushed, still working on a Friday afternoon, and still capable of treating a CSV of passwords like an Excel report.

GitHub itself: one bad extension, 3,800 repositories

The second story is harder to wave away as "well, that was a contractor".

On 20 May, GitHub confirmed an unauthorised access incident affecting its own internal repositories. The entry point was a single GitHub employee's device, which had been compromised by a malicious version of a Visual Studio Code extension - one of the little add-ons that millions of developers install daily to add features to their code editor. The attacker, a group calling itself TeamPCP and tracked by the threat-intelligence community as UNC6780, used that single foothold to access and exfiltrate the source code of around 3,800 of GitHub's own private repositories.

GitHub is, in plain terms, where the internet keeps its source code. Almost every modern company, including the ones holding your medical records, your tax data and your bank balance, stores their code there. The customer repositories were not breached - GitHub has been clear about that. What was stolen was GitHub's own internal code. The attacker is currently advertising it on dark web forums for $50,000, looking for buyers.

There are two lessons in this one. The first is for people in technology: every single VS Code extension you have ever installed is running with the same permissions you have. The "let me give it five-star reviews and a thousand fake downloads" attack on extensions works, and a bad extension on a developer's laptop is one of the cheapest ways into a company.

The second lesson is for everyone: the company that holds the source code for your bank's mobile app just admitted that one bad download on one laptop got an attacker into their internal systems. That is the level of fragility we are operating at.

The npm worm: how a chart library you have never heard of touches your week

The third story is the most technical and, paradoxically, the one that probably touches your daily life the most.

npm is the world's largest software library. When a programmer wants to add a feature - a chart on a webpage, a date picker, a way to format numbers - they download a package from npm. Their code now depends on that package. That package depends on other packages. Your bank's website probably depends on hundreds of npm packages, even though your bank wrote none of them.

On 19 May 2026, a worm dubbed Mini Shai-Hulud automatically published more than 600 malicious package versions across 323 npm packages in a 22-minute burst, according to Microsoft Security Research and Snyk. Among the worm's victims was the Alibaba AntV data-visualisation ecosystem, including echarts-for-react - a library that pulls more than a million weekly downloads and is buried inside dashboards used by everyone from start-ups to enterprise customer-portals.

Every developer who ran npm install while the worm-infected versions were live on the registry briefly ran a piece of obfuscated JavaScript designed specifically to steal credentials from GitHub Actions, the build system that companies use to deploy code. Those stolen credentials then let the worm spread further, propagating itself through the ecosystem. The same TeamPCP group attribution links this attack to the GitHub breach above. Same group, same week, two of the three biggest software-supply-chain failures of the year so far.

If you used a website powered by any of those packages last week, and the company running it has not yet rotated all of its build secrets and audited what came out of their CI pipeline, your interaction with that website may already be sitting somewhere it should not be.

What all three have in common: secrets in places secrets should not be

If you read the three stories side by side, the thread becomes obvious.

In each case, the failure was not a sophisticated attacker breaking a sophisticated defence. The failure was a privileged secret - a password, a token, a credential, a private repository - ending up somewhere it had no business being. A public GitHub repo. A compromised laptop. A poisoned npm package.

Once a secret is in a place a secret should not be, attackers no longer need to be clever. They just need to be patient. They scan the places where mistakes accumulate, they collect what falls out, and they sell it.

Once a secret is in a place a secret should not be, attackers no longer need to be clever. They just need to be patient.

This is the actual state of the modern attack surface. Not the movie version with the hooded figure typing furiously. The boring version: someone, somewhere, forgot to flip a default switch in GitHub, or installed an extension they did not need, or pushed a package to npm with credentials still hard-coded inside. And the criminal economy is now industrialised enough that scanning for those mistakes is automated, profitable, and continuous.

You are downstream of all of it.

---

Why this could actually be good

Three stories of failure in five days is bleak. But it is also the kind of bleak that forces movement.

CISA having to issue a press release explaining that its own contractor leaked its own keys is the kind of public humiliation that drives policy. Expect mandatory secret-scanning to be added to the federal contractor baseline within the year. Expect the next CISA contracting RFP to have an entire annex about credential hygiene that did not exist a month ago.

GitHub admitting that a malicious VS Code extension walked into its internal network is the kind of story that ought to push every developer-tools vendor to revisit how extensions get reviewed and signed. The marketplace model where "we trust the publisher unless someone complains" is a 2012 model in a 2026 threat environment. This is the public moment that breaks it.

The npm worm hitting the @antv ecosystem is the third loud signal in a year (Shai-Hulud last August, the s1ngularity attack on Nx in September, this one in May) that the dependency model the web is built on needs more than reactive scanning. Expect a serious push toward provenance-by-default - knowing exactly who published every line of code in your dependency tree - over the next twelve months.

The story that emerges in twelve months will not be "the year cybersecurity collapsed". It will be "the year the cracks got loud enough that the response stopped being optional". Three big public failures in one week is the forcing function that quiet, slow rot never quite produces.

What you should do this week

You are not CISA. You are not GitHub. You do not run a build pipeline that pulls 4,000 npm packages. But all three of these stories make your life more dangerous in the same specific way: more of your usernames, your passwords, and your data are sitting in datasets that bad actors are happy to use against you.

Here is the action list, in order of how much it actually protects you.

1. Check Have I Been Pwned. Go to haveibeenpwned.com, put in your main email, and look at the list of breaches it appears in. If it is there - and it almost certainly is - that is the list of services where you should assume your old password is in someone's database. Use the same site to check your secondary emails and your partner's. This takes five minutes and is the most important five minutes of your week.

2. Get a password manager and stop reusing passwords. This is the single biggest thing you can do. Every leak like the CISA one, every breach like the GitHub one, ends with attackers trying the leaked passwords against every other service the same email touches. If your bank password is also your old MySpace password is also your work password, one leak ends everything. If every site has a unique password generated by 1Password, Bitwarden, or your phone's built-in keychain, one leak ends nothing.

3. Turn on MFA on your email and your bank. Multi-factor authentication, the thing where you also have to type in a code from your phone, is the difference between "the attacker has my password" and "the attacker is locked out anyway". Do it on your email first - your email is the master key to every other account, because it is where the reset links go. Then your bank. Then everything else, over the course of a quiet Sunday.

4. Be skeptical of every "install this free thing" download. The GitHub breach started with one bad VS Code extension. The npm worm hides inside libraries you have never heard of. The same logic applies to your browser. Every browser extension you have installed is running with the permissions of your browser, which is to say, it can read every page you visit, including your banking session. Open the extensions page in your browser right now, and uninstall anything you do not actively use. The fewer doors, the fewer ways in.

None of this is exciting. But it works.

Key Takeaways

• The cybersecurity agency leaked its own passwords on GitHub for six months. A CISA contractor left AWS GovCloud admin keys in a public repo called Private-CISA, with files literally named importantAWStokens. A GitGuardian researcher called it the worst leak he has seen.
• GitHub itself was breached the same week via a single bad VS Code extension on an employee's laptop. Around 3,800 internal repositories were exfiltrated; the attacker (TeamPCP) is selling them on dark web forums for $50,000+.
• A worm called Mini Shai-Hulud poisoned 300+ npm packages in 22 minutes, including libraries with 1M+ weekly downloads. Linked to the same TeamPCP group as the GitHub breach.
• The common thread is secrets in places secrets should not be. Public repo. Personal laptop. Poisoned dependency. None of it required sophistication, just patience.
• Your defence is unique passwords plus MFA on the accounts that matter. A password manager makes that practical. Have I Been Pwned tells you which leaks already include your email.
• Treat every browser and editor extension as if it can read everything you do because it can. Uninstall what you do not actively use.

Frequently asked questions

What is CISA and why does this leak matter to me?

CISA is the Cybersecurity and Infrastructure Security Agency, the US government body that issues guidance to organisations - including private companies - on how to defend themselves. The fact that one of its contractors pushed a folder of CISA passwords to a public GitHub repository for six months matters to you because if the agency telling everyone else to be careful cannot maintain that discipline, the assumption "my data is safe at organisation X because they will do the basics right" no longer holds. The actually-rational assumption is that some of your data is already exposed at some organisation you have never thought about. That changes what you should do at home.

What is GitHub and how can it get hacked when it stores everyone else's code?

GitHub is the world's largest code-hosting service - owned by Microsoft since 2018 - where almost every modern company stores the source code for its apps and services. The breach disclosed on 20 May 2026 did not touch customer repositories. What was stolen was GitHub's own internal code. The entry point was a single GitHub employee's laptop, which had been compromised by a malicious version of a Visual Studio Code extension. One person, one extension, 3,800 internal repositories gone.

Was my data stolen in any of these three incidents?

Probably not directly. The CISA leak exposed CISA's own administrative credentials, not citizens' personal data. The GitHub breach exposed GitHub's internal source code, not customer data. The npm worm stole build-system credentials from companies that compiled software using poisoned packages - not user data directly. The risk to you is indirect: if any of the affected companies fail to rotate their credentials, downstream services you use could be compromised in the coming weeks. The defensive move is the same either way: unique passwords, MFA on critical accounts.

What is the Mini Shai-Hulud npm worm?

It is an automated piece of malware that compromised the npm publishing accounts of legitimate open-source maintainers, then used those accounts to publish booby-trapped versions of their packages. The booby-trapped versions, when installed by a developer, ran obfuscated code that stole secrets from the developer's build pipeline. The May 2026 wave hit the AntV ecosystem (Alibaba's chart-drawing libraries) including echarts-for-react, which has more than a million weekly downloads. Microsoft, Snyk and Wiz all have detailed write-ups linked in Further Reading below.

Should I delete my GitHub account, npm packages, or anything else?

No. The fix is not to abandon the tools, it is to assume credential exposure and behave accordingly. Rotate work passwords. Turn on MFA. Use a password manager. Stop installing extensions you do not need. The vast majority of the population was not directly touched by any of these three incidents; the population that is now slightly more at risk is everyone, because the criminal datasets just got fatter.

Why is the same group (TeamPCP) behind two of three?

Because attacking the suppliers of software is enormously more profitable than attacking individuals. One npm package compromise can give the attacker secrets from thousands of companies that pulled the package. One developer-tool compromise (the VS Code extension that hit GitHub) can give the attacker access to GitHub's entire internal codebase. The economics of attacking upstream are extraordinary, and a moderately skilled criminal team can run multiple supply-chain operations in the same week without breaking a sweat. Expect more of this in the rest of 2026.

My take

For a decade, the unspoken contract between large software vendors and the rest of us has been roughly: "we will keep your data safe in exchange for your trust, and the occasional breach is a tax we will all absorb." That contract is bending.

What we got in five days in May was three different proofs that the people we entrust with secrets cannot reliably keep them. Not because they are bad at their jobs - the people inside CISA, GitHub and the npm ecosystem are some of the most capable security operators alive. The system itself is now too complex, too fast-moving, too dependent on individual humans making the right call on a Friday afternoon, for "trust the vendor" to be a workable strategy.

The shift, slowly, is toward "trust nothing by default, verify everything you can, and assume any specific organisation will fail at least once". That is a more honest place to be. It is also one most ordinary people are not equipped to live in - which is exactly where security people like me are needed, because the answer is not for everyone to become a cryptographer. The answer is for the defaults to get a lot smarter, and for the things we ask each other to do at home to stay simple. Unique passwords. MFA on what matters. Stop installing things you do not need.

The good news is that those three habits are achievable in an hour. The bad news is that hour is overdue.

---

Mathew Clark Founder, SecureInSeconds Currently: helping my mother-in-law explain to her bank why she needs MFA on the joint account.

---

Further Reading

• Krebs on Security: CISA Admin Leaked AWS GovCloud Keys on Github - the original reporting on the CISA leak, including the GitGuardian researcher's full account.
• Gizmodo: 'The Worst Leak That I've Witnessed' - U.S. Cybersecurity Agency Leaves Its Digital Keys Out in Public - mainstream coverage with the researcher quote in context.
• Cybernews: CISA embarrassed by GitHub leak of passwords, AWS tokens - includes the 844 MB figure and file-name detail.
• The Hacker News: GitHub Breached - Employee Device Hack Led to Exfiltration of 3,800+ Internal Repos - the GitHub breach, with TeamPCP attribution.
• Microsoft Security Blog: Mini Shai-Hulud - Compromised @antv npm packages enable CI/CD credential theft - the technical breakdown of the worm.
• Snyk: Mini Shai-Hulud Hits AntV - 300+ Malicious npm Packages - dependency-chain analysis.
• Have I Been Pwned - check whether your email appears in known breaches. Use this today.
• Internal: BitLocker Bypass: Is Your Laptop Safe? - what to do if you are worried about local data on a stolen device.
• Internal: The Canvas Breach: Stop the Spam - the most recent companion piece on breach-derived spam and what to expect in your inbox.