Nightwing and Cybersecurity and Infrastructure Security Agency: CISA Admin Leaked AWS GovCloud Keys on Github – Krebs on Security

CISA Contractor Exposes Highly Sensitive Credentials in Public GitHub Repository

A contractor for the Cybersecurity and Infrastructure Security Agency (CISA) inadvertently exposed highly privileged credentials and internal system details in a public GitHub repository, marking one of the most severe government data leaks in recent history. The repository, named "Private-CISA," was flagged on May 15 by security researcher Guillaume Valadon of GitGuardian after the account owner failed to respond to automated alerts about exposed secrets.

The leaked files included administrative credentials for three AWS GovCloud accounts, plaintext passwords for dozens of internal CISA systems, such as the agency’s secure code development environment (Landing Zone DevSecOps), and access tokens for CISA’s internal artifactory, a repository of software packages. Security experts confirmed the exposed credentials were valid and could have allowed attackers to move laterally within CISA’s infrastructure, potentially embedding backdoors in software builds.

The repository, maintained by a Nightwing contractor, reflected poor security practices, including plaintext passwords in CSV files, disabled GitHub secret detection, and easily guessable credentials (e.g., platform names followed by the current year). Metadata suggested the account was used as a personal synchronization tool between work and home devices, with commits dating back to November 2025. The GitHub account was created in September 2018 but was taken offline shortly after CISA was notified.

CISA acknowledged the incident, stating there was no evidence of sensitive data compromise and confirming an ongoing investigation. The exposed AWS keys remained active for 48 hours after the repository was removed. The agency, already operating with reduced staffing and budget, faces heightened scrutiny over its internal security controls following the breach.

Source: https://krebsonsecurity.com/2026/05/cisa-admin-leaked-aws-govcloud-keys-on-github/

Cybersecurity and Infrastructure Security Agency cybersecurity rating report: https://www.rankiteo.com/company/cisagov

Nightwing cybersecurity rating report: https://www.rankiteo.com/company/nightwing-us

"id": "CISNIG1779150346",
"linkid": "cisagov, nightwing-us",
"type": "Breach",
"date": "5/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'industry': 'Cybersecurity',
                        'location': 'United States',
                        'name': 'Cybersecurity and Infrastructure Security '
                                'Agency (CISA)',
                        'size': 'Large',
                        'type': 'Government Agency'},
                       {'industry': 'Defense/Technology',
                        'name': 'Nightwing',
                        'type': 'Contractor'}],
 'attack_vector': 'Misconfiguration',
 'data_breach': {'data_encryption': 'No (plaintext passwords exposed)',
                 'file_types_exposed': ['CSV'],
                 'sensitivity_of_data': 'High (administrative credentials, '
                                        'plaintext passwords)',
                 'type_of_data_compromised': 'Credentials, internal system '
                                             'details, access tokens'},
 'date_detected': '2025-05-15',
 'description': 'A contractor for the Cybersecurity and Infrastructure '
                'Security Agency (CISA) inadvertently exposed highly '
                'privileged credentials and internal system details in a '
                'public GitHub repository, marking one of the most severe '
                'government data leaks in recent history. The repository, '
                "named 'Private-CISA,' was flagged on May 15 by security "
                'researcher Guillaume Valadon of GitGuardian after the account '
                'owner failed to respond to automated alerts about exposed '
                'secrets. The leaked files included administrative credentials '
                'for three AWS GovCloud accounts, plaintext passwords for '
                'dozens of internal CISA systems, and access tokens for CISA’s '
                'internal artifactory.',
 'impact': {'brand_reputation_impact': 'Heightened scrutiny over internal '
                                       'security controls',
            'data_compromised': 'Highly privileged credentials, internal '
                                'system details, AWS GovCloud admin '
                                'credentials, plaintext passwords, access '
                                'tokens',
            'operational_impact': 'Potential lateral movement within CISA’s '
                                  'infrastructure, risk of backdoors in '
                                  'software builds',
            'systems_affected': 'CISA’s secure code development environment '
                                '(Landing Zone DevSecOps), internal '
                                'artifactory, AWS GovCloud accounts'},
 'investigation_status': 'Ongoing',
 'post_incident_analysis': {'root_causes': 'Poor security practices (plaintext '
                                           'passwords, disabled GitHub secret '
                                           'detection, easily guessable '
                                           'credentials), use of personal '
                                           'GitHub account for work purposes'},
 'references': [{'source': 'GitGuardian'}],
 'response': {'communication_strategy': 'CISA acknowledged the incident and '
                                        'confirmed an ongoing investigation',
              'containment_measures': 'Repository taken offline, exposed AWS '
                                      'keys deactivated after 48 hours',
              'third_party_assistance': 'GitGuardian (security researcher '
                                        'Guillaume Valadon)'},
 'title': 'CISA Contractor Exposes Highly Sensitive Credentials in Public '
          'GitHub Repository',
 'type': 'Data Exposure',
 'vulnerability_exploited': 'Exposed credentials in public repository'}