Nightwing and U.S. Cybersecurity and Infrastructure Security Agency: CISA contractor apparently leaked 'highly sensitive' government AWS keys on GitHub

CISA Suffers Major Data Leak via Exposed GitHub Repository

A public GitHub repository named “Private-CISA” exposed highly sensitive internal credentials and systems belonging to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), marking one of the most severe government data leaks in recent history.

Security researcher Guillaume Valadon discovered the repository, which contained a trove of critical data, including:

  • AWS GovCloud administrative credentials for three accounts
  • AWS access keys and tokens (including a file labeled “importantAWStokens”)
  • Plaintext usernames and passwords for internal CISA systems
  • A CSV file (“AWS-Workspace-Firefox-Passwords.csv”) with stored login credentials
  • Credentials for CISA’s Landing Zone DevSecOps (LZ-DSO) and other internal systems
  • SSH keys and authentication details for CISA/DHS infrastructure
  • Access credentials for an internal Artifactory software repository

Valadon, who described the leak as “the worst [he’d] witnessed in [his] career,” initially suspected the data was fake due to its sensitivity. However, multiple security researchers confirmed its authenticity, and some credentials were reportedly functional. The repository, created in mid-November 2025, had likely been exposed since its inception.

The repository was maintained by government contractor Nightwing, which declined to comment and referred inquiries to CISA. After researchers alerted the agency, the repository was locked down. CISA acknowledged the incident, stating there was “no indication that any sensitive data was compromised” but confirmed it was implementing additional safeguards to prevent future breaches.

The exposure revealed internal practices for how CISA builds and deploys software, raising concerns about operational security within federal cybersecurity agencies. The full duration of the leak remains unclear.

Source: https://www.techradar.com/pro/security/cisa-contractor-apparently-leaked-highly-sensitive-government-aws-keys-on-github

Nightwing cybersecurity rating report: https://www.rankiteo.com/company/nightwing-us

Cybersecurity and Infrastructure Security Agency cybersecurity rating report: https://www.rankiteo.com/company/cisagov

"id": "NIGCIS1779216319",
"linkid": "nightwing-us, cisagov",
"type": "Breach",
"date": "11/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'industry': 'Cybersecurity, National Security',
                        'location': 'United States',
                        'name': 'U.S. Cybersecurity and Infrastructure Security Agency (CISA)',
                        'size': 'Large',
                        'type': 'Government Agency'}],
 'attack_vector': 'Exposed GitHub Repository',
 'data_breach': {'file_types_exposed': ['CSV', 'Text files'],
                 'personally_identifiable_information': 'Yes (stored login credentials)',
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['AWS GovCloud administrative credentials',
                                              'AWS access keys and tokens',
                                              'Plaintext usernames and passwords',
                                              'SSH keys',
                                              'Authentication details for internal systems',
                                              'CSV file with stored login credentials']},
 'date_detected': '2025-11',
 'description': "A public GitHub repository named 'Private-CISA' exposed highly sensitive internal credentials and systems belonging to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), marking one of the most severe government data leaks in recent history. The repository contained AWS GovCloud administrative credentials, access keys, plaintext usernames and passwords, SSH keys, and other authentication details for CISA/DHS infrastructure.",
 'impact': {'brand_reputation_impact': "Severe impact on CISA's reputation as a cybersecurity authority",
            'data_compromised': 'Highly sensitive internal credentials and systems, including AWS GovCloud administrative credentials, access keys, plaintext usernames/passwords, SSH keys, and authentication details',
            'identity_theft_risk': 'High (exposed credentials could lead to identity theft)',
            'operational_impact': 'Exposure of internal software deployment practices; potential unauthorized access to critical systems',
            'systems_affected': 'CISA/DHS infrastructure, AWS GovCloud, internal Artifactory repository, Landing Zone DevSecOps (LZ-DSO)'},
 'investigation_status': 'Ongoing',
 'lessons_learned': 'Exposure of internal practices for software deployment highlights operational security risks within federal agencies; need for stricter access controls and repository configurations.',
 'post_incident_analysis': {'corrective_actions': 'Repository locked down; additional safeguards implemented',
                            'root_causes': 'Misconfigured public GitHub repository exposing sensitive credentials and systems'},
 'recommendations': 'Implement stricter access controls for public repositories, enforce multi-factor authentication for sensitive systems, conduct regular audits of exposed credentials, and enhance monitoring for unauthorized access.',
 'references': [{'source': 'Security Researcher Guillaume Valadon'}],
 'response': {'communication_strategy': "CISA acknowledged the incident and stated there was 'no indication that any sensitive data was compromised'",
              'containment_measures': 'Repository locked down after researchers alerted CISA',
              'remediation_measures': 'Additional safeguards implemented to prevent future breaches'},
 'title': 'CISA Suffers Major Data Leak via Exposed GitHub Repository',
 'type': 'Data Leak',
 'vulnerability_exploited': 'Misconfigured public repository'}