Critical Security Breach: CISA Contractor Exposes Sensitive Government Infrastructure on Public GitHub

In an alarming incident that has sent shockwaves through the cybersecurity community, a public GitHub repository maintained by a contractor for the Cybersecurity and Infrastructure Security Agency (CISA) has been found to contain highly sensitive, privileged credentials for the agency’s internal systems. The repository, explicitly named “Private-CISA,” functioned as an open-access vault for cloud keys, plaintext passwords, and proprietary deployment documentation, effectively handing a roadmap for network intrusion to any malicious actor capable of running a basic search.

Security experts have labeled this one of the most egregious data leaks in recent government history. The exposure, which persisted until this past weekend, represents a catastrophic failure in operational security hygiene, occurring at a time when the agency is already struggling with significant personnel attrition and budgetary constraints.


The Discovery: A Professional Alert

The exposure was brought to light by Guillaume Valadon, a lead researcher at the security firm GitGuardian. GitGuardian specializes in automated scanning of public repositories to detect the accidental inclusion of secrets—a common but dangerous mistake by developers.

Valadon’s systems flagged the “Private-CISA” repository, and upon manual inspection, he found the content so sensitive that he immediately initiated contact with the repository owner. When those attempts at communication went unanswered, the severity of the findings prompted him to escalate the matter. “I honestly believed that it was all fake before analyzing the content deeper,” Valadon stated. “This is indeed the worst leak that I’ve witnessed in my career. It is obviously an individual’s mistake, but I believe that it might reveal internal practices.”

The repository contained far more than minor configuration files; it amounted to a store of administrative authority. Among the exposed assets were tokens for AWS GovCloud—a specialized environment designed specifically to host sensitive government data—as well as comprehensive logs detailing how the agency builds, tests, and deploys software internally.


Chronology of the Exposure

The timeline of the “Private-CISA” repository paints a picture of a long-standing vulnerability that remained hidden in plain sight.

  • September 2018: The contractor’s GitHub account is originally created.
  • November 13, 2025: The “Private-CISA” repository is officially initialized. It appears to have been used as a synchronization tool, allowing the contractor to move files between work and personal computing environments.
  • May 15, 2026: Researchers at GitGuardian identify the repository and begin efforts to alert the owner.
  • Late May 2026: Following notifications from both KrebsOnSecurity and independent security consultant Philippe Caturegli, the repository is finally taken offline.
  • Post-Discovery: Despite the repository being deleted, an investigation by Caturegli revealed that the exposed AWS keys remained functional for at least 48 hours after the account was shuttered, leaving a critical window of vulnerability open even after the primary source of the leak was removed.

Technical Anatomy of the Breach

The depth of the exposure is staggering, moving far beyond mere accidental uploads. The repository contained files such as “importantAWStokens,” which provided high-level administrative access to three distinct AWS GovCloud environments.

Perhaps more damaging was a file titled “AWS-Workspace-Firefox-Passwords.csv.” This file contained plaintext usernames and passwords for dozens of internal CISA systems. Of particular note is the inclusion of credentials for the “LZ-DSO” system—short for “Landing Zone DevSecOps.” This environment serves as the agency’s secure code development pipeline.

Poor Security Hygiene and Intentional Misconfiguration

Analysis of the repository’s commit history suggests that this was not a simple oversight but a systemic failure of security practice. The contractor had proactively disabled GitHub’s native “secret scanning” features, which are designed to detect API keys and credentials in commits and block them from being pushed. By switching off these safety rails, the contractor ensured that the repository stayed outside the very controls meant to catch exactly this kind of mistake.

Philippe Caturegli, founder of the consultancy Seralys, noted that the use of weak, predictable passwords exacerbated the risk. Many of the credentials followed a rudimentary pattern: the name of the platform followed by the calendar year. “Such practices would constitute a serious security threat for any organization even if those credentials were never exposed externally,” Caturegli observed.
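As an added, defender-side example (not code from the article or from any party named in it), the following Python audits a constructed browser-style password export for the “platform name followed by the year” pattern Caturegli describes, and flags AWS access key IDs of the kind GitHub’s secret scanning would have caught before a push. Every hostname, username, password and key in it is made up.

```python
import csv
import io
import re

# Constructed sample rows in the shape of a browser password export
# (url,username,password). None of these values come from the leaked repository.
SAMPLE_CSV = """url,username,password
https://lz-dso.example.gov/login,svc_build,LZ-DSO2025
https://artifactory.example.gov,deployer,Artifactory2024!
https://jira.example.gov,analyst,c9!Rk2#vq8Lp0%Tz
https://grafana.example.gov,viewer,Grafana2026
"""

YEAR_RE = r"(19|20)\d{2}"
# Long-term AWS access key IDs start with AKIA; ASIA marks temporary credentials.
AWS_KEY_RE = re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b")


def platform_tokens(url):
    """Derive candidate platform names from the URL's first hostname label.
    'https://lz-dso.example.gov/login' -> {'lz-dso', 'lzdso', 'lz', 'dso'}"""
    host = re.sub(r"^https?://", "", url).split("/")[0]
    first = host.split(".")[0]
    tokens = {first, first.replace("-", "")}
    tokens.update(first.split("-"))
    return {t.lower() for t in tokens if t}


def is_platform_year_password(url, password):
    """True when the password is <platform name><4-digit year>, ignoring case
    and any trailing punctuation added to satisfy a complexity rule."""
    p = password.lower().rstrip("!@#$%^&*.?_-")
    return any(re.fullmatch(re.escape(tok) + YEAR_RE, p)
               for tok in platform_tokens(url))


def audit_password_export(csv_text):
    """Return (url, username) pairs whose password follows the weak pattern."""
    weak = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if is_platform_year_password(row["url"], row["password"]):
            weak.append((row["url"], row["username"]))
    return weak


def find_aws_key_ids(text):
    """Return the distinct AWS access key IDs found in a blob of file content."""
    return sorted({m.group(0) for m in AWS_KEY_RE.finditer(text)})
```

Run over a real export, the audit lists the accounts whose passwords must be rotated first, while the key scan is the minimal check a pre-commit hook would perform if the platform’s own scanning has been disabled.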


The "Artifactory" Risk: Lateral Movement

One of the most concerning aspects of this leak is the exposure of credentials to CISA’s internal “artifactory.” In modern software development, an artifact repository (the term is borrowed from JFrog’s Artifactory product) acts as the central store for the built packages and third-party dependencies that are pulled in every time an application is built.

By gaining access to these artifacts, an attacker could achieve more than just data theft; they could initiate a supply-chain attack. By injecting malicious backdoors into legitimate software packages, an attacker could ensure that their malicious code is deployed across the agency’s infrastructure every time a new build is pushed. “That would be a prime place to move laterally,” Caturegli explained. “Backdoor in some software packages, and every time they build something new, they deploy your backdoor left and right.”


Official Responses and Accountability

In response to inquiries, a CISA spokesperson acknowledged the incident, stating that the agency is conducting an ongoing investigation. “Currently, there is no indication that any sensitive data was compromised as a result of this incident,” the spokesperson claimed. “While we hold our team members to the highest standards of integrity and operational awareness, we are working to ensure additional safeguards are implemented to prevent future occurrences.”

The repository was linked to an employee of Nightwing, a Dulles, Virginia-based government contractor. When approached for comment, Nightwing declined to address the specifics of the breach, referring all inquiries back to CISA.

The agency has remained silent regarding how long the credentials were exposed to the public internet before they were flagged, leaving a significant gap in the public record regarding the potential for historical unauthorized access.


Implications: A Fragile Agency

The incident occurs against a backdrop of institutional instability at CISA. Following the start of the second Trump administration, the agency has undergone a series of drastic reorganizations, resulting in the loss of nearly a third of its total workforce. This “brain drain,” characterized by early retirements and forced buyouts, has left remaining staff stretched thin, potentially contributing to the oversight that allowed such a massive security failure to occur.

Strategic Consequences

The exposure of GovCloud credentials is particularly sensitive. GovCloud is built to adhere to stringent compliance requirements, including those for Controlled Unclassified Information (CUI). The fact that a contractor was able to move these credentials to a public GitHub repository suggests a lack of robust Data Loss Prevention (DLP) tools or a failure to enforce them in remote work environments.

The incident raises fundamental questions about the government’s reliance on third-party contractors for critical infrastructure management. When contractors use personal or external platforms to synchronize work-related files—as appears to be the case here—they create “shadow IT” environments that bypass the security perimeters mandated by federal policy.

Conclusion

The “Private-CISA” incident is a sobering reminder that the greatest threat to national cybersecurity is often not an advanced persistent threat (APT) from a foreign nation-state, but the mundane, preventable errors of an individual user. By prioritizing convenience over security, the contractor involved created a potential vector for a catastrophic compromise of federal systems.

As CISA moves to remediate the fallout, the agency faces a difficult path forward. Restoring trust in its internal processes will require more than just a formal investigation; it will necessitate a fundamental cultural shift in how contractors are audited and how the agency protects its “crown jewels” in an era of decentralized, remote, and increasingly precarious work environments.