A Massive Security Lapse: CISA Contractor Exposes Highly Privileged Government Credentials on Public GitHub

In what security analysts are calling one of the most egregious data exposures in recent federal history, a public GitHub repository maintained by a contractor for the Cybersecurity and Infrastructure Security Agency (CISA) has laid bare a treasure trove of sensitive credentials. For months, the repository, aptly named “Private-CISA,” functioned as an open door into the heart of the agency’s digital infrastructure, exposing administrative keys to AWS GovCloud accounts, plaintext passwords for internal systems, and architectural blueprints for how the U.S. government builds and deploys its software.

The discovery, which was addressed only after external security researchers intervened, highlights a catastrophic failure in cybersecurity hygiene at a time when the federal government is grappling with unprecedented staffing shortages and a heightened threat landscape.


The Anatomy of the Leak: How the “Private-CISA” Repository Failed

The repository was identified by Guillaume Valadon, a researcher at the security firm GitGuardian, whose organization specializes in the automated detection of “leaked secrets” across public code platforms. When Valadon stumbled upon the repository on May 15, he was struck by the audacity of the exposure. It was not merely a case of an accidental file upload; it was a systemic failure.

The repository, which had been active since November 2025, served as a synchronization point for an employee of Nightwing, a Dulles, Virginia-based government contractor. Forensic analysis of the repository’s metadata suggests the contractor was using the public GitHub account as a personal "scratchpad" to shuttle files between home and office environments.

Most concerning to experts was the evidence that the administrator had actively bypassed security safeguards. GitHub provides a native feature designed to detect and block the pushing of SSH keys, API tokens, and other secrets to public repositories. According to Valadon, the commit logs reveal that the user explicitly disabled this protection, ensuring that the sensitive files would be uploaded without resistance.

“Passwords stored in plain text in a CSV, backups in Git, explicit commands to disable GitHub secrets detection—I honestly believed that it was all fake before analyzing the content deeper,” Valadon stated. “This is the worst leak I’ve witnessed in my career. It is obviously an individual’s mistake, but it reveals a disturbing lack of internal training and operational security practices.”


Chronology of the Exposure

  • September 2018: The contractor’s GitHub account is created.
  • November 13, 2025: The “Private-CISA” repository is initialized, marking the beginning of the data exposure. Over the following months, the contractor frequently commits sensitive files to the repository.
  • May 15, 2026: Guillaume Valadon of GitGuardian identifies the repository and attempts to contact the owner, receiving no response.
  • May 2026: KrebsOnSecurity and security consultant Philippe Caturegli contact CISA to alert them to the severity of the leak.
  • May 2026 (Post-Notification): The repository is taken offline.
  • Late May 2026: Despite the repo’s removal, researchers confirm that the exposed AWS GovCloud keys remained active and valid for approximately 48 hours following the agency’s initial awareness.

Supporting Data: The Keys to the Kingdom

The impact of this leak extends far beyond simple password exposure. Philippe Caturegli, founder of the security consultancy Seralys, conducted a technical audit of the exposed data to determine its reach. His findings painted a grim picture of the potential for a cascading system compromise.

The AWS GovCloud Exposure

The repository contained a file explicitly titled “importantAWStokens.” This file provided administrative-level access to three distinct AWS GovCloud accounts. GovCloud is a specialized environment designed by Amazon to host sensitive government data and workloads, typically subject to stringent regulatory requirements. Access to these accounts would theoretically allow a malicious actor to create new users, exfiltrate data, or deploy malicious infrastructure within the government’s own cloud environment.

Internal System Credentials

The repository also contained a file labeled “AWS-Workspace-Firefox-Passwords.csv.” This document held a wealth of plaintext usernames and passwords for dozens of internal CISA systems. Among them were credentials for “LZ-DSO,” the agency’s “Landing Zone DevSecOps” environment—a critical pipeline used for secure code development.

CISA Admin Leaked AWS GovCloud Keys on Github

The “Artifactory” Risk

Perhaps most dangerous was the exposure of credentials to CISA’s internal “Artifactory.” In modern software development, an Artifactory serves as a central repository for all software packages and dependencies used to build applications. If a threat actor gained access to this system, they could inject backdoored code into the agency’s software builds. As Caturegli noted, “Backdoor in some software packages, and every time they build something new, they deploy your backdoor left and right.”


Official Responses and Agency Stance

When approached for comment, a CISA spokesperson acknowledged the incident, stating that the agency is currently conducting a formal investigation. The agency’s official stance remains one of cautious optimism regarding the scope of the impact.

“Currently, there is no indication that any sensitive data was compromised as a result of this incident,” the spokesperson wrote in an email. “While we hold our team members to the highest standards of integrity and operational awareness, we are working to ensure additional safeguards are implemented to prevent future occurrences.”

Nightwing, the government contractor employing the individual responsible for the repository, declined to provide a statement, directing all media inquiries back to CISA.


Implications: A Vulnerable Agency in Flux

This incident occurs at a particularly precarious time for CISA. The agency is currently navigating a period of significant turmoil, marked by drastic budget cuts and a mass exodus of talent. Reports indicate that CISA has lost nearly one-third of its workforce since the beginning of the second Trump administration. This “brain drain” has been fueled by a combination of early retirements, forced buyouts, and general resignations, leaving the agency to manage its mission-critical responsibilities with fewer resources and potentially less oversight than in previous years.

The Human Factor: Poor Password Hygiene

Beyond the exposure of the credentials themselves, the quality of the credentials found in the repository was alarming. Many of the passwords identified followed a predictable, easily guessable pattern—using the name of the platform followed by the current year. Security experts have long warned that such “static” password strategies are a major vulnerability. Even without an external leak, such practices are considered a failure of basic security standards.

The Threat of Lateral Movement

The most significant threat posed by this leak is “lateral movement.” In a sophisticated cyberattack, an adversary rarely breaches the target system and immediately achieves their goal. Instead, they move laterally, using low-level access to gather credentials that grant them higher privileges. By leaving these keys on a public repository, the contractor inadvertently provided a map and a key ring for any attacker looking to pivot from a minor breach into a full-scale takeover of CISA’s DevSecOps pipeline.

Institutional Consequences

The exposure has ignited a debate within the cybersecurity community regarding the oversight of contractors. While government agencies often rely on private firms to handle specialized technical tasks, this incident demonstrates the need for more rigorous auditing of contractor workflows. If a contractor is able to disable global security settings on a public code platform while handling classified-adjacent data, it suggests that the agency’s internal security monitoring is not reaching deep enough into the supply chain.

As the investigation continues, CISA faces the difficult task of re-securing its infrastructure while simultaneously rebuilding public and internal trust. The “Private-CISA” incident serves as a stark reminder that in the modern digital age, the strongest firewalls and the most advanced AI-driven defenses are ultimately only as secure as the human at the keyboard. For now, the agency remains under intense scrutiny, as the cybersecurity community watches to see if this incident is an isolated error or a symptom of a deeper, systemic breakdown in federal cybersecurity oversight.