In a staggering lapse of operational security, a government contractor for the Cybersecurity and Infrastructure Security Agency (CISA) inadvertently exposed a treasure trove of highly sensitive credentials and internal deployment configurations to the public internet. The data, hosted in a public GitHub repository aptly named “Private-CISA,” included administrative access keys to critical AWS GovCloud accounts, plaintext passwords for internal agency systems, and detailed documentation on how the agency builds and tests its software.
Security researchers have characterized the incident as one of the most egregious data leaks in recent government history. The exposure, which persisted for months, potentially provided a roadmap for malicious actors to infiltrate the very agency tasked with safeguarding the nation’s digital infrastructure.
The Discovery: A Red Flag in the Code
The breach came to light on May 15, when Guillaume Valadon, a researcher with the security firm GitGuardian, identified the repository during routine automated scans. GitGuardian’s technology is designed to detect sensitive information—such as API keys, cryptographic tokens, and credentials—accidentally pushed to public code repositories.
Upon reviewing the contents of the “Private-CISA” repository, Valadon was reportedly stunned. “I honestly believed that it was all fake before analyzing the content deeper,” Valadon stated. “This is indeed the worst leak that I’ve witnessed in my career.”
The repository was not merely a collection of minor configuration files; it was a comprehensive cache of high-level administrative access. Valadon noted that the repository owner had deliberately disabled GitHub’s “secret scanning” features, which are designed to automatically block or alert users if they attempt to commit sensitive credentials to a public repository. This active bypass of security controls suggests a catastrophic failure in both training and internal security oversight.
Chronology of the Exposure
The timeline of the “Private-CISA” incident reveals a long-standing vulnerability that remained undetected by the contractor and the agency for half a year:
- September 2018: The contractor’s GitHub account was originally created.
- November 13, 2025: The “Private-CISA” repository was created, marking the beginning of the data exposure.
- November 2025 – May 2026: The repository was used as a synchronization tool, with the contractor committing files regularly to bridge the gap between home and work computing environments.
- May 15, 2026: Researchers from GitGuardian and Seralys independently identified the leak and notified CISA.
- Mid-May 2026: CISA acted to take the repository offline following the notification.
- Late May 2026: Security consultants confirmed that, despite the repository being removed, some of the exposed AWS credentials remained valid for an additional 48 hours, highlighting a dangerous lag in incident response and credential rotation.
Supporting Data: The Anatomy of a Breach
The sheer volume and sensitivity of the data contained within the repository underscore the severity of the leak. Philippe Caturegli, founder of the security consultancy Seralys, conducted an independent analysis of the repository after it was flagged.
High-Privilege Access
Caturegli confirmed that the repository contained administrative credentials for three separate AWS GovCloud accounts. GovCloud is a specialized environment designed to host sensitive government data and workloads, adhering to strict compliance standards. The exposure of these keys meant that an unauthorized user could have theoretically assumed high-level privileges within the agency’s cloud infrastructure.
Plaintext Vulnerabilities
Among the most alarming files discovered was a CSV file titled “AWS-Workspace-Firefox-Passwords.csv.” This file contained a list of plaintext usernames and passwords for dozens of internal CISA systems. Of particular note was the exposure of credentials for the “LZ-DSO” (Landing Zone DevSecOps) environment—the agency’s secure development pipeline.
Furthermore, the repository contained credentials for CISA’s internal “artifactory,” a central hub used to manage software packages. By gaining access to this system, a threat actor could have engaged in “supply chain poisoning,” inserting malicious backdoors into software packages that would subsequently be deployed across the agency’s network.
Poor Password Hygiene
The investigation revealed that the contractor relied on weak, predictable passwords, such as the platform’s name followed by the current year. This practice, combined with the storage of these credentials in plaintext, represents a fundamental violation of federal cybersecurity standards, which mandate robust authentication and encryption protocols.
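The three failures described above (GitHub's secret scanning switched off, a password CSV committed in plaintext, and passwords built from a platform name plus the year) are all things a contractor's own pre-commit check could have caught. The scanner below is an added illustration written for this article, not GitGuardian's or GitHub's code: it flags AWS access key IDs by their fixed prefix, flags 40-character values labelled as AWS secrets only when they are high-entropy (so documentation placeholders do not trip it), treats any CSV with a password-like column as plaintext credential storage, and marks "name followed by year" passwords as weak. The repository contents, file names, and the key pair (AWS's own documentation placeholder) are constructed sample input; the `.example.invalid` hosts are not real systems.

```python
import csv
import io
import math
import re
from dataclasses import dataclass
from pathlib import Path

# AWS access key IDs: fixed 4-char prefix, then 16 upper-case alphanumerics.
AWS_KEY_ID = re.compile(
    r"\b((?:A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16})\b"
)
# Secret access keys are 40 base64-ish chars; only flagged next to an "aws...secret" label.
AWS_SECRET = re.compile(
    r"(?i)aws[a-z_\-]*secret[a-z_\-]*\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)
# The pattern the article describes: a platform name followed by a year, maybe a few symbols.
WEAK_PASSWORD = re.compile(r"^[A-Za-z]{3,}(?:19|20)\d{2}[!@#$%^&*.]{0,3}$")


@dataclass(frozen=True)
class Finding:
    path: str
    kind: str
    line: int
    detail: str


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking secrets score well above ordinary words."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def scan_text(path: str, text: str) -> list[Finding]:
    """Flag AWS key IDs and high-entropy secret keys, line by line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in AWS_KEY_ID.finditer(line):
            findings.append(Finding(path, "aws_access_key_id", lineno, m.group(1)[:8] + "..."))
        for m in AWS_SECRET.finditer(line):
            if shannon_entropy(m.group(1)) > 3.5:  # skips placeholders like "xxxx..."
                findings.append(Finding(path, "aws_secret_access_key", lineno, "40-char secret"))
    return findings


def scan_password_csv(path: str, text: str) -> list[Finding]:
    """Any CSV with a password-like column is plaintext credential storage; every row is a finding."""
    reader = csv.DictReader(io.StringIO(text))
    pw_cols = [c for c in (reader.fieldnames or []) if "pass" in c.lower()]
    findings = []
    for rownum, row in enumerate(reader, 2):  # header is line 1
        for col in pw_cols:
            value = (row.get(col) or "").strip()
            if not value:
                continue
            kind = "weak_plaintext_password" if WEAK_PASSWORD.match(value) else "plaintext_password"
            who = row.get("username") or row.get("user") or "?"
            findings.append(Finding(path, kind, rownum, f"user={who}"))
    return findings


def scan_repo(files: dict[str, str]) -> list[Finding]:
    """Scan an in-memory {path: contents} map, which is what a pre-commit hook would feed in."""
    findings = []
    for path, text in files.items():
        if path.lower().endswith(".csv"):
            findings.extend(scan_password_csv(path, text))
        findings.extend(scan_text(path, text))
    return findings


def scan_directory(root: str) -> list[Finding]:
    """Walk a checkout on disk, skipping .git; binary files are read with errors ignored."""
    files = {}
    for p in Path(root).rglob("*"):
        if p.is_file() and ".git" not in p.parts:
            files[str(p.relative_to(root))] = p.read_text(encoding="utf-8", errors="ignore")
    return scan_repo(files)


# Constructed sample repository; the key pair is the placeholder from AWS's own documentation.
SAMPLE_REPO = {
    "deploy/terraform.tfvars": (
        'region = "us-gov-west-1"\n'
        'aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"\n'
        'aws_secret_access_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'
    ),
    "AWS-Workspace-Firefox-Passwords.csv": (
        "url,username,password\n"
        "https://artifactory.example.invalid,svc-build,Artifactory2025!\n"
        "https://lz-dso.example.invalid,admin,c7Hq!x9Lw#2pVz\n"
    ),
    "README.md": "Scratchpad for syncing files between home and work.\n",
}

if __name__ == "__main__":
    for f in scan_repo(SAMPLE_REPO):
        print(f"{f.path}:{f.line}: {f.kind} ({f.detail})")
```

Run against the sample it reports the key ID and secret in the tfvars file and both CSV rows, one of them as weak. Wired into a pre-commit hook via `scan_directory`, a non-empty result is the signal to refuse the commit; the entropy gate on secrets is what keeps such a hook from crying wolf on placeholder values, which is the usual reason developers turn scanning off.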

Official Responses and Agency Stance
When approached for comment, a CISA spokesperson acknowledged the incident, stating that the agency is conducting a thorough investigation. “Currently, there is no indication that any sensitive data was compromised as a result of this incident,” the spokesperson claimed. “While we hold our team members to the highest standards of integrity and operational awareness, we are working to ensure additional safeguards are implemented to prevent future occurrences.”
The contractor responsible for the repository is an employee of Nightwing, a government contractor based in Dulles, Virginia. When contacted for comment, Nightwing declined to address the specifics of the situation, referring all inquiries back to CISA.
The agency’s response has drawn criticism from security experts, particularly regarding the 48-hour window where the AWS keys remained valid even after the repository was taken down. This delay indicates that the agency’s incident response team did not immediately rotate the compromised credentials, leaving the door open for potential exploitation even after the breach was discovered.
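The 48-hour window is measurable. AWS publishes a per-account IAM credential report (a CSV with one row per user and, per access-key slot, whether the key is active, when it was last rotated and when it was last used), and an incident responder can diff it against the time of notification. The audit below is an added example written for this article, not an AWS tool or anything CISA used: for every key that existed when the leak was reported it says whether the key has since been rotated (and after how many hours), or is still live, and whether it was used after the notification. The report text, the user names, the account number and the notification time are all constructed; the column names are a subset of the real report's, and the partition prefix `arn:aws-us-gov` is the one GovCloud uses.

```python
import csv
import io
from datetime import datetime, timedelta, timezone


def parse_ts(value: str):
    """Credential-report timestamps are ISO 8601; the N/A-style markers mean 'no value'."""
    if not value or value in ("N/A", "no_information", "not_supported"):
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def rotation_audit(report_csv: str, notified_at: datetime, now: datetime) -> list[dict]:
    """One record per access key that predates the notification: rotated since (with the lag
    in hours) or still live (with hours elapsed so far), plus whether it was used after notice."""
    results = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        for slot in ("1", "2"):
            active = row.get(f"access_key_{slot}_active", "").lower() == "true"
            rotated = parse_ts(row.get(f"access_key_{slot}_last_rotated", ""))
            last_used = parse_ts(row.get(f"access_key_{slot}_last_used_date", ""))
            if rotated is None:
                continue  # this slot never held a key
            if rotated > notified_at:
                status, hours = "rotated", (rotated - notified_at).total_seconds() / 3600
            elif active:
                status, hours = "still_live", (now - notified_at).total_seconds() / 3600
            else:
                continue  # pre-notice key already deactivated: nothing left to chase
            results.append({
                "user": row["user"],
                "slot": slot,
                "status": status,
                "hours_after_notice": round(hours, 1),
                "used_after_notice": last_used is not None and last_used > notified_at,
            })
    return results


def still_live(results: list[dict]) -> list[str]:
    """The rotation queue: pre-notice keys that still work, those used since the notice first."""
    live = [r for r in results if r["status"] == "still_live"]
    ordered = sorted(live, key=lambda r: not r["used_after_notice"])
    return [f'{r["user"]}/key{r["slot"]}' for r in ordered]


# Constructed credential report (subset of the real columns) for a fictitious GovCloud account.
SAMPLE_REPORT = """user,arn,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
svc-deploy,arn:aws-us-gov:iam::000000000000:user/svc-deploy,true,2025-11-13T10:00:00+00:00,2026-05-16T22:40:00+00:00,false,N/A,N/A
svc-build,arn:aws-us-gov:iam::000000000000:user/svc-build,true,2026-05-15T18:00:00+00:00,N/A,false,N/A,N/A
ci-runner,arn:aws-us-gov:iam::000000000000:user/ci-runner,false,N/A,N/A,true,2026-01-05T12:00:00+00:00,2026-05-10T03:00:00+00:00
"""
NOTIFIED_AT = datetime(2026, 5, 15, 14, 0, tzinfo=timezone.utc)  # constructed notification time
NOW = NOTIFIED_AT + timedelta(hours=48)                            # constructed: two days later

if __name__ == "__main__":
    for r in rotation_audit(SAMPLE_REPORT, NOTIFIED_AT, NOW):
        print(r)
    print("rotate next:", still_live(SAMPLE_REPORT and rotation_audit(SAMPLE_REPORT, NOTIFIED_AT, NOW)))
```

On the sample, `svc-build` was rotated four hours after notice; `svc-deploy` and `ci-runner` still hold pre-notice keys two days later, and `svc-deploy`'s key was used after the notification, which is the row an incident response team should be looking at first. The same check, re-run every hour against a fresh report, is a simple way to turn "rotate the keys" from an intention into something a team can see it has finished.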
Implications: A System Under Strain
The “Private-CISA” leak comes at a precarious time for the agency. CISA is currently navigating a period of significant turmoil, having lost nearly one-third of its workforce since the start of the second Trump administration. The resulting brain drain—driven by buyouts, early retirements, and mass resignations—has left the agency operating with significantly reduced capacity and budget.
The Risks of Lateral Movement
The primary concern for security professionals is the ease with which an attacker could have moved laterally through the network. Once a threat actor obtains administrative credentials for a developer’s workstation or a cloud environment, they can escalate privileges, pivot to other sensitive databases, and establish long-term persistence that is notoriously difficult to detect.
“That would be a prime place to move laterally,” Caturegli observed. “Backdoor in some software packages, and every time they build something new, they deploy your backdoor left and right.”
The Contractor Dilemma
The reliance on contractors for high-stakes government work presents a perennial security challenge. When contractors operate outside the strict purview of agency-managed security environments—such as using a personal GitHub repository to sync work files—they introduce “shadow IT” risks that bypass even the most sophisticated enterprise defenses.
The incident highlights the urgent need for a more rigorous vetting and auditing process for contractors who have access to government systems. The use of a public repository as a “scratchpad” is a clear violation of standard operating procedures, yet the fact that it persisted for six months suggests a lack of automated monitoring for developer behavior within the agency’s ecosystem.
Conclusion
The “Private-CISA” breach serves as a stark reminder that the most sophisticated cybersecurity defenses can be rendered useless by the most basic human error. The exposure of high-level AWS GovCloud keys and internal development secrets is a profound embarrassment for an agency charged with protecting the nation’s critical infrastructure.
As CISA works to reorganize and stabilize in the wake of significant workforce losses, this incident underscores the necessity of maintaining rigid security hygiene, regardless of staffing levels. The lessons from this leak—namely the requirement for mandatory secret scanning, the prohibition of plaintext credential storage, and the need for rapid credential revocation—are universal. Whether these lessons will lead to a more secure footing for the agency, or whether the current atmosphere of instability will allow similar lapses to continue, remains an open question for the cybersecurity community.
