A contractor working with the Cybersecurity and Infrastructure Security Agency kept a public GitHub repository containing credentials for highly privileged AWS GovCloud accounts and internal CISA systems until this past weekend, according to KrebsOnSecurity and security researchers who examined the archive.
The repository was named “Private-CISA,” which was doing a lot of work for a folder anyone could apparently reach. Guillaume Valadon, a researcher at GitGuardian, told KrebsOnSecurity that his company’s scanning systems found the exposed secrets and tried to alert the account owner. Valadon said he escalated the case because the owner did not respond and the material appeared highly sensitive.
What was exposed
According to Valadon and Philippe Caturegli, founder of the security consultancy Seralys, the public GitHub archive included cloud keys, tokens, plaintext passwords, logs and other internal CISA and Department of Homeland Security material. Valadon said Git metadata showed the account holder had disabled GitHub’s default protection that blocks publication of SSH keys and other secrets in public repositories.
Valadon described the leak in unusually blunt terms, saying the archive contained “passwords stored in plain text in a csv,” backups in Git and commands disabling GitHub secret detection. He wrote that he initially thought the contents might be fake because the exposure looked so bad.
One file called “importantAWStokens” contained administrative credentials for three AWS GovCloud servers, according to the researchers. Another file, “AWS-Workspace-Firefox-Passwords.csv,” listed usernames and passwords for dozens of CISA systems in plaintext. Caturegli said those systems included “LZ-DSO,” which he said appears to refer to Landing Zone DevSecOps, CISA’s secure software development environment.
Caturegli told KrebsOnSecurity he tested the AWS credentials only to confirm whether they were still valid and to see what systems the exposed accounts could reach. He said the keys authenticated to three AWS GovCloud accounts with high privileges. He also said the repository included credentials for CISA’s internal artifactory, a package repository used in software builds.
That kind of access matters because build systems are excellent places to cause quiet trouble. Caturegli said an attacker with access to the artifactory could try to place backdoored packages into software that later gets built and deployed elsewhere.
CISA says it is investigating
A CISA spokesperson told KrebsOnSecurity that the agency is aware of the reported exposure and is investigating. The spokesperson said CISA currently has “no indication that any sensitive data was compromised” and said the agency is working on additional safeguards to prevent a recurrence.
KrebsOnSecurity reported that a review of the GitHub account and exposed passwords showed the repository was maintained by an employee of Nightwing, a government contractor based in Dulles, Virginia. Nightwing declined to comment and referred questions to CISA.
CISA did not answer questions about how long the data was publicly available. Caturegli said the Private-CISA repository was created on November 13, 2025, and that the contractor’s GitHub account dated to September 2018. The account was taken offline after KrebsOnSecurity and Seralys notified CISA, but Caturegli said the exposed AWS keys remained valid for another 48 hours.
Caturegli said the repository looked less like a polished software project and more like a scratchpad or synchronization point used across machines. He said the use of both a CISA-associated email address and a personal email address suggested different environments, though the Git metadata alone did not prove which device was used.
The repository also contained easily guessed passwords for some internal resources, including passwords based on a platform name followed by the current year, according to Caturegli. That would be bad inside any organization. At the federal agency responsible for telling other people how to secure systems, it is worse.
This story draws on original reporting from Krebs on Security.