Until this past weekend, a contractor for the Cybersecurity & Infrastructure Security Agency (CISA) maintained a public GitHub repository that exposed credentials to several highly privileged AWS GovCloud accounts and a large number of internal CISA systems. Security experts said the public archive included files detailing how CISA builds, tests and deploys software internally, and that it represents one of the most egregious government data leaks in recent history.
On May 15, KrebsOnSecurity heard from Guillaume Valadon, a researcher with the security firm GitGuardian. Valadon’s company constantly scans public code repositories at GitHub and elsewhere for exposed secrets, automatically alerting the offending accounts of any apparent sensitive data exposures. Valadon said he reached out because the owner in this case wasn’t responding and the information exposed was highly sensitive.
The GitHub repository that Valadon flagged was named “Private-CISA,” and it harbored a vast number of internal CISA/DHS credentials and files, including cloud keys, tokens, plaintext passwords, logs and other sensitive CISA assets.
Valadon said the exposed CISA credentials represent a textbook example of poor security hygiene, noting that the commit logs in the offending GitHub account show that the CISA administrator disabled the default setting in GitHub that blocks users from publishing SSH keys or other secrets in public code repositories.
“Passwords stored in plain text in a csv, backups in git, explicit commands to disable GitHub secrets detection feature,” Valadon wrote in an email. “I honestly believed that it was all fake before analyzing the content deeper. This is indeed the worst leak that I’ve witnessed in my career. It is obviously an individual’s mistake, but I believe that it might reveal internal practices.”
One of the exposed files, titled “importantAWStokens,” included the administrative credentials to three Amazon AWS GovCloud servers. Another file exposed in the public GitHub repository — “AWS-Workspace-Firefox-Passwords.csv” — listed plaintext usernames and passwords for dozens of internal CISA systems. According to Caturegli, those systems included one called “LZ-DSO,” which appears to be short for “Landing Zone DevSecOps,” the agency’s secure code development environment.
Philippe Caturegli, founder of the security consultancy Seralys, said he tested the AWS keys only to see whether they were still valid and to determine which internal systems the exposed accounts could access. Caturegli said the GitHub account that exposed the CISA secrets exhibits a pattern consistent with an individual operator using the repository as a working scratchpad or synchronization mechanism rather than a curated project repository.
“The use of both a CISA-associated email address and a personal email address suggests the repository may have been used across differently configured environments,” Caturegli observed. “The available Git metadata alone does not prove which endpoint or device was used.”

The Private CISA GitHub repo exposed dozens of plaintext credentials for important CISA GovCloud resources.
Caturegli said he validated that the exposed credentials could authenticate to three AWS GovCloud accounts at a high privilege level. He said the archive also includes plain text credentials to CISA’s internal “artifactory” — essentially a repository of all the code packages they are using to build software — and that this would represent a juicy target for malicious attackers looking for ways to maintain a persistent foothold in CISA systems.
“That would be a prime place to move laterally,” he said. “Backdoor in some software packages, and every time they build something new they deploy your backdoor left and right.”
In response to questions, a spokesperson for CISA said the agency is aware of the reported exposure and is continuing to investigate the situation.
“Currently, there is no indication that any sensitive data was compromised as a result of this incident,” the CISA spokesperson wrote. “While we hold our team members to the highest standards of integrity and operational awareness, we are working to ensure additional safeguards are implemented to prevent future occurrences.”
A review of the GitHub account and its exposed passwords shows the “Private CISA” repository was maintained by an employee of Nightwing, a government contractor based in Dulles, Va. Nightwing declined to comment, directing inquiries to CISA.
CISA has not responded to questions about the potential duration of the data exposure, but Caturegli said the Private CISA repository was created on November 13, 2025. The contractor’s GitHub account was created back in September 2018.
The GitHub account that included the Private CISA repo was taken offline shortly after both KrebsOnSecurity and Seralys notified CISA about the exposure. But Caturegli said the exposed AWS keys inexplicably continued to remain valid for another 48 hours.
CISA is currently operating with only a fraction of its normal budget and staffing levels. The agency has lost nearly a third of its workforce since the beginning of the second Trump administration, which forced a series of early retirements, buyouts, and resignations across the agency’s various divisions.
The now-defunct Private CISA repo showed the contractor also used easily guessed passwords for a number of internal resources; for example, many of the credentials used a password consisting of each platform’s name followed by the current year. Caturegli said such practices would constitute a serious security threat for any organization even if those credentials were never exposed externally, noting that threat actors often use key credentials exposed on the internal network to expand their reach after establishing initial access to a targeted system.
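The two hygiene failures the article describes, committing cloud keys and password CSVs to a repository with secret detection switched off, and choosing passwords of the form platform-name-plus-year, are both cheap to catch before a push. The following pre-push style scanner is an added example written for this article, not code from CISA, Nightwing or GitGuardian; the file names echo those in the article, while the contents are constructed (the AWS values are the placeholders from AWS’s own documentation) and the hostnames are invented.

```python
import csv
import io
import re

# Constructed samples standing in for the kinds of files named in the article; the AWS
# values are the placeholders from AWS's own documentation, everything else is made up.
SAMPLE_FILES = {
    "importantAWStokens": (
        "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
        "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    "AWS-Workspace-Firefox-Passwords.csv": (
        "url,username,password\n"
        "https://artifactory.example.internal,svc_build,Artifactory2026\n"
        "https://lz-dso.example.internal,admin,k7$Qz!pL2wVn9bRe\n"
    ),
    "README.md": "Build notes only, nothing sensitive here.\n",
}

AWS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
AWS_SECRET = re.compile(r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})")
# A word followed by a four-digit year, optionally one trailing symbol ("Artifactory2026", "Github2025!")
NAME_PLUS_YEAR = re.compile(r"^([A-Za-z]+)(?:19|20)\d{2}[!@#$%^&*]?$")

def weak_name_year(password, url):
    """True when the password is just the platform name (taken from the URL) plus a year."""
    m = NAME_PLUS_YEAR.match(password)
    return bool(m) and m.group(1).lower() in url.lower()

def scan_files(files):
    """Return one finding per problem as (path, kind, line-or-row number). The kinds
    mirror what a push-protection rule and a password audit would block before a push."""
    findings = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            if AWS_KEY_ID.search(line):
                findings.append((path, "aws_access_key_id", lineno))
            if AWS_SECRET.search(line):
                findings.append((path, "aws_secret_access_key", lineno))
        if path.lower().endswith(".csv"):
            rows = list(csv.DictReader(io.StringIO(text)))
            pw_col = next((c for c in (rows[0] if rows else {}) if "password" in c.lower()), None)
            for rowno, row in enumerate(rows, 2):  # row 1 is the header line
                if pw_col and row.get(pw_col):
                    findings.append((path, "plaintext_password_csv", rowno))
                    if weak_name_year(row[pw_col], row.get("url", "")):
                        findings.append((path, "name_plus_year_password", rowno))
    return findings

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print("BLOCK PUSH: %s: %s at line/row %d" % f)
```

Wired into a pre-push hook or CI job, a non-empty result would refuse the push; GitHub’s own push protection covers the key patterns, but the password-shape check is the kind of organization-level policy that has to be added by the owner.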
“What I suspect happened is [the CISA contractor] was using this GitHub to synchronize files between a work laptop and a home computer, because he has regularly committed to this repo since November 2025,” Caturegli said. “This would be an embarrassing leak for any company, but it’s even more so in this case because it’s CISA.”


The incompetence of this government is beyond compare. They are all just so stupid……..
Easy there sunshine. This is a contractor, not a government employee. What I will say is that CISA did not have enough controls in place over the years to have been able to snoop this. So they can’t blame Trump Cuts for that incompetence. Also, Nightingale failed in managing their employees. There are a LOT of really smart talented people in government, you just won’t hear about them, because they don’t make these kinds of mistakes.
Trump is blamed for everything.
He’s called head of state for a reason. It’s not just a title.
LOL “LOT of really smart talented people…don’t make these kinds of mistakes”. May I introduce you to the Iran school strike? Whose boot are you licking?
Also, the mistake isn’t just technical. It’s failure to correctly supervise the contractor – definitely the government’s fault…bad contracting management, project management, process management…should I continue?
A well done job goes unnoticed (the good workers understand that one).
And even though this was a contractor who I’m assuming passed a thorough background check (I had to pass one to just lay the carpet at the Coast Guard’s on-base housing and I didn’t even get a gate code), and probably had at least some top secret clearance access, who was just working for the government in its cyber security division?! (and had this egregious practice of making all his note transfers public and all organized by contracts) and not just a citizen, you would hope a world power government would keep a better eye on its employees.
So I’d be asking the hard to see questions,
1. So how long has this IP been transferring notes publicly (not just in this case’s recovered intel)?
You would assume someone using GitHub as a horrible replacement for something more private like, idk, something like gnupg and KDE Connect (for something off the top of the head that’s free even), would be unstructured and globbed together with other subjects initially while they learned the environment.
2. Time frame those beginning scratch pages started being organizationally structured.
3. Now how long before the notes got their own repository per contract (especially this one), or do they normally go by subject pertained within the notes, or do they normally glob notes and go by date (if I was to use a repository to transfer my classified notes I would want to just transfer the day’s notes every night I dealt with that contract, right? Got to keep receipts for those big paying hours, right?).
And like I said I’m looking at the IP uploading and accessing this person’s repositories for all accounts that even connected to look at this and may have resent any in whole or in part. Just to remind everyone who we are and that we don’t take kindly to this kind of incident.
This wasn’t incompetence. This was a deliberate act of sabotage. The contractor will almost certainly face criminal charges.
The DOGE circus continues. No surprise when you cut essential people in an essential agency.
The DOGE circus continues. A predictable outcome when you cut essential, experienced personnel from an essential agency. It can only get worse. This is cybersecurity 101 stuff….
My money is on infiltration of the contractor by a faux employee candidate. Got that idea from the AWS key staying valid for 48 hours. Some of the mistakes seem those of a fly by Nightwing noob operation, but where better to insert the droud…
The incompetence is breathtaking. One is left to wonder if the responsible parties (DOGE?) weren’t working for foreign entities. When this administration is finally held accountable I hope that everyone involved is identified and publicly humiliated.
Does it even surprise anyone? At the current level of the incompetency of the U.S. government it’s just something that would preoccupy the news cycle for less than a day. And then there will be another gaffe… and another one. I mean is it even that bad when our commander in chief is an open Russian asset?
Hmmmm who would have warned them about this when they first put that stuff in the cloud? If only there was someone who would have told them this was a very bad idea? Oh wait, I remember.
CISA is a hollow shell of itself since Chris Krebs (no relation) was removed.
Actually more related than you think the two of them are. Sorta like us.
C’mon, you cannot blame the administration for this. Any employee/contractor and especially one working for CISA should know better than this particularly given the current “climate” where cyber espionage is so prevalent. The employee/contractor should be marched off the premises asap.
Nah it’s just easier to blame Trump. It’s too funny.
While we’re at it, should discipline so many teams that fell down on the job here detecting this — IAM, AppSec, detection engineering, cloud security, GRC. Oh wait, there’s no budgets, staff, institutional knowledge in these teams anymore? Ok then the problem is more organizational. Where should blame lay then?
Excellence starts from the top. When something good happens, the administration – ANY administration – takes credit. When something bad happens, it’s always a rogue employee/contractor/intern.
The government cannot escape blame and accountability for this. When agencies are literally run by DEI hires – cronies with no qualifications – who aren’t held to account for literal crimes, it sets the tone.
Nice try. All the DEI hires were already removed, remember?
These problems are caused by what’s left after the department was gutted.
I believe Teddy was using “DEI” in a parodistic way, effectively as in “the people in charge here were exactly what DEI hires have been accused of being = hired for politically desirable attributes rather than competence”.
In reality, here the inverse of DEI would be the more fitting abbreviation… so they should be called IED hires?
Yes, the contractor screwed up epically but that also means there was a catastrophic failure in oversight and monitoring. Just as your bank doesn’t trust each teller to be impeccably honest, there should have been auditing mechanisms on GitHub and on those services preventing long-lived credentials, forcing strong passwords, preventing reuse, etc.
Chris
> there should have been auditing mechanisms on GitHub
The article states there were default-on auditing mechanisms on GitHub which were explicitly turned off by the offending user.
And the offending user should have been blocked from turning off those GitHub *defaults* by an organization policy applied to all their users.
Exactly: the fact that someone was allowed to turn them off and nobody asked about it is what elevates it to a senior management issue, especially at a security-centric organization. One person making a bad decision shouldn’t be catastrophic.
This seems on par for anyone who has ever had the misfortune of having to work with CISA. There are good folks there, and many are doing their best, but that level of responsibility simply doesn’t come from the prices or bureaucratic structure provided by DHS, even in the best of times.
Rhonda,
This just goes to show how mistakes can happen very easily with lack of carelessness, making personal information very vulnerable to hackers. I think CISA/Nightingale should better screen the contract worker; there is blame on both sides. It’s so sad that this happened and caused most of the others to lose their jobs.
“CISA’s internal “artifactory””
Artifactory (a software repository/caching/proxy solution) doesn’t need to be in quotes; it needs to be capitalized.
Since when is the krebsonsecurity comment section filled with lunatics making political comments? You guys do know this is a cybersecurity blog?
I guess the TDS is overwhelming and you guys gotta bounce some conspiracies around the echo chamber just to feel good. Must be a depressing way to go through life, constantly angry and constantly the victim
It is not TDS to point out that Trump has favored people who will do exactly what he wants over more qualified candidates. I give you Patel, Hegseth, Bondi, Lindsay Halligan, etc. This is in addition to dismissing competent staff already in place.
It’s like trusting your software vendor to do the right thing with an open credit card. Some people just shouldn’t be trusted.
Was it correctly supervised? Weakness in contracting process and management, maybe.