CISA Contractor Exposes AWS GovCloud Credentials in Public GitHub Repository
A contractor for the **Cybersecurity & Infrastructure Security Agency (CISA)** inadvertently exposed highly privileged **AWS GovCloud** credentials and internal CISA systems data through a public **GitHub** repository. The leak, discovered by security researchers, highlights significant lapses in security hygiene and raises concerns about potential compromises of sensitive government systems.
A contractor for the **Cybersecurity & Infrastructure Security Agency (CISA)** maintained a public **GitHub** repository that exposed credentials to several highly privileged **AWS GovCloud** accounts and a large number of internal CISA systems until recently. Security experts are calling it one of the most egregious government data leaks in recent history, as the archive included files detailing how CISA builds, tests, and deploys software internally.
### Discovery by GitGuardian
On May 15th, **KrebsOnSecurity** was contacted by **Guillaume Valadon**, a researcher with the security firm **GitGuardian**. **GitGuardian** constantly scans public code repositories like **GitHub** for exposed secrets, automatically alerting account owners of potential sensitive data exposures. Valadon reached out because the owner of the repository wasn't responding and the exposed information was highly sensitive.

### "Private-CISA" Repository Details
The **GitHub** repository, named "**Private-CISA**," contained a vast number of internal CISA/DHS credentials and files, including cloud keys, tokens, plaintext passwords, logs, and other sensitive CISA assets.
Valadon noted that the commit logs showed the CISA administrator had disabled the default **GitHub** setting that blocks users from publishing SSH keys or other secrets in public code repositories.
"Passwords stored in plain text in a csv, backups in git, explicit commands to disable GitHub secrets detection feature," Valadon wrote. "I honestly believed that it was all fake before analyzing the content deeper. This is indeed the worst leak that I've witnessed in my career. It is obviously an individual's mistake, but I believe that it might reveal internal practices."
### Exposed Credentials and Potential Impact
One file, titled "importantAWStokens," included administrative credentials to three **Amazon AWS GovCloud** servers. Another file, "AWS-Workspace-Firefox-Passwords.csv," listed plaintext usernames and passwords for dozens of internal CISA systems, including one called "LZ-DSO" (Landing Zone DevSecOps), the agency's secure code development environment.
**Philippe Caturegli**, founder of the security consultancy **Seralys**, validated that the exposed credentials could authenticate to the AWS GovCloud accounts at a high privilege level. He also noted that the repository included plaintext credentials to CISA's internal "artifactory," a repository of code packages used to build software. This could be a prime target for attackers looking to establish a persistent foothold in CISA systems.
"That would be a prime place to move laterally," he said. "Backdoor in some software packages, and every time they build something new they deploy your backdoor left and right."
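To show the kind of check a scanner such as GitGuardian, or GitHub's own push protection, performs before a commit like this becomes public, here is an added Python example (not the article's, GitGuardian's or CISA's code) that walks a checkout for AWS access key IDs and CSV files with plaintext password columns. The sample files it builds are constructed for the demo, modelled only on the file names the article reports; the key and password values in them are fake.

```python
import csv
import io
import re
import tempfile
from pathlib import Path

# AWS access key IDs begin with AKIA (long-term) or ASIA (temporary) followed by
# 16 upper-case alphanumerics; this is the documented public format, not a value
# taken from the leaked repository.
AWS_ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
PASSWORD_HEADERS = {"password", "passwd", "pass", "pwd", "secret"}


def scan_text_for_aws_keys(text):
    """Return the distinct AWS access key IDs found in a blob of text."""
    return sorted(set(AWS_ACCESS_KEY_RE.findall(text)))


def csv_password_columns(text):
    """Return header names in CSV text that look like plaintext password columns."""
    header = next(csv.reader(io.StringIO(text)), [])
    return [h for h in header if h.strip().lower() in PASSWORD_HEADERS]


def scan_tree(root):
    """Walk a directory (e.g. a repository checkout) and report secret-like content
    as sorted (relative path, finding) tuples; .git internals are skipped."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file() or ".git" in path.parts:
            continue
        text = path.read_text(errors="ignore")
        rel = path.relative_to(root).as_posix()
        for key in scan_text_for_aws_keys(text):
            findings.append((rel, f"aws_access_key_id:{key}"))
        if path.suffix.lower() == ".csv":
            for col in csv_password_columns(text):
                findings.append((rel, f"plaintext_password_column:{col}"))
    return sorted(findings)


def demo():
    """Build a constructed sample tree (fake values) and scan it."""
    d = Path(tempfile.mkdtemp())
    (d / "importantAWStokens").write_text(
        "aws_access_key_id = AKIAEXAMPLE0000000AA\naws_secret_access_key = NOTAREALSECRET\n")
    (d / "AWS-Workspace-Firefox-Passwords.csv").write_text(
        "url,username,password\nhttps://lz-dso.example,admin,Platform2025\n")
    (d / "README.md").write_text("# constructed sample, no secrets here\n")
    return scan_tree(d)
```

Running `demo()` flags the token file and the password CSV and leaves the README alone; wiring `scan_tree` into a pre-commit hook stops the same content before it is pushed.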

### CISA's Response and Investigation
CISA stated they are aware of the reported exposure and are investigating the situation. "Currently, there is no indication that any sensitive data was compromised as a result of this incident," a CISA spokesperson wrote. "While we hold our team members to the highest standards of integrity and operational awareness, we are working to ensure additional safeguards are implemented to prevent future occurrences."
The "Private CISA" repository was maintained by an employee of **Nightwing**, a government contractor. Nightwing declined to comment, directing inquiries to CISA.
The repository was created on November 13, 2025, and the contractor's **GitHub** account dates back to September 2018. The **GitHub** account was taken offline shortly after notifications, but the exposed AWS keys remained valid for another 48 hours.
### Contributing Factors and Security Practices
CISA is currently operating with reduced budget and staffing levels. The now-defunct Private CISA repo showed the contractor also used easily guessed passwords for internal resources, such as platform names followed by the current year.
"What I suspect happened is [the CISA contractor] was using this GitHub to synchronize files between a work laptop and a home computer, because he has regularly committed to this repo since November 2025," Caturegli said. "This would be an embarrassing leak for any company, but it's even more so in this case because it's CISA."