A public GitHub repository managed for the U.S. Cybersecurity and Infrastructure Security Agency exposed plaintext passwords, SSH private keys, and other sensitive data from at least November 2025 until its recent takedown, security researcher Brian Krebs reported Saturday. The exposure granted high-level access to Amazon Web Services GovCloud accounts, according to testing by Seralys founder Philippe Caturegli. The repository was named, with apparent irony, “Private-CISA.”
The repository was brought to Krebs’s attention by GitGuardian’s Guillaume Valadon, whose company’s automated public code scans flagged the exposed secrets. Valadon told Krebs he received no response after attempting to contact the repository’s owner directly. He then reached out to Krebs to escalate the finding.
Commit logs reviewed by Valadon indicated that GitHub’s default protections against pushing secrets had been deliberately disabled by the repository’s administrator. Those safeguards exist to catch exactly this kind of mistake before a credential reaches a public branch.
Caturegli tested the exposed credentials to verify that the exposure was real rather than a hoax or a honeypot. He confirmed that they granted high-privilege access to multiple AWS GovCloud accounts. GovCloud (US) is Amazon’s isolated cloud partition designed to host sensitive government data and regulated workloads.
The repository appeared to be managed by Nightwing, a Virginia-based CISA contractor. Nightwing has not issued a public statement. The company referred all questions back to CISA.
This is not CISA’s first security stumble this year. In January, then-acting CISA Director Madhu Gottumukkala uploaded sensitive government documents to ChatGPT. He had requested and received an exemption from an agency policy that prohibited CISA personnel from using the AI tool.
Gottumukkala was removed from his role in February. The agency responsible for defending federal networks against cyber threats has now suffered two self-inflicted data exposures in five months. The pattern raises serious questions about internal security culture at the organization tasked with setting the standard for the rest of the government.
GitHub’s secret-scanning protections, which were reportedly disabled in this case, are free for public repositories. Secret scanning alerts on credentials, API tokens, and private keys found in commits; push protection goes further and rejects a push that contains a recognizable secret before it reaches the repository. Secret scanning has been available on public repositories since it launched as token scanning in 2018, and GitHub turned push protection on by default for all public repositories in 2024. Turning either off requires an explicit administrative action in the repository’s settings, and even with push protection enabled the person pushing can override a block by supplying a reason, so bypass events in the audit log deserve the same attention as a disabled setting.
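The following is an added example of the kind of check push protection performs, written for this article; it is not GitHub’s code and not anything from the repository in question. It scans a set of files the way a pre-push hook would read staged blobs, using a rule set modelled on what secret scanners flag (PEM private-key headers, AWS access key IDs, GitHub tokens, and keyword=value assignments screened by a placeholder and entropy check). The sample files are constructed: the AWS key ID is Amazon’s documented example value and the GitHub token is a made-up string with a valid prefix and length.

```python
"""Pre-push style secret scanner: an added example, not GitHub's push-protection
code. Rule set and sample files are constructed for illustration."""
import math
import re
from dataclasses import dataclass

# Ordered most-specific first; the first rule to hit a line wins.
RULES = {
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    # keyword=value pairs; the value is group(1) and gets a placeholder/entropy check
    "credential_assignment": re.compile(
        r"(?i)\b\w*(?:secret|token|api_key|password|passwd|pwd)\w*\s*[=:]\s*['\"]?([^\s'\"]{8,})"
    ),
}
PLACEHOLDERS = {"changeme", "password", "yourpassword", "xxxxxxxx", "redacted"}


@dataclass(frozen=True)
class Finding:
    rule: str
    path: str
    line_no: int
    excerpt: str  # the offending line with the secret itself redacted


def shannon_entropy(value: str) -> float:
    """Bits per character: a random 40-char key scores above 4, 'aaaaaaaa' scores 0."""
    if not value:
        return 0.0
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in (value.count(ch) for ch in set(value)))


def looks_like_placeholder(value: str) -> bool:
    """Templates, docs and dummy values are the main false-positive source for keyword rules."""
    v = value.lower().rstrip(".,;")
    return v in PLACEHOLDERS or v.startswith(("<", "${", "{{")) or shannon_entropy(v) < 3.0


def redact(line: str, m: re.Match) -> str:
    """Keep a 4-char prefix so the finding can be correlated, never the full secret."""
    start, end = m.span(1) if m.lastindex else m.span()
    return line[:start] + line[start:start + 4] + "[REDACTED]" + line[end:]


def scan_text(path: str, text: str) -> list:
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES.items():
            m = pattern.search(line)
            if m is None:
                continue
            if rule == "credential_assignment" and looks_like_placeholder(m.group(1)):
                continue
            findings.append(Finding(rule, path, line_no, redact(line, m).strip()))
            break  # one finding per line is enough to block the push
    return findings


def scan_files(files: dict) -> list:
    """files maps path -> content, as a hook would read the staged blobs."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


def summarize(findings) -> dict:
    counts = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


# Constructed sample tree. Only README.md should pass clean.
SAMPLE_FILES = {
    "config/prod.env": (
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCyEXAMPLEKEY\n"
        "DB_PASSWORD=Tr0ub4dor&3xample!\n"
    ),
    "deploy/id_ed25519": (
        "-----BEGIN OPENSSH PRIVATE KEY-----\n"
        "b3BlbnNzaC1rZXktdjEAAAAA...\n"
        "-----END OPENSSH PRIVATE KEY-----\n"
    ),
    "scripts/release.sh": "#!/bin/sh\nexport GITHUB_TOKEN=ghp_0123456789abcdefghijklmnopqrstuvwxyz\n",
    "README.md": "Set password=changeme in .env.\nThen set API_TOKEN=<your-token-here>.\n",
}

if __name__ == "__main__":
    found = scan_files(SAMPLE_FILES)
    for f in found:
        print(f"{f.path}:{f.line_no}: {f.rule}: {f.excerpt}")
    raise SystemExit(1 if found else 0)  # a non-zero exit is what makes a hook block the push
```

The point of the placeholder and entropy screen is that a keyword rule alone drowns a team in false positives, and a team drowning in false positives is exactly the team that turns the protection off.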
Security professionals reacted with disbelief. The exposure of SSH private keys is particularly dangerous because a leaked user key authenticates as that user to every host whose authorized_keys file lists the matching public key, with no password required, and a leaked host key lets an attacker impersonate the server itself. Combined with high-privilege access to AWS GovCloud, the potential for lateral movement across sensitive government systems was significant.
CISA has not disclosed whether it has completed an audit of what was done with the exposed credentials; for the AWS side, that means reviewing the CloudTrail history of every exposed access key. The agency also has not said whether it has notified any affected parties or law enforcement. The timeline of exposure stretches back at least six months, giving any potential malicious actor a wide window of opportunity.
The incident highlights a persistent problem across both government and industry: the gap between security policy and security practice. Agencies can mandate multi-factor authentication, zero-trust architectures, and continuous monitoring. But a single public repository holding long-lived credentials sidesteps all of those controls, because an access key or private key authenticates on its own and no MFA prompt stands in the way.
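As an added example of what the audit discussed above looks like in practice (written for this article, not CISA’s, Nightwing’s, or AWS’s code), the block below triages CloudTrail records for a set of known-leaked access keys. The field names (eventTime, eventName, eventSource, sourceIPAddress, errorCode, userIdentity.accessKeyId) are the standard CloudTrail record schema, which GovCloud (US) regions share; the high-risk action list, the records, the key IDs, the IP addresses and the dates are all constructed for illustration.

```python
"""CloudTrail triage for leaked AWS access keys: an added example, not code from
CISA, Nightwing or AWS. Records, IPs, dates and the trusted-IP list are constructed."""
from datetime import datetime, timezone

# Successful calls that mean a leaked key was exploited, not merely exposed.
# Keyed by the eventSource prefix ("iam" for "iam.amazonaws.com"); a starting
# point chosen for this example, not an exhaustive catalogue.
HIGH_RISK = {
    "iam": {"CreateUser", "CreateAccessKey", "AttachUserPolicy", "PutUserPolicy", "CreateLoginProfile"},
    "sts": {"AssumeRole", "GetFederationToken"},
    "s3": {"ListBuckets", "GetObject", "PutBucketPolicy"},
    "ec2": {"RunInstances", "AuthorizeSecurityGroupIngress"},
}
TS = "%Y-%m-%dT%H:%M:%SZ"  # CloudTrail eventTime format


def parse_time(ts: str) -> datetime:
    return datetime.strptime(ts, TS).replace(tzinfo=timezone.utc)


def is_high_risk(ev: dict) -> bool:
    service = ev["eventSource"].split(".")[0]
    return ev["eventName"] in HIGH_RISK.get(service, set())


def triage(records, leaked_keys, exposure_start, trusted_ips) -> dict:
    """Per leaked key: what happened on or after exposure_start, and from where."""
    since = parse_time(exposure_start)
    out = {k: {"first_seen": None, "last_seen": None, "events_after_exposure": 0,
               "untrusted_ips": set(), "failed_calls": 0, "high_risk_success": []}
           for k in leaked_keys}
    for ev in sorted(records, key=lambda e: e["eventTime"]):  # ISO-8601 Z strings sort chronologically
        key = ev.get("userIdentity", {}).get("accessKeyId")
        if key not in out:
            continue
        s, t = out[key], parse_time(ev["eventTime"])
        s["first_seen"] = s["first_seen"] or t  # sorted input, so the first hit is the earliest
        s["last_seen"] = t
        if t < since:
            continue  # the owner's own use before the leak does not answer "was it abused?"
        s["events_after_exposure"] += 1
        if ev["sourceIPAddress"] not in trusted_ips:
            s["untrusted_ips"].add(ev["sourceIPAddress"])
        if ev.get("errorCode"):
            s["failed_calls"] += 1  # denied calls are enumeration: someone probing what the key can do
        elif is_high_risk(ev):
            s["high_risk_success"].append((ev["eventTime"], ev["eventName"]))
    for s in out.values():
        s["untrusted_ips"] = sorted(s["untrusted_ips"])
        for k in ("first_seen", "last_seen"):
            s[k] = s[k].strftime(TS) if s[k] else None
        if s["high_risk_success"] or s["untrusted_ips"]:
            s["verdict"] = "escalate"
        elif s["events_after_exposure"] == 0:
            s["verdict"] = "no post-exposure use"
        else:
            s["verdict"] = "review"
    return out


def rec(time, source, name, ip, key, error=None) -> dict:
    """Build a minimal CloudTrail-shaped record (constructed test data)."""
    ev = {"eventTime": time, "eventSource": source, "eventName": name,
          "sourceIPAddress": ip, "userIdentity": {"type": "IAMUser", "accessKeyId": key}}
    if error:
        ev["errorCode"] = error
    return ev


LEAKED = "AKIAIOSFODNN7EXAMPLE"  # Amazon's documented example key ID
SAMPLE_RECORDS = [
    rec("2025-10-30T09:00:00Z", "sts.amazonaws.com", "GetCallerIdentity", "203.0.113.10", LEAKED),
    rec("2025-12-05T03:12:10Z", "sts.amazonaws.com", "GetCallerIdentity", "198.51.100.7", LEAKED),
    rec("2025-12-05T03:12:40Z", "s3.amazonaws.com", "ListBuckets", "198.51.100.7", LEAKED),
    rec("2025-12-05T03:13:05Z", "iam.amazonaws.com", "CreateAccessKey", "198.51.100.7", LEAKED, "AccessDenied"),
    rec("2026-01-14T22:41:00Z", "s3.amazonaws.com", "GetObject", "198.51.100.7", LEAKED),
    rec("2026-01-20T10:00:00Z", "ec2.amazonaws.com", "DescribeInstances", "203.0.113.10", "AKIAI44QH8DHBEXAMPLE"),
]
TRUSTED_IPS = {"203.0.113.10"}  # the CI runner's egress address, constructed for the example

if __name__ == "__main__":
    import json
    report = triage(SAMPLE_RECORDS, {LEAKED, "AKIA2EXAMPLE0000NONE"}, "2025-11-01T00:00:00Z", TRUSTED_IPS)
    print(json.dumps(report, indent=2))
```

The sequence in the sample (GetCallerIdentity, then ListBuckets, then a denied CreateAccessKey, then GetObject weeks later) is the shape an analyst should expect: an attacker first confirms what the key is, enumerates, tries to establish persistence, and comes back for data. A key with no events after the exposure date is the only outcome that supports a "no evidence of abuse" statement, and even that holds only if CloudTrail was enabled in every region for the whole window.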
Contractor management adds another layer of complexity. Nightwing’s role in managing the repository means CISA’s security posture was only as strong as its contractor’s practices. Federal acquisition regulations require contractors to meet specific cybersecurity standards.
Enforcement, however, remains inconsistent. The Government Accountability Office has repeatedly flagged weaknesses in federal agency supply chain risk management. A 2024 GAO report found that 14 of 23 civilian agencies had not fully implemented foundational supply chain risk practices.
CISA was not specifically named in that report, but the GitHub exposure fits the pattern the GAO described. Cloud security misconfigurations are among the most common causes of federal data breaches. The Pentagon, the Department of Homeland Security, and multiple intelligence agencies have all experienced similar incidents in recent years.
In 2023, a misconfigured Microsoft server exposed sensitive military emails. In 2024, a contractor error left Transportation Security Administration data publicly accessible for months. What distinguishes the CISA incident is the agency’s specific mission.
CISA was created in 2018 to be the nation’s cyber defense agency. It runs programs such as Continuous Diagnostics and Mitigation (CDM), which monitors federal networks for threats, and it issues binding operational directives that other agencies must follow.
When the agency that writes the rules breaks them, the credibility cost extends beyond one repository. Krebs, who broke the story, is one of the most respected cybersecurity journalists in the United States. His reporting first exposed the Target and Home Depot breaches, and he covered the Office of Personnel Management breach extensively.
That he was the one to surface this incident, rather than CISA’s own internal detection systems, adds another layer of concern. GitGuardian’s public monitoring service, which flagged the exposed secrets, scans public GitHub commits for over 350 types of secrets. The company reported detecting over 10 million new secrets in public GitHub commits in 2022, a 67% increase from the previous year.
The CISA exposure is a high-profile example of a problem that is growing across all sectors.
Why It Matters: A cybersecurity agency that cannot protect its own credentials undermines the trust of every federal agency, state government, and private company that relies on its guidance. If CISA cannot enforce basic secret hygiene on its own contractors, the binding directives it issues to other agencies lose force.
The incident also demonstrates that even well-resourced organizations fail at the fundamentals, which should prompt every organization to audit its own public repositories immediately.
Congressional oversight committees are likely to demand answers.
The House Homeland Security Committee and the Senate Homeland Security and Governmental Affairs Committee both have jurisdiction over CISA. Hearings on the agency’s internal security practices could come as soon as June. Lawmakers will want to know why the repository existed, who approved disabling GitHub’s protections, and whether any data was exfiltrated.
CISA’s inspector general will almost certainly open an investigation. The IG’s office has been active in reviewing agency cybersecurity practices and issued a critical report on CISA’s own network security in 2023. That report found weaknesses in access controls and patch management.
The GitHub exposure suggests those problems have not been fully resolved. The broader federal cybersecurity community will watch closely to see whether CISA imposes consequences on Nightwing or reviews its contractor oversight procedures. Federal contractors that mishandle sensitive data can face suspension or debarment.
Whether that happens here will signal how seriously the government treats contractor-caused breaches of its own cyber defense agency.
Key Takeaways
- A public GitHub repo named “Private-CISA” exposed plaintext passwords, SSH keys, and tokens for at least six months.
- The credentials granted high-level access to AWS GovCloud, a cloud environment for sensitive government data.
- GitHub’s built-in secret-scanning protections had been deliberately disabled by the repository’s administrator.
- The incident follows a January breach in which CISA’s acting director uploaded sensitive documents to ChatGPT.
Source: Ars Technica