Cyber Incident Victim: Cybersecurity and Infrastructure Security Agency
Date: May 2026
Location: United States of America
Summary
The Cybersecurity and Infrastructure Security Agency acknowledged that a contractor‑maintained public GitHub repository named Private‑CISA exposed hundreds of megabytes of data, including AWS GovCloud administrative credentials, access keys, tokens, plaintext usernames and passwords for internal systems, CSV exports of browser‑saved passwords, CI/CD build logs, Kubernetes manifests, ArgoCD configuration, Terraform code, GitHub Actions workflows and internal documentation. Security researchers discovered the repository, reported it to the agency, and the repository was taken offline shortly after notification, although some credentials remained active for a period thereafter. The agency said it is investigating and has found no evidence of compromise so far, while lawmakers have called for a detailed post‑incident review.
Description
The public GitHub repository named “Private‑CISA” was created on November 13 2025 and remained accessible until mid‑May 2026, maintained by a contractor supporting the Cybersecurity and Infrastructure Security Agency and the Department of Homeland Security. The repository contained roughly 844 megabytes of data, with 498 megabytes in the active working tree and the remainder in Git history and objects. On May 14 2026, GitGuardian researcher Guillaume Valadon discovered the exposure and reported it to CERT/CC the same day, then directly to CISA on May 15. Security consultant Philippe Caturegli and other researchers examined the contents and confirmed that several AWS GovCloud administrative credentials were still active and could authenticate to privileged environments, with some keys remaining valid for nearly 48 hours after CISA was notified. After being contacted by researchers and journalists, CISA worked with GitHub to restrict access, and the repository was taken offline on May 15 2026, approximately 26 hours after Valadon’s initial discovery. The contractor reportedly responsible, Nightwing, declined public comment and referred inquiries to CISA.

The exposed data included AWS GovCloud access keys, tokens, plaintext usernames and passwords for internal CISA systems, CSV exports of browser‑saved passwords, credentials for the Landing Zone DevSecOps environment, authentication data for internal Artifactory and other development infrastructure, CI/CD build logs, Kubernetes manifests, ArgoCD configuration, Terraform infrastructure code, GitHub Actions workflows, internal documentation, and scripts for managing cloud and container environments. Researchers described the repository as a “catalogue of unsafe practices,” noting plaintext passwords in CSV files, Git backups committed directly into the repo, instructions to disable GitHub’s native secret scanning, and easily guessed password patterns that combined platform names with the current year. Multiple researchers independently verified the authenticity of the data and reported that at least some credentials worked against CISA‑linked GovCloud infrastructure before being revoked.

The leak prompted a sharp reaction from the security community, with several researchers calling it one of the most serious government credential exposures they had encountered. Industry groups and experts urged CISA to release a detailed post‑incident review explaining which systems were affected, what testing had been performed to look for potential compromise, and how the agency was tightening controls over contractor access and code repositories. On Capitol Hill, lawmakers began demanding briefings and written responses from CISA leadership, asking how long the credentials were exposed, whether any malicious access occurred, what third‑party environments might have been at risk, and how CISA was updating policies for managing secrets in code and configuration files, with some members signaling interest in broader oversight of federal cloud and DevSecOps practices and contractor requirements.
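The unsafe practices the researchers listed (AWS key IDs in Terraform, browser password exports as CSV, year-suffixed passwords) are exactly what a repository-side secret scan is meant to catch before a push. The following is an added illustration, not code from the page, the contractor or GitGuardian; it assumes a `path -> contents` mapping (a checkout, or blobs pulled from Git history, which must be scanned as well) and a CSV with a `password` column, and it deliberately echoes usernames rather than password values in its findings.

```python
import csv
import io
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, str, str]  # (path, finding type, detail)

# AWS access key IDs are 20 characters starting with AKIA (long-term) or ASIA (temporary).
AWS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# The weak pattern the researchers described: a platform name followed by a year,
# with at most a couple of trailing symbols (e.g. "Artifactory2026!").
YEAR_PASSWORD_RE = re.compile(r"^[A-Za-z]{3,}(?:19|20)\d{2}[^A-Za-z0-9]{0,2}$")

def scan_for_aws_keys(path: str, text: str) -> List[Finding]:
    """Report every AWS access key ID in a file (the ID itself is not the secret part)."""
    return [(path, "aws_access_key_id", m.group(0)) for m in AWS_KEY_RE.finditer(text)]

def scan_password_csv(path: str, text: str) -> List[Finding]:
    """Flag any CSV carrying a 'password' column, then flag rows whose password
    follows the name+year pattern. Only the username is echoed, never the value."""
    reader = csv.DictReader(io.StringIO(text))
    cols = {c.lower(): c for c in (reader.fieldnames or [])}
    if "password" not in cols:
        return []
    findings: List[Finding] = [(path, "plaintext_password_csv", "password column present")]
    for row in reader:
        if YEAR_PASSWORD_RE.match(row.get(cols["password"]) or ""):
            who = row.get(cols.get("username", ""), "?")
            findings.append((path, "weak_year_password", f"user={who}"))
    return findings

def scan_tree(tree: Dict[str, str]) -> List[Finding]:
    """Run both checks over every file; CSV-specific checks only on .csv paths."""
    findings: List[Finding] = []
    for path, text in tree.items():
        findings += scan_for_aws_keys(path, text)
        if path.lower().endswith(".csv"):
            findings += scan_password_csv(path, text)
    return findings

# Constructed sample working tree; the key ID, hosts and passwords are made up.
SAMPLE_TREE = {
    "terraform/main.tf": 'provider "aws" {\n  region     = "us-gov-west-1"\n'
                         '  access_key = "AKIAEXAMPLEKEY000001"\n}\n',
    "exports/browser_passwords.csv": ("name,url,username,password\n"
        "artifactory,https://artifactory.example,deploy,Artifactory2026!\n"
        "argocd,https://argo.example,admin,Xq7#vL9pZ2mW\n"),
    "README.md": "Internal notes. Run `make deploy`.\n",
}

if __name__ == "__main__":
    for finding in scan_tree(SAMPLE_TREE):
        print(*finding)
```

In a real pipeline the same functions would be fed each blob from `git rev-list --all` as well as the working tree, since the page notes most of the leaked volume sat in history and objects rather than the checkout.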
CISA acknowledged the incident and stated it was conducting an investigation, maintaining that it had not found evidence so far that sensitive data was compromised or misused as a result of the exposure. A spokesperson said the agency holds its team members to the highest standards of integrity and operational awareness and is working to ensure additional safeguards are implemented to prevent similar incidents. As of the article’s date, CISA had not yet published a full technical incident report or a detailed timeline of remediation.

The exposure highlighted a structural weakness in how federal agencies manage secrets across complex cloud and DevSecOps environments: the repository aggregated a broad range of highly privileged credentials, scripts, and infrastructure descriptions in one public location, amplifying the potential risk. The incident also exposed a gap between stated best practices and on‑the‑ground implementation among government contractors; the presence of plaintext passwords, weak password patterns, disabled secret scanning, and Git history containing backups suggests that basic hygiene controls were either not enforced or easily bypassed. Given CISA’s role in setting and promoting federal cybersecurity standards, reliance on contractors with lax operational practices creates reputational and policy challenges, and the calls from lawmakers and industry groups for a detailed incident report reflect concern that, absent concrete findings and corrective actions, similar repositories could exist undiscovered in other programs or agencies.
