CISA Contractor Exposes Highly Sensitive Credentials in Public GitHub Repository A contractor for the Cybersecurity and Infrastructure Security Agency (CISA) inadvertently exposed highly privileged credentials and internal system details in a public GitHub repository, marking one of the most severe government data leaks in recent history. The repository, named "Private-CISA," was flagged on May 15 by security researcher Guillaume Valadon of GitGuardian after the account owner failed to respond to automated alerts about exposed secrets. The leaked files included administrative credentials for three AWS GovCloud accounts, plaintext passwords for dozens of internal CISA systems such as the agency’s secure code development environment (Landing Zone DevSecOps) and access tokens for CISA’s internal artifactory, a repository of software packages. Security experts confirmed the exposed credentials were valid and could have allowed attackers to move laterally within CISA’s infrastructure, potentially embedding backdoors in software builds. The repository, maintained by a Nightwing contractor, contained poor security practices, including plaintext passwords in CSV files, disabled GitHub secret detection, and easily guessable credentials (e.g., platform names followed by the current year). Metadata suggested the account was used as a personal synchronization tool between work and home devices, with commits dating back to November 2025. The GitHub account was created in September 2018 but was taken offline shortly after CISA was notified. CISA acknowledged the incident, stating there was no evidence of sensitive data compromise but confirmed an ongoing investigation. The exposed AWS keys remained active for 48 hours after the repository was removed. The agency, already operating with reduced staffing and budget, faces heightened scrutiny over its internal security controls following the breach.

CISA Suffers Major Data Leak via Exposed GitHub Repository A public GitHub repository named “Private-CISA” exposed highly sensitive internal credentials and systems belonging to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), marking one of the most severe government data leaks in recent history. Security researcher Guillaume Valadon discovered the repository, which contained a trove of critical data, including: - AWS GovCloud administrative credentials for three accounts - AWS access keys and tokens (including a file labeled “importantAWStokens”) - Plaintext usernames and passwords for internal CISA systems - A CSV file (“AWS-Workspace-Firefox-Passwords.csv”) with stored login credentials - Credentials for CISA’s Landing Zone DevSecOps (LZ-DSO) and other internal systems - SSH keys and authentication details for CISA/DHS infrastructure - Access credentials for an internal Artifactory software repository Valadon, who described the leak as “the worst [he’d] witnessed in [his] career,” initially suspected the data was fake due to its sensitivity. However, multiple security researchers confirmed its authenticity, with some credentials reportedly functional. The repository, created in mid-November 2025, was likely exposed since its inception. The repository was maintained by government contractor Nightwing, which declined to comment and referred inquiries to CISA. After researchers alerted the agency, the repository was locked down. CISA acknowledged the incident, stating there was “no indication that any sensitive data was compromised” but confirmed it was implementing additional safeguards to prevent future breaches. The exposure revealed internal practices for how CISA builds and deploys software, raising concerns about operational security within federal cybersecurity agencies. The full duration of the leak remains unclear.

The article highlights a cyber espionage campaign by the China-linked APT group Salt Typhoon, exploiting unpatched, end-of-life (EoL) network perimeter devices (routers, VPNs, firewalls) across U.S. and allied networks. These devices, often forgotten due to technical debt, served as entry points for long-term persistence and credential theft. The attackers employed 'living off the land' tactics, operating invisibly within systems designed to defend against them, compromising national resilience. The campaign underscores a systemic failure in asset management and lifecycle policies, where EoL hardware—though obsolete for administrators—remained prime targets for adversaries. The breach enabled sustained espionage, with potential access to sensitive government, military, or critical infrastructure data. While no specific data exfiltration details were disclosed, the tactical sophistication suggests high-stakes intelligence gathering, aligning with nation-state objectives. The incident exposes vulnerabilities in reactive defenses and the urgent need for proactive threat hunting and zero-trust architectures.