CISA Credentials, Sensitive Data Exposed in GitHub Repository
An outside contractor working for CISA inexplicably exposed a range of credentials for highly privileged government accounts in Amazon Web Services (AWS), as well as for systems within the federal government’s top cybersecurity agency.
According to a report in Krebs on Security, the files were exposed for months in a GitHub repository called “Private-CISA,” which was created in November 2025 and remained open until this month, when researchers alerted the agency to the problem.
The data exposed by the government contractor Nightwing included files and credentials from CISA and its parent agency, the Department of Homeland Security (DHS). It included such secrets as cloud keys, plaintext passwords, tokens, and logs, as well as files with details regarding how CISA internally builds, tests, and deploys software, according to the report.
Guillaume Valadon, a researcher with GitGuardian, which scans public code repositories like GitHub and others for exposed secrets, alerted Krebs on Security to the leak in an email because the owner of the GitHub repository wasn’t responding to messages he sent regarding the security problem.
‘Worst Leak I’ve Witnessed’
“Passwords stored in plain text in a csv, backups in git, explicit commands to disable GitHub secrets detection feature,” Valadon wrote in the email. “I honestly believed that it was all fake before analyzing the content deeper. This is indeed the worst leak that I’ve witnessed in my career. It is obviously an individual’s mistake, but I believe that it might reveal internal practices.”
It’s a significant security incident for an agency that has been battered with cuts to both staff – about a third of its workers have been laid off, fired, or forced to resign – and budgets since the Trump Administration came into office early last year. CISA has also been without a permanent director since Jen Easterly resigned in January 2025 as the Trump Administration took over.
Valadon noted that commit logs in the GitHub account in question indicate that the CISA administrator disabled the default GitHub setting that stops users from publishing SSH keys or other secrets in public code repositories.
Admin Credentials, Plaintext Passwords
According to the report, one of the exposed files was titled “importantAWStokens” and included the administrative credentials to three AWS GovCloud servers, while another, “AWS-Workspace-Firefox-Passwords.csv”, included plaintext usernames and passwords for dozens of internal CISA systems.
Philippe Caturegli, founder of Seralys, a security consultancy, tested the AWS keys to determine if they were still valid and which internal systems the exposed files would grant access to. One of the systems was called “LZ-DSO,” which Krebs on Security wrote likely was short for “Landing Zone DevSecOps,” CISA’s secure code development environment.
Easily Guessed Passwords Used
The Seralys founder also said the repository indicated that the contractor used easy-to-guess passwords – including credentials consisting of a platform’s name and the current year – across a range of internal resources.
The GitHub account that exposed the CISA credentials likely was used by an individual as a “working scratchpad or synchronization mechanism” and not a curated project repository, he said.
“The use of both a CISA-associated email address and a personal email address suggests the repository may have been used across differently configured environments,” Caturegli said in the report. “The available Git metadata alone does not prove which endpoint or device was used.”
Repository Taken Offline
The GitHub account that included the CISA repository was taken offline soon after Krebs on Security and Seralys notified the agency of the exposure, though Caturegli said the exposed AWS keys for some reason remained valid for another 48 hours.
A CISA spokesperson told Krebs on Security that “currently, there is no indication that any sensitive data was compromised as a result of this incident. While we hold our team members to the highest standards of integrity and operational awareness, we are working to ensure additional safeguards are implemented to prevent future occurrences.”
Nightwing declined to comment, referring questions to CISA.
Poor Security Hygiene
Dan Moore, senior director for customer identity and access management (CIAM) strategy and identity standards at FusionAuth, said a failure in proper security hygiene led to the exposure of the credentials and files.
“Ignoring responsible disclosures extended it,” Moore said. “But the static, long-lived credentials are the architectural problem that underlies both of those issues. An exposed static secret stays leaked until someone manually kills it. That’s a design error, not a simple mistake.”
A Learning Moment
The incident presents a learning moment for system administrators and defenders that key use needs to be audited on an ongoing basis and key lifespans need to align with system criticality and not user convenience, Tim Mackey, head of software supply chain risk strategy at Black Duck, told Security Boulevard.
“Everyone who’s ever taken security awareness training is groaning in disbelief,” Mackey said. “What we see with this incident is a government user, with a Git-enabled sticky note, containing sensitive passwords tucked under the keyboard. And not just any government user, but one affiliated with CISA. Obviously, we will never know the extent of the potential damage these keys and passwords represent, but it’s clear that key rotation isn’t part of the run book for these systems, or that it was much longer than one would expect for highly privileged accounts.”