A contractor working for the Cybersecurity and Infrastructure Security Agency (CISA) maintained a public GitHub repository that exposed credentials to multiple high-privilege AWS GovCloud accounts, along with a large volume of internal CISA system data. The repository, named “Private-CISA,” was taken offline over the weekend of May 17-18, 2026, after researchers alerted the agency to the exposure.
What Was Exposed
The repository contained a broad range of sensitive material, including cloud keys, authentication tokens, plaintext passwords, log files, and other internal CISA assets. Among the most critical disclosures:
- A file titled “importantAWStokens” containing administrative credentials to three AWS GovCloud servers.
- A CSV file named “AWS-Workspace-Firefox-Passwords.csv” listing plaintext usernames and passwords for dozens of internal CISA systems.
- Credentials to CISA’s internal Artifactory instance, which serves as the agency’s central repository for software packages used in build and deployment pipelines.
- Files describing how CISA builds, tests, and deploys software internally, including access to what appears to be the agency’s Landing Zone DevSecOps (LZ-DSO) environment.
Discovery and Verification
Guillaume Valadon, a researcher at GitGuardian, flagged the repository on May 15 after his firm’s automated scanning detected the exposed secrets. Valadon noted that the repository owner had explicitly disabled GitHub’s built-in secret detection feature, which is enabled by default. Commit logs confirmed this deliberate configuration change.
Philippe Caturegli, founder of security consultancy Seralys, independently verified that the exposed AWS credentials could authenticate to three GovCloud accounts at a high privilege level. Caturegli also noted that many of the exposed passwords followed a predictable pattern: the platform name followed by the current year, a practice he described as a serious security threat even in the absence of any external exposure.
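A defender can audit a credential inventory for the platform-name-plus-year pattern described above. The following is an added example, not code from the report or from CISA; the CSV column names (`url`, `username`, `password`) and all hostnames and passwords are constructed assumptions.

```python
import csv
import io
import re
from urllib.parse import urlsplit

# Constructed sample data; column names are an assumption, not the leaked file's layout.
SAMPLE_CSV = """url,username,password
https://jira.example.internal,alice,Jira2026
https://artifactory.example.internal,build,Artifactory@2025!
https://grafana.example.internal,ops,kV9#tq2LmZ-x81rW
https://vault.example.internal,bob,Summer2026
"""

YEAR = r"(?:19|20)\d{2}"


def platform_tokens(url):
    """Candidate platform names: host labels and path segments, lowercased."""
    parts = urlsplit(url)
    raw = (parts.hostname or "").split(".") + parts.path.split("/")
    return {t.lower() for t in raw if len(t) >= 3}


def is_platform_year(password, tokens):
    """True if the password is <platform>[separator]<year>[trailing punctuation]."""
    m = re.fullmatch(rf"([A-Za-z]+)[\W_]?({YEAR})[\W_]*", password)
    return bool(m) and m.group(1).lower() in tokens


def audit(csv_text):
    """Return (url, username) for entries whose password follows the pattern.

    Passwords themselves are never returned or printed.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if is_platform_year(row["password"], platform_tokens(row["url"])):
            findings.append((row["url"], row["username"]))
    return findings


if __name__ == "__main__":
    for url, user in audit(SAMPLE_CSV):
        print(f"predictable password: {user} @ {url}")
```

The `Summer2026` entry is weak for other reasons but is not flagged, because this check targets only passwords derived from the platform's own name.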
The Private-CISA repository was created on November 13, 2025, according to Git metadata. The contractor’s personal GitHub account dates to September 2018. The account was deactivated shortly after CISA was notified, but Caturegli reported that the exposed AWS keys remained valid for roughly 48 hours after the repository was taken down.
Risk to CISA Infrastructure
Caturegli highlighted the Artifactory access as particularly dangerous. An attacker able to authenticate to that system could insert backdoored packages into CISA’s software supply chain, causing malicious code to be deployed automatically each time the agency builds new software. He also noted that the high-privilege cloud credentials would provide significant lateral movement opportunities within CISA’s cloud environments.
Responsible Party and Response
The GitHub account has been attributed to an employee of Nightwing, a government contractor headquartered in Dulles, Virginia. Nightwing declined to comment, directing inquiries to CISA. A CISA spokesperson acknowledged awareness of the incident and stated that the agency is investigating, adding that there is currently no indication sensitive data was compromised. CISA has not addressed questions about the total duration of the exposure or whether the credentials were accessed by unauthorized parties.
The incident comes as CISA is operating at significantly reduced staffing levels, having lost nearly a third of its workforce since the start of 2025 through a combination of early retirements, buyouts, and resignations.
