
The agency that teaches the rest of the US government how not to leak credentials left its own AWS GovCloud admin keys, plaintext passwords, and a live RSA private key on a public GitHub repository for six months — and as of May 22, 2026, was still working to revoke the last of them. The Cybersecurity and Infrastructure Security Agency confirmed the exposure on May 18 after security researcher Guillaume Valadon of GitGuardian discovered it and brought it to journalist Brian Krebs, who broke the story publicly. Lawmakers in both the Senate and the House followed within 24 hours with formal demands for a classified briefing.
The exposed material was not the result of a sophisticated attack. A contractor employed by Nightwing — a Dulles, Virginia firm with a privileged, long-running role in CISA cyber operations and federal network defense — had been using a personal GitHub account as a file synchronization tool since November 2025, committing work files from a government environment to a public repository named, without apparent irony, "Private-CISA." By the time Valadon found it, the repository contained 844 megabytes of data spread across its Git history: administrative credentials for three AWS GovCloud accounts, a file titled "Important AWS Tokens.txt," a CSV listing plaintext usernames and passwords for dozens of internal CISA systems, SSH keys, Kubernetes configuration files, GitHub Actions workflows, internal documentation backups, and detailed records of how CISA builds, tests, and deploys its own software.
AWS GovCloud is Amazon's dedicated cloud environment for sensitive US government workloads, designed to keep federal data segregated from ordinary commercial infrastructure. Philippe Caturegli, founder of security consultancy Seralys, tested the exposed credentials independently and confirmed full admin-level access to three GovCloud accounts — including S3 buckets, EC2 instances, and a secrets manager that yielded still more keys. What he found, he told KrebsOnSecurity, was "as bad as you can get."
Contractor Disabled GitHub's Own Guardrails
The most damaging detail was not what the repository contained, but how it got there. Commit logs reviewed by Valadon showed that the contractor had deliberately disabled GitHub's built-in secret scanning and its push protection, the default safeguard that blocks pushes containing SSH private keys and other recognized credential formats to public repositories.
"Passwords stored in plain text in a CSV, backups in git, explicit commands to disable GitHub secrets detection feature," Valadon wrote in a message to Krebs. He added that he initially assumed the repository was fake, the exposure too egregious to be real. After analyzing the content more thoroughly, he concluded: "This is indeed the worst leak that I've witnessed in my career."
Multiple independent researchers confirmed that at least some of the exposed credentials were genuine and functional. GitHub events data indicated the repository was never forked — which Valadon said limited the potential blast radius — but he and others were quick to note that the absence of confirmed forks does not mean the contents were not accessed or archived by other means. Adversaries who monitor GitHub's public event stream, which logs every commit and change to public repositories in real time, would have had access to the most sensitive material as it was committed, likely in late April 2026.
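The event-stream monitoring just described, as an added example that is not code from the article, GitGuardian or TruffleHog: a minimal Python scanner that takes a slice of GitHub's public Events API feed, fetches the diff for each commit in a PushEvent and runs format and entropy rules over the added lines. The event records, commit SHAs, file names and credential values are all constructed (the AWS pair is Amazon's own documented placeholder), the `fetch_patch` callback stands in for the commits API, and real detectors carry far larger rule sets. It also shows why "never forked" proves little: the scan fires on the push itself, before anyone would need to fork.

```python
"""Firehose-style secret detection over GitHub public push events.

Added example, not code from the article or from GitGuardian/TruffleHog.
Events, commit shas, file names and credential values are constructed
(the AWS pair is Amazon's documented placeholder); nothing here is real data.
"""
import math
import re
from dataclasses import dataclass
from typing import Callable

# Rule name -> pattern. The first three are fixed public token formats (the
# kind push protection recognizes); the last is a context rule for anything
# assigned to a secret-looking name, gated by entropy to drop placeholders.
RULES = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH |ENCRYPTED )?PRIVATE KEY-----"),
    "generic_assigned_secret": re.compile(
        r"(?i)(?:secret|password|passwd|token|api[_-]?key)\w*\s*[:=]\s*['\"]?"
        r"([A-Za-z0-9/+_\-=.]{16,})"),
}
ENTROPY_FLOOR = 3.5  # bits/char; random 40-char keys sit near 4.5-5.0
HUNK_HEADER = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


@dataclass
class Finding:
    repo: str
    sha: str
    rule: str
    path: str
    line: int
    preview: str  # redacted, safe to log


def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum((s.count(c) / n) * math.log2(s.count(c) / n) for c in set(s)) if n else 0.0


def redact(value: str) -> str:
    return value[:4] + "..." + value[-2:] if len(value) > 8 else "..."


def scan_patch(repo: str, sha: str, patch: str) -> list[Finding]:
    """Scan only the '+' lines of a unified diff, tracking new-file line numbers."""
    findings, path, line_no = [], "?", 0
    for raw in patch.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].removeprefix("b/")
            continue
        if raw.startswith(("--- ", "diff --git", "\\ No newline")):
            continue
        if (m := HUNK_HEADER.match(raw)):
            line_no = int(m.group(1))
            continue
        if raw.startswith("-"):
            continue  # removed line: exists only in the old revision
        if raw.startswith("+"):  # added line: the only content worth scanning
            for rule, pattern in RULES.items():
                for m in pattern.finditer(raw[1:]):
                    value = m.group(1) if pattern.groups else m.group(0)
                    if rule == "generic_assigned_secret" and shannon_entropy(value) < ENTROPY_FLOOR:
                        continue  # placeholder like REPLACE_ME, not a credential
                    findings.append(Finding(repo, sha, rule, path, line_no, redact(value)))
        line_no += 1  # both added and context lines advance the new-file counter
    return findings


def scan_events(events: list[dict], fetch_patch: Callable[[str, str], str]) -> list[Finding]:
    """Walk a slice of the public Events API feed. fetch_patch stands in for
    GET /repos/{owner}/{repo}/commits/{sha} requested with the diff media type."""
    out = []
    for ev in events:
        if ev["type"] != "PushEvent":
            continue  # stars, forks and issues carry no file content
        repo = ev["repo"]["name"]
        # Fork counts play no part here: a monitor sees each diff the moment the
        # PushEvent appears, so "never forked" is not evidence nobody copied it.
        for commit in ev["payload"]["commits"]:
            out.extend(scan_patch(repo, commit["sha"], fetch_patch(repo, commit["sha"])))
    return out


SAMPLE_EVENTS = [  # constructed, trimmed to the fields a monitor reads
    {"type": "WatchEvent", "repo": {"name": "example-user/sync-files"}, "payload": {}},
    {"type": "PushEvent", "repo": {"name": "example-user/sync-files"},
     "payload": {"commits": [{"sha": "a1b2c3d"}]}},
    {"type": "PushEvent", "repo": {"name": "example-user/sync-files"},
     "payload": {"commits": [{"sha": "d4e5f6a"}]}},
]
SAMPLE_PATCHES = {  # constructed diffs keyed by (repo, sha)
    ("example-user/sync-files", "a1b2c3d"): """\
diff --git a/Important AWS Tokens.txt b/Important AWS Tokens.txt
--- /dev/null
+++ b/Important AWS Tokens.txt
@@ -0,0 +1,4 @@
+# govcloud prod admin
+aws_access_key_id = AKIAIOSFODNN7EXAMPLE
+aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
+api_key = REPLACE_ME_REPLACE_ME
diff --git a/creds.csv b/creds.csv
--- /dev/null
+++ b/creds.csv
@@ -0,0 +1,2 @@
+system,username,password
+jira,svc-build,Winter2026!
""",
    ("example-user/sync-files", "d4e5f6a"): """\
diff --git a/app.pem b/app.pem
--- /dev/null
+++ b/app.pem
@@ -0,0 +1,3 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAnotarealkeybodyjustfiller
+-----END RSA PRIVATE KEY-----
""",
}


def demo() -> list[Finding]:
    return scan_events(SAMPLE_EVENTS, lambda r, s: SAMPLE_PATCHES[(r, s)])


if __name__ == "__main__":
    for f in demo():
        print(f"{f.sha} {f.rule:<24} {f.path}:{f.line} {f.preview}")
```

Three findings come back: the access key ID and the secret key on lines 2 and 3 of the tokens file, and the PEM header on line 1 of app.pem. The placeholder `api_key` is dropped by the entropy gate, and the `creds.csv` rows produce nothing at all: format-based rules only know recognized token shapes, so a CSV of plaintext passwords is invisible to this kind of scanner and only turns up when someone reads the file, which is one reason the CSV in the real repository was discovered by a researcher rather than a tool.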
"We monitor that firehose of data for keys, and we have tools to try to figure out whose they are," said Dylan Ayrey, the creator of TruffleHog, an open-source tool for detecting exposed secrets in code repositories. "We have evidence attackers monitor that firehose as well. Anyone monitoring GitHub events could be sitting on this information."
How Does CISA's RSA Key Exposure Threaten Government Software?
Ayrey, who runs the security firm Truffle Security, brought an additional finding to KrebsOnSecurity on May 20 — five days after CISA was first notified of the breach, and two days after Krebs's initial public report. The agency had still not invalidated an RSA private key contained in the archive. That key, detailed in Truffle Security's post-incident analysis, granted access to a GitHub app owned by the CISA enterprise account and installed on the CISA-IT GitHub organization, which hosts the agency's internal software development infrastructure.
The consequences of an attacker obtaining that key were severe. "An attacker with this key can read source code from every repository in the CISA-IT organization, including private repos, register rogue self-hosted runners to hijack CI/CD pipelines and access repository secrets, and modify repository admin settings including branch protection rules, webhooks, and deploy keys," Ayrey told KrebsOnSecurity.
CI/CD — Continuous Integration and Continuous Delivery — refers to the automated pipelines software teams use to build, test, and deploy code. An attacker with write access to CISA's CI/CD infrastructure could, in principle, inject backdoors or malicious code into software subsequently distributed across federal systems.
After KrebsOnSecurity notified CISA of Ayrey's findings on May 20, the agency appears to have revoked the RSA key. But as of Ayrey's last check, other leaked credentials tied to critical security technologies deployed across CISA's portfolio remained unrotated. TechTimes and other outlets are declining to name those technologies publicly to avoid providing a roadmap to potential attackers.
CISA's written response was brief: "CISA is actively responding and coordinating with the appropriate parties and vendors to ensure any identified leaked credentials are rotated and rendered invalid and will continue to take appropriate steps to protect the security of our systems." The agency maintained that "there is no indication that any sensitive data was compromised as a result of this incident" — a statement security researchers described as relying on the hope that access logs captured the complete picture.
CISA's Own Guidance Violated by Its Own Contractor Ecosystem
The incident carries particular weight because the guidance CISA publishes for US government agencies and private-sector organizations specifically warns against the exact practices at issue: storing credentials in version control, failing to rotate keys promptly on exposure, and relying on developers to manually enable security protections rather than enforcing them at an organizational level.
"CISA publishes authoritative guidance on secrets management and third-party oversight," said Jacob Krell, senior director of secure AI solutions and cybersecurity at Suzu Labs. "Its own supply chain violated both. The agency now pushing three-day remediation deadlines for critical vulnerabilities took longer than three days to fully revoke a live RSA key."
James Wilson, enterprise technology editor for the Risky Business security podcast, noted that organizations using GitHub's enterprise tier can set top-down policies preventing employees from disabling secret-scanning within managed repositories. But his co-host Adam Boileau pointed out the limit of that protection: no enterprise policy can stop an employee from opening a personal GitHub account and operating entirely outside the organization's control plane — which is precisely what happened here.
Ben Harris, founder of WatchTowr, told CyberScoop that this class of exposure is "an unfortunately painful, but common and repeated, if not relentless, way that we see organizations inadvertently leak very sensitive credentials to the wider web."
Congress Presses Acting CISA Director
The political response arrived within 24 hours of Krebs's initial report. On May 19, Sen. Maggie Hassan (D-NH), a member of the Senate Homeland Security Committee, sent a formal letter to CISA Acting Director Nick Andersen requesting a classified briefing before June 5. Her letter posed a dozen specific questions about the breach, noting: "This reporting raises serious concerns regarding CISA's internal policies and procedures at a time of significant cybersecurity threats against US critical infrastructure."
Rep. Bennie Thompson (D-MS), the ranking member of the House Homeland Security Committee, and Rep. Delia Ramirez (D-IL), ranking member of the Subcommittee on Cybersecurity and Infrastructure Protection, co-signed a separate letter to Andersen the same day. Their letter drew a direct line to the national security threat landscape. "It's no secret that our adversaries — like China, Russia, and Iran — seek to gain access to and persistence on federal networks," they wrote. "The files contained in the 'Private-CISA' repository provided the information, access, and roadmap to do just that."
Both letters noted the context of significant workforce attrition at CISA, which has lost roughly one-third of its staff — approximately 1,000 employees, including most of its senior leaders — through a series of forced retirements, buyouts, and contract cancellations since early 2025. The agency's headcount has fallen to approximately 2,200. Thompson and Ramirez wrote that they worry "a substantially reduced workforce, coupled with the administration's indifference to security, created the conditions that allowed such a significant security lapse to occur."
As of publication, CISA has not responded to questions about when it expects to complete the full rotation of all compromised credentials, or whether a formal internal review of the contractor's practices has been initiated. Nightwing has referred all inquiries to CISA.
What CISA's Credential Leak Means for Any Organization Using Contractors
Security professionals contacted by TechTimes described the incident as a case study in a failure pattern that repeats across the private sector as frequently as the public: developers treating version control as a universal file-synchronization tool, dragging sensitive operational material into environments built for code. The difference in this case — that the contractor explicitly disabled GitHub's secret-scanning protections — points to a deliberate action, not an accidental one.
"Of all the things that keep me up at night, misconfigurations in GitHub are a recurring nightmare," Dave Mitchell, senior director of threat intelligence at Infoblox, told CyberScoop. The lesson for any organization with contractor access to sensitive cloud environments is concrete: enforce push protection through enterprise policy, audit contractor repository permissions independently of contractor self-reporting, treat long-lived static credentials as a structural risk rather than an operational convenience, and, because enterprise policy cannot reach a personal account, monitor public GitHub for the organization's own credentials rather than waiting for an outside researcher to find them.
For CISA, whose published guidance forms the baseline security standard for US critical infrastructure operators, the reputational damage extends beyond a single incident. The agency, which has no permanent director and is operating at roughly two-thirds of its previous headcount, is now defending against the same class of credential exposure it has warned others to prevent.
Frequently Asked Questions
Was CISA hacked in the GitHub credential leak?
CISA has stated there is "no indication that any sensitive data was compromised" in the incident, but security researchers caution that CISA's access logs may not capture whether adversaries obtained and used the credentials before the repository was taken offline. Security consultant Philippe Caturegli independently confirmed that the exposed AWS GovCloud credentials were functional at admin level, and Dylan Ayrey noted that attackers are known to monitor GitHub's public event feed in real time.
What was exposed in the CISA GitHub repository?
The "Private-CISA" repository contained 844 megabytes of data including administrative credentials for three AWS GovCloud accounts, plaintext usernames and passwords for dozens of internal CISA systems, SSH keys, Kubernetes configuration files, GitHub Actions workflows, an RSA private key granting access to all CISA-IT code repositories, and detailed records of CISA's internal software build and deployment processes.
How did the CISA contractor leak government credentials on GitHub?
A Nightwing contractor appears to have used a personal GitHub account as a file synchronization tool between a work laptop and a home computer, committing sensitive operational files into a public repository from November 2025 until May 2026. The contractor had also deliberately disabled GitHub's built-in secret-scanning protection, which would otherwise have flagged or blocked the publication of credentials.
How long did the CISA GitHub credential exposure last?
The "Private-CISA" repository was publicly accessible from November 13, 2025 until approximately May 18, 2026 — a period of roughly six months. Some AWS GovCloud admin keys remained valid for approximately 48 hours after the repository was taken offline, and an RSA private key granting access to CISA-IT's code repositories remained unrevoked for at least five days after CISA received its first notification of the breach.
ⓒ 2026 TECHTIMES.com All rights reserved. Do not reproduce without permission.