A contractor for the Cybersecurity & Infrastructure Security Agency (CISA) maintained a public GitHub repository for months that exposed credentials to highly privileged AWS GovCloud accounts and dozens of internal government systems, according to security researchers who discovered the leak.
The repository, named "Private-CISA," contained what security experts are calling one of the most egregious government data leaks in recent history. The exposed files included cloud keys, tokens, plaintext passwords, logs and other sensitive CISA assets that could have given attackers deep access to the agency responsible for protecting America's critical infrastructure.
Guillaume Valadon, a researcher with security firm GitGuardian, discovered the leak on May 15 and contacted KrebsOnSecurity after the repository owner failed to respond to alerts. The exposed credentials represented "a textbook example of poor security hygiene," Valadon said, noting that commit logs showed the CISA administrator had deliberately disabled GitHub's default setting that blocks users from publishing SSH keys or other secrets in public repositories.
"Passwords stored in plain text in a csv, backups in git, explicit commands to disable GitHub secrets detection feature," Valadon wrote. "I honestly believed that it was all fake before analyzing the content deeper. This is indeed the worst leak that I've witnessed in my career."
Administrative Access to Critical Systems
The repository contained a file titled "importantAWStokens" with administrative credentials to three Amazon AWS GovCloud servers. Another exposed file, "AWS-Workspace-Firefox-Passwords.csv," listed plaintext usernames and passwords for dozens of internal CISA systems, including one called "LZ-DSO," which appears to be short for "Landing Zone DevSecOps" — the agency's secure code development environment.
Philippe Caturegli, founder of security consultancy Seralys, tested the AWS keys to determine their validity and access level. He confirmed the exposed credentials could authenticate to three AWS GovCloud accounts at high privilege levels. The archive also included plaintext credentials to CISA's internal "artifactory" — essentially a repository of all code packages used to build software.
"That would be a prime place to move laterally," Caturegli said. "Backdoor in some software packages, and every time they build something new they deploy your backdoor left and right."
Months of Exposure
The "Private-CISA" repository was created on November 13, 2025, meaning the sensitive data was publicly accessible for approximately six months. The repository was maintained by an employee of Nightwing, a government contractor based in Dulles, Virginia. Nightwing declined to comment, directing inquiries to CISA.
The GitHub account was taken offline shortly after KrebsOnSecurity and Seralys notified CISA about the exposure, but the exposed AWS keys remained valid for another 48 hours — a delay that security experts found concerning.
Caturegli suspects the contractor was using the GitHub repository to synchronize files between a work laptop and home computer, given the regular commits since November 2025. The exposed passwords followed predictable patterns, with many consisting of each platform's name followed by the current year.
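Both failure modes described in this article, AWS key material committed alongside a plaintext password export and passwords built from a platform name plus the current year, are the kind of thing a local pre-commit check catches before anything reaches GitHub. The following is an added example, not code from the article, GitGuardian, Seralys or Nightwing; the file names and CSV rows are constructed to mirror what was reported, and the key ID is the placeholder from AWS documentation.

```python
import csv
import io
import re
from dataclasses import dataclass

# AWS access key IDs: 20 chars, "AKIA" (long-term) or "ASIA" (STS); same in GovCloud.
AWS_KEY_ID_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# "<platform name><year>" with an optional separator, e.g. "Artifactory2025".
NAME_YEAR_RE = re.compile(r"^(?P<name>[A-Za-z]+)[-_ .]?(?P<year>20\d{2})[!@#$%]?$")

@dataclass
class Finding:
    path: str
    line: int
    kind: str
    detail: str  # never carries the secret itself

def scan_for_aws_key_ids(path: str, text: str) -> list[Finding]:
    """Flag anything that looks like an AWS access key ID, by line."""
    return [
        Finding(path, n, "aws-access-key-id", m.group(0)[:8] + "...")
        for n, line in enumerate(text.splitlines(), start=1)
        for m in AWS_KEY_ID_RE.finditer(line)
    ]

def scan_password_export(path: str, text: str) -> list[Finding]:
    """Flag a plaintext password export and any <name><year> passwords in it."""
    rows = list(csv.DictReader(io.StringIO(text)))
    if not rows or "password" not in rows[0]:
        return []
    findings = [Finding(path, 1, "plaintext-password-export", f"{len(rows)} credentials")]
    for n, row in enumerate(rows, start=2):  # line 1 is the header
        m = NAME_YEAR_RE.match(row["password"] or "")
        if not m:
            continue
        # Stronger signal when the word before the year names the platform in the URL.
        derived = m.group("name").lower() in (row.get("url") or "").lower()
        kind = "password-is-platform-plus-year" if derived else "password-is-word-plus-year"
        findings.append(Finding(path, n, kind, f"user={row.get('username', '')}"))
    return findings

# Constructed sample inputs mirroring the file types named in the article;
# AKIAIOSFODNN7EXAMPLE is the placeholder key ID used in AWS documentation.
SAMPLE_TOKENS = "prod_gov = AKIAIOSFODNN7EXAMPLE\nnote: rotate before reuse\n"
SAMPLE_CSV = (
    "url,username,password\n"
    "https://artifactory.example.gov,svc-build,Artifactory2025\n"
    "https://lz-dso.example.gov,devops,Welcome-2025\n"
    "https://vault.example.gov,admin,rV7!qZp2#Lm9sXk4\n"
)
```

Findings deliberately report only path, line, username and a key-ID prefix, so the scanner's own output never becomes a second copy of the secret.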
Agency Under Strain
The incident comes as CISA operates with significantly reduced capacity. The agency has lost nearly a third of its workforce since the beginning of the second Trump administration, which forced a series of early retirements, buyouts, and resignations across various divisions.
In response to questions, a CISA spokesperson said the agency is investigating the situation. "Currently, there is no indication that any sensitive data was compromised as a result of this incident," the spokesperson wrote. "While we hold our team members to the highest standards of integrity and operational awareness, we are working to ensure additional safeguards are implemented to prevent future occurrences."
Broader Implications
Security experts say the incident reveals systemic problems with government cybersecurity practices. The deliberate disabling of GitHub's secret detection features, combined with the storage of plaintext passwords and the extended duration of the exposure, suggests fundamental security hygiene failures.
"What I suspect happened is [the CISA contractor] was using this GitHub to synchronize files between a work laptop and a home computer," Caturegli said. "This would be an embarrassing leak for any company, but it's even more so in this case because it's CISA."
The irony is stark: the agency tasked with securing America's critical infrastructure from cyber threats exposed its own most sensitive credentials to anyone with internet access. The incident raises questions about oversight of government contractors and the effectiveness of security protocols within agencies responsible for national cybersecurity.
For an agency that regularly issues advisories about proper credential management and warns organizations about the dangers of exposed secrets, the leak represents a significant credibility challenge. The exposed artifactory access, in particular, could have enabled sophisticated supply chain attacks — precisely the type of threat CISA warns others to guard against.