In stunning display of stupid, secret CISA credentials found in public GitHub repo
Source: Ars Technica
Overview
Security researcher Brian Krebs reports that the U.S. Cybersecurity & Infrastructure Security Agency (CISA) had a large collection of plaintext passwords, SSH private keys, tokens, and other sensitive assets exposed in a public GitHub repository since at least November 2025.
Discovery of the Repository
The now-offline public repo, named "Private-CISA," was brought to Krebs' attention by GitGuardian researcher Guillaume Valadon. Valadon discovered the repository through GitGuardian's public code scans and contacted Krebs after receiving no response from the repo's owner.
In an email to Krebs, Valadon noted that the repository's commit logs showed GitHub's default secret-detection protections had been disabled by the repository's administrator.
Exploitation and Impact
Testing by Philippe Caturegli, founder of Seralys, confirmed that the credentials in the Private-CISA repo could be used to gain access to multiple Amazon Web Services GovCloud accounts at a high privilege level. This demonstrated that the leak was neither a joke nor a hoax.
Response and Previous Incidents
The repository appeared to be managed by Nightwing, a Virginia-based CISA contractor. Nightwing has not issued a public comment, directing inquiries back to CISA.
This incident is not the first major security lapse involving CISA. Earlier in the year, acting CISA Director Madhu Gottumukkala uploaded sensitive government documents to ChatGPT after receiving an exemption from agency policy prohibiting the use of the tool. Gottumukkala was removed from his role in February.