In a discovery that security professionals are calling one of the most egregious data leaks in recent government history, a public GitHub repository maintained by a contractor for the Cybersecurity and Infrastructure Security Agency (CISA) has been found to harbor highly sensitive, administrative-level credentials. The repository, aptly and ironically named “Private-CISA,” contained plaintext passwords, cloud access keys, and internal configuration files that could have allowed malicious actors to compromise critical federal infrastructure.
The breach, which was shuttered only after independent security researchers intervened, highlights a catastrophic breakdown in basic security hygiene within the agency tasked with defending the nation’s digital borders.
The Scope of the Exposure: A Blueprint for Disaster
The “Private-CISA” repository was not a mere collection of code; it was, by all accounts, a master key to the agency’s internal digital operations. Discovered by researchers at the security firm GitGuardian, the repository served as a public archive of CISA’s software development and deployment processes.
According to Guillaume Valadon, a researcher at GitGuardian, the repository contained a staggering array of sensitive assets. Among the most damaging were administrative credentials for several Amazon Web Services (AWS) GovCloud accounts. GovCloud is a specialized environment designed by Amazon specifically to host sensitive data and applications for U.S. government agencies, requiring a higher level of security compliance.
Beyond cloud keys, the repository contained files such as AWS-Workspace-Firefox-Passwords.csv. This file, as the name suggests, listed plaintext usernames and passwords for dozens of internal CISA systems. Of particular concern was the exposure of credentials for the “LZ-DSO”—or “Landing Zone DevSecOps”—which acts as the agency’s secure code development environment. By exposing the keys to the kingdom, the contractor effectively handed an adversary a roadmap to inject malicious code into the very software that CISA uses to secure federal networks.
Chronology of a Security Failure
The timeline of the exposure reveals a prolonged period of vulnerability that went unnoticed by agency oversight mechanisms.
- September 2018: The contractor, an employee of the Dulles, Virginia-based firm Nightwing, creates the GitHub account that would later host the illicit repository.
- November 13, 2025: The “Private-CISA” repository is established. Over the following months, the contractor uses this public space as a synchronization scratchpad, pushing commits that included work-related files between home and office environments.
- May 15, 2026: Guillaume Valadon of GitGuardian, whose systems automatically flag exposed secrets, identifies the repository. After failing to receive a response from the repository owner, Valadon reaches out to KrebsOnSecurity to escalate the issue.
- May 2026 (Mid-Weekend): Following inquiries from security researchers and media, the repository is taken offline.
- Post-Removal: Security consultant Philippe Caturegli, working in tandem with the investigation, discovers that while the repository was deleted, the AWS GovCloud keys remained active and valid for an additional 48 hours, leaving a window of opportunity for potential exploitation.
Anatomy of the Leak: Poor Hygiene and Disabled Safeguards
Perhaps the most damning aspect of this incident is not just that the data was exposed, but the active steps taken to bypass security features. Analysis of the repository’s commit logs indicates that the contractor intentionally disabled GitHub’s native “secret scanning” feature. This feature is designed to automatically detect and alert users if they attempt to push SSH keys, API tokens, or other sensitive credentials to a public repository.
“Passwords stored in plain text in a CSV, backups in git, explicit commands to disable GitHub secrets detection feature,” Valadon noted in his analysis. “I honestly believed that it was all fake before analyzing the content deeper. This is indeed the worst leak that I’ve witnessed in my career.”
Further investigation by Philippe Caturegli of the consultancy Seralys revealed a pattern of behavior consistent with a user treating a public repository as a personal “Dropbox” or synchronization tool. The presence of both work-related and personal email addresses within the Git metadata suggests a blurring of professional and personal computing environments.
The repository also revealed the use of remarkably weak, predictable password patterns. Many of the exposed credentials followed a structure of the platform’s name followed by the current year. In the world of cybersecurity, such practices are considered elementary errors, yet here they were applied to the highest levels of government infrastructure.
Expert Analysis: The Threat of Lateral Movement
The implications of this breach extend far beyond the immediate loss of credentials. The exposure of CISA’s “artifactory”—a central repository for all code packages used by the agency—poses a systemic risk.

As Caturegli explains, the artifactory is the “prime place to move laterally.” If an attacker had accessed these credentials, they could have introduced backdoors into software packages that the agency relies upon. Because these packages are then deployed across various systems, the backdoor would be pushed out automatically, creating a persistent, hidden foothold within the federal government’s network.
“Backdoor in some software packages, and every time they build something new they deploy your backdoor left and right,” Caturegli warned. By targeting the build environment rather than the individual servers, an adversary could maintain a presence that is incredibly difficult to detect or remediate.
Official Responses and Agency Context
In response to inquiries regarding the breach, a CISA spokesperson issued a brief statement: “Currently, there is no indication that any sensitive data was compromised as a result of this incident. While we hold our team members to the highest standards of integrity and operational awareness, we are working to ensure additional safeguards are implemented to prevent future occurrences.”
The contractor involved, Nightwing, has remained silent, declining to comment on the internal disciplinary measures or the circumstances that led their employee to use a public repository for classified agency credentials.
The incident occurs against a backdrop of significant instability at CISA. Since the beginning of the second Trump administration, the agency has seen a massive exodus of talent, losing nearly a third of its workforce due to budget constraints, forced early retirements, and mass resignations. This “brain drain” has left the agency’s cybersecurity division operating at a fraction of its capacity, raising questions about whether the agency has the bandwidth to properly oversee the security practices of its numerous private-sector contractors.
Broader Implications for Federal Cybersecurity
The “Private-CISA” incident is a sobering reminder that the greatest threats to national security are often not sophisticated foreign intelligence services, but the mundane, preventable errors of individuals with privileged access.
When a contractor—the very people hired to implement robust security—demonstrates a disregard for the most basic principles of secure code management, the entire security architecture of an agency is compromised. This breach effectively turns the government’s own procurement and development chain against it.
For CISA, which has long advocated for "Secure by Design" principles, the embarrassment of this leak is profound. The agency is now tasked with not only remediating the specific credentials that were exposed but also conducting a forensic audit of the entire development ecosystem used by its contractors.
As the agency attempts to recover from this blow, the incident serves as a critical case study for the entire federal government: the reliance on third-party contractors necessitates rigorous, automated, and continuous monitoring. Without a culture of strict security hygiene and the enforcement of mandatory safeguards, even the most advanced defensive tools are rendered useless by a single public repository.
The question remains: how many other “Private-CISA” repositories are currently sitting in the public cloud, waiting to be discovered? As of this writing, the federal government has yet to announce a broader sweep of contractor code repositories, leaving the cybersecurity community to wonder if this is an isolated disaster or the tip of a much larger, more dangerous iceberg.

