In a breach described by veteran security researchers as one of the most egregious government data leaks in recent history, a contractor for the Cybersecurity and Infrastructure Security Agency (CISA) inadvertently exposed highly privileged credentials and internal documentation to the public internet. The leak, which resided in a public GitHub repository for months, potentially provided malicious actors with the keys to the kingdom, including administrative access to AWS GovCloud accounts and blueprints for the agency’s internal software development pipeline.
The incident underscores a harrowing reality in federal cybersecurity: even the agencies tasked with protecting the nation’s digital infrastructure are not immune to the fundamental, often human-driven errors that plague the private sector.
The Discovery: A Red Flag in the Code
The exposure came to light on May 15, when Guillaume Valadon, a researcher at the security firm GitGuardian, identified the repository. GitGuardian maintains automated systems that continuously scan public code repositories, such as GitHub, to identify exposed API keys, credentials, and sensitive configuration files.
The repository, aptly and alarmingly named "Private-CISA," was not a secure, private development environment but a public-facing archive. According to Valadon, the sheer volume of sensitive data was so immense that he initially suspected it might be a simulation or a "honeypot" designed to catch unsuspecting hackers. Upon deeper analysis, however, it became clear that the data was authentic, current, and highly dangerous.
"Passwords stored in plain text in a CSV, backups in Git, explicit commands to disable GitHub’s secret detection feature," Valadon noted in his correspondence. "I honestly believed that it was all fake before analyzing the content deeper. This is indeed the worst leak that I’ve witnessed in my career."
Chronology of the Exposure
The timeline of the breach suggests a long-term failure in operational security protocols:
- September 2018: The CISA contractor establishes a personal GitHub account.
- November 13, 2025: The "Private-CISA" repository is created, initiating the period of exposure.
- November 2025 – May 2026: The contractor uses the repository as a synchronization "scratchpad," frequently committing work-related files, credentials, and configuration logs from various environments.
- May 15, 2026: GitGuardian’s automated systems flag the repository. After failing to receive a response from the account owner, Valadon reaches out to security experts and stakeholders to alert them to the urgency of the situation.
- Mid-May 2026: KrebsOnSecurity and Seralys independently verify the severity of the leak and notify CISA.
- Late May 2026: Following the notification, the repository is taken offline. However, critical AWS credentials remain valid for an additional 48 hours, leaving a window of vulnerability even after the public visibility of the repo was terminated.
Anatomy of the Breach: What Was Exposed?
The contents of the "Private-CISA" repository read like a roadmap for a state-sponsored cyberattack. Security consultant Philippe Caturegli, founder of Seralys, conducted an independent analysis of the exposed materials to determine the scope of the potential damage.
The "Important" Credentials
The repository contained a file titled "importantAWStokens," which held high-level administrative credentials for three separate AWS GovCloud servers. GovCloud is a specialized environment designed by Amazon to host sensitive government data and workloads, adhering to strict regulatory compliance standards. Access to these environments is typically restricted to authorized personnel and is meant to be heavily fortified.
Plaintext Passwords and Internal Systems
Beyond cloud keys, the repository contained a file labeled "AWS-Workspace-Firefox-Passwords.csv." This document listed plaintext usernames and passwords for dozens of internal CISA systems. Among the systems identified was "LZ-DSO," a reference to "Landing Zone DevSecOps"—the core, secure environment where CISA develops and tests the software used to manage federal infrastructure security.

Metadata and Hygiene
The metadata within the repository reveals a disturbing pattern of poor security hygiene. The contractor had explicitly disabled GitHub’s native secret-scanning features, which are designed to prevent users from accidentally pushing sensitive keys to public repositories. Furthermore, many of the passwords found in the repository followed an amateurish naming convention: the name of the platform followed by the current year (e.g., [Platform]2026). Such practices significantly lower the barrier to entry for any attacker performing credential stuffing or brute-force attacks.
The Strategic Threat: Lateral Movement
The most alarming aspect of the breach, according to experts, is the exposure of CISA’s internal "artifactory." An artifactory serves as a central repository for the code packages and dependencies that an organization uses to build its software.
If an attacker were to gain access to this repository, they could perform "lateral movement" or "supply chain poisoning." By injecting malicious code—a backdoor—into the software packages used by the agency, an attacker could ensure that their code is automatically deployed every time the agency updates its internal systems.
"That would be a prime place to move laterally," Caturegli explained. "Backdoor some software packages, and every time they build something new, they deploy your backdoor left and right."
Official Response and Agency Context
In a brief statement, a CISA spokesperson acknowledged the breach: "Currently, there is no indication that any sensitive data was compromised as a result of this incident. While we hold our team members to the highest standards of integrity and operational awareness, we are working to ensure additional safeguards are implemented to prevent future occurrences."
The contractor involved was identified as an employee of Nightwing, a Dulles, Virginia-based government services firm. When contacted for comment, Nightwing directed all inquiries back to CISA.
The timing of this incident is particularly sensitive for the agency. CISA is currently navigating a period of profound internal instability. Following the start of the second Trump administration, the agency has lost approximately one-third of its workforce due to a combination of budget cuts, buyouts, and forced resignations. This "brain drain" has left the agency’s remaining divisions stretched thin, potentially impacting the rigorous oversight required to manage high-level contractors.
The Broader Implications for Federal Cybersecurity
This incident serves as a stark reminder that the security of a network is only as strong as its weakest link—which, in this case, was a single contractor’s convenience-driven workflow. The use of a public repository to synchronize files between home and work environments demonstrates a fundamental failure to grasp the risks inherent in modern cloud development.
Lessons for the Future
- Strict Enforcement of Secret Detection: Federal agencies must enforce the use of automated secret scanning for all code repositories, regardless of whether they are labeled "private" or "public."
- Contractor Oversight: The incident highlights the need for more stringent security audits of third-party contractors. If a contractor is handling sensitive infrastructure, their development environment must be strictly controlled, audited, and air-gapped from personal public-facing accounts.
- The "Scratchpad" Danger: Organizations must educate employees and contractors on the dangers of using public platforms as working directories. The "Private-CISA" repository was not an intended public release, but the functionality of the platform made it public by default.
- Credential Rotation: The fact that AWS keys remained valid for 48 hours after the repository was taken down indicates a failure in rapid incident response and credential revocation procedures.
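The first and third lessons above are the kind of check a pre-commit hook can enforce. The following is an added example, not code from the article, from GitGuardian or from GitHub: a small scanner over a constructed file tree that flags AWS access key IDs, CSV files with a plaintext password column, and platform-plus-year passwords of the sort described in the Metadata and Hygiene section. The file names mirror the article's description; every key, host and password value is fabricated, and the hostnames are hypothetical.

```python
import re
from dataclasses import dataclass

# AWS access key IDs are 20 chars beginning "AKIA"; matching that shape is the
# kind of rule a secret scanner applies before a commit ever reaches GitHub.
AWS_KEY_ID = re.compile(r"\b(AKIA[0-9A-Z]{16})\b")
# The weak "platform name followed by the year" convention the article describes.
YEAR_SUFFIX = re.compile(r"^[A-Za-z]+20\d{2}$")

@dataclass(frozen=True)
class Finding:
    path: str
    kind: str
    detail: str

def scan_file(path: str, text: str) -> list[Finding]:
    """Return every policy violation found in one file's contents."""
    findings = []
    for m in AWS_KEY_ID.finditer(text):
        findings.append(Finding(path, "aws_access_key_id", m.group(1)))
    if path.lower().endswith(".csv") and text.strip():
        lines = text.strip().splitlines()
        header = [c.strip().lower() for c in lines[0].split(",")]
        if "password" in header:
            col = header.index("password")
            findings.append(Finding(path, "plaintext_password_csv", f"{len(lines) - 1} rows"))
            for n, row in enumerate(lines[1:], start=2):
                cells = row.split(",")
                # Report the offending line number, never the password value itself.
                if col < len(cells) and YEAR_SUFFIX.match(cells[col].strip()):
                    findings.append(Finding(path, "weak_year_suffix_password", f"line {n}"))
    return findings

def scan_repo(files: dict[str, str]) -> list[Finding]:
    """Scan a mapping of path -> contents, as a pre-commit hook would."""
    return [f for path, text in files.items() for f in scan_file(path, text)]

# Constructed sample tree modelled on the file names reported in the article;
# every key, host and password below is fabricated.
SAMPLE_REPO = {
    "importantAWStokens": "govcloud admin key: AKIA0000000000EXAMPL\n",
    "AWS-Workspace-Firefox-Passwords.csv": (
        "url,username,password\n"
        "https://lz-dso.example/,jdoe,Platform2026\n"
        "https://wiki.example/,jdoe,x7!Qm#p2Lr9vB$wE\n"
    ),
    "README.md": "sync scratchpad\n",
}
```

Running `scan_repo(SAMPLE_REPO)` yields one finding for the key file and two for the CSV (the plaintext column itself and the year-suffixed password on line 2); a hook that exits non-zero on any finding blocks the commit before it can leave the workstation.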
As CISA continues to investigate, the cybersecurity community remains focused on whether the "Private-CISA" repository was indexed by threat actors before it was taken offline. For now, the agency is left to grapple with the fallout of an embarrassment that underscores the fragility of federal digital defenses in an era of persistent, sophisticated, and often opportunistic cyber threats.