CISA Left Its Passwords in a Public GitHub Repo Called 'Private-CISA'
America's cybersecurity agency has managed to leave a trove of plaintext passwords, SSH private keys, authentication tokens, and other sensitive credentials sitting in a publicly accessible GitHub repository since at least November 2025. This is the agency responsible for protecting US critical infrastructure from exactly this kind of thing. Yes, really.
Security journalist Brian Krebs broke the story after being tipped off by Guillaume Valadon at GitGuardian, whose automated public code scanning tools spotted the repo. Valadon had already tried contacting the repository owner directly and got nothing back, so he went to Krebs instead.
The repository was named, with some audacity, 'Private-CISA'. It was not private. According to Valadon, the commit history shows that GitHub's built-in secret scanning protections, which exist specifically to stop developers accidentally pushing credentials into public view, had been manually disabled by whoever administered the repo.
This wasn't just theoretical exposure. Seralys founder Philippe Caturegli independently tested the leaked credentials and confirmed they worked, gaining access to multiple Amazon Web Services GovCloud accounts at what he described as a high privilege level. GovCloud, for context, is AWS's environment built for US government workloads. Not exactly a sandbox.
The repo appears to have been managed by Nightwing, a Virginia-based contractor working with CISA. Nightwing has declined to comment, pointing questions back toward CISA instead.
For an agency whose entire purpose is cybersecurity, CISA has been having a remarkably rough time of it lately. Back in January, acting CISA Director Madhu Gottumukkala uploaded sensitive government documents to ChatGPT, having previously secured a personal exemption from the agency's own policy banning staff from using the tool. He was removed from his position in February. The credentials leak makes two significant own-goals in under six months.
The repository has since been taken offline.