On May 15, a GitGuardian researcher escalated a warning that should never have existed: CISA-linked passwords, cloud keys, and access tokens were sitting in a public GitHub repository tied to a federal cybersecurity contractor.
The exposure was first reported by independent security journalist Brian Krebs and later covered by TechCrunch, which said the exposed material included credentials for systems belonging to CISA and its parent agency, the Department of Homeland Security. The agency says it is investigating and has “no indication” sensitive data was compromised.
May 15: GitGuardian flags a public repo called “Private-CISA”
Guillaume Valadon, a security researcher at GitGuardian, found the exposed secrets in spreadsheets and other files made publicly accessible in a GitHub repository maintained by an employee working for a CISA contractor, according to the reports.
The repository was named “Private-CISA”, according to KrebsOnSecurity. That name did not match its visibility.
The exposed material reportedly included:
| Reported exposed material | Why it matters |
|---|---|
| Plaintext passwords in spreadsheet files | Passwords stored this way can be copied, searched, and reused without cracking. |
| Cloud keys and access tokens | If valid, they can authenticate directly into cloud or internal systems. |
| Administrative credentials for three AWS GovCloud servers | Krebs reported that Philippe Caturegli validated access at a high privilege level. |
| Credentials for internal CISA systems, including LZ-DSO | Krebs reported this appears to refer to “Landing Zone DevSecOps,” CISA’s secure code development environment. |
| Credentials to CISA’s internal artifactory | Krebs described it as a repository of code packages used to build software. |
Valadon told Krebs he tested some keys to confirm they were valid. He said he contacted Krebs because the contractor maintaining the GitHub environment did not respond to alerts.
“Passwords stored in plain text in a csv, backups in git, explicit commands to disable GitHub secrets detection feature,” Valadon wrote, according to Krebs. “I honestly believed that it was all fake before analyzing the content deeper. This is indeed the worst leak that I’ve witnessed in my career. It is obviously an individual’s mistake, but I believe that it might reveal internal practices.”
That last sentence is the uncomfortable part for CISA. This was not an obscure agency with weak cyber expectations. CISA is the U.S. government agency responsible for cybersecurity across the civilian federal network and routinely advises organizations on basic security hygiene, including keeping passwords in secured password managers rather than loose spreadsheets.
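Valadon's description of passwords in a CSV and of commands that turned off GitHub's secret detection points at the control that failed first: nothing inspected the files before they reached a public repository. The scanner below is an added example written for this article, not GitGuardian's, Nightwing's or CISA's code. It shows what a minimal pre-commit gate for the material described in the table would check: known credential formats anywhere in a file, and filled password-like columns in spreadsheet exports regardless of what the values look like. The file contents, hostnames and credentials in `SAMPLE_FILES` are constructed (the AWS access key id is AWS's documented placeholder value), and the regexes are assumptions, not any vendor's detection rules.

```python
"""Pre-commit style scan of files about to be committed, looking for plaintext
credentials. Added illustration for this article; not GitGuardian's, Nightwing's
or CISA's code. Patterns and sample data are constructed assumptions."""
import csv
import io
import re
from dataclasses import dataclass
from typing import Callable, Dict, List

# Credential formats with a recognisable shape. The AWS access key id prefix and
# the GitHub token prefixes are public formats; the regexes are our own.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
}

# Column headers that usually carry a secret when they show up in a CSV export.
SECRET_COLUMN = re.compile(
    r"^(pass(word)?|pwd|secret|token|api[_-]?key|access[_-]?key)$", re.I
)


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    kind: str
    preview: str  # redacted: hook output and CI logs must never echo the secret


def redact(value: str) -> str:
    """Keep enough to locate the value in the file, not enough to use it."""
    return value[:4] + "*" * max(len(value) - 4, 0)


def scan_text(path: str, text: str) -> List[Finding]:
    """Pattern-based scan of any text file, line by line."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append(Finding(path, lineno, kind, redact(match.group(0))))
    return findings


def scan_csv(path: str, text: str) -> List[Finding]:
    """CSV scan: pattern scan plus any non-empty cell under a password-like header.
    A password such as 'hunter2' has no shape a regex can key on, so the header
    is the only reliable signal for spreadsheet-style exports."""
    findings = scan_text(path, text)
    reader = csv.reader(io.StringIO(text))
    try:
        header = next(reader)
    except StopIteration:  # empty file
        return findings
    secret_cols = [i for i, name in enumerate(header) if SECRET_COLUMN.match(name.strip())]
    for lineno, row in enumerate(reader, start=2):  # line 1 is the header
        for i in secret_cols:
            if i < len(row) and row[i].strip():
                kind = "plaintext_" + header[i].strip().lower()
                findings.append(Finding(path, lineno, kind, redact(row[i])))
    return findings


def scan_staged(files: Dict[str, str]) -> List[Finding]:
    """`files` maps path -> content, i.e. what a hook would read from the index."""
    out: List[Finding] = []
    for path, text in files.items():
        scanner: Callable[[str, str], List[Finding]] = (
            scan_csv if path.lower().endswith(".csv") else scan_text
        )
        out.extend(scanner(path, text))
    return out


def commit_allowed(files: Dict[str, str]) -> bool:
    """Hook decision: block the commit if anything was found."""
    return not scan_staged(files)


# Constructed sample files; hostnames, users and passwords are made up, and the
# AWS key id is AWS's documented example value, not a real credential.
SAMPLE_FILES = {
    "inventory/servers.csv": (
        "hostname,username,password\n"
        "build01.example.internal,deploy,Winter2025!\n"
        "artifactory.example.internal,svc_ci,hunter2\n"
    ),
    "deploy/env.txt": (
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "AWS_SECRET_ACCESS_KEY=<omitted-in-sample>\n"
    ),
    "README.md": "Internal tooling notes.\n",
}

if __name__ == "__main__":
    for f in scan_staged(SAMPLE_FILES):
        print(f"{f.path}:{f.line}: {f.kind} ({f.preview})")
    print("commit allowed:", commit_allowed(SAMPLE_FILES))
```

The hook reports the file, line and kind of each finding with the value redacted, so the scan output itself does not become a second copy of the leak. A repository-level control of this sort is what GitHub's own secret scanning provides; the point of running it before commit is that it catches the file while it is still local, which is the only moment at which disabling the server-side check would have no effect.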
After missed alerts, the GitHub repo was taken offline
The repository was maintained by an employee of Nightwing, a government contractor based in Dulles, Virginia, according to Krebs. Nightwing declined to comment to Krebs and directed questions to CISA.
The account history adds another question. Krebs reported that the Private-CISA repository was created on November 13, 2025, while the contractor's GitHub account dated back to September 2018. In the reports cited here, CISA has not publicly answered questions about the full duration of the exposure.
The GitHub account containing the repository was taken offline shortly after KrebsOnSecurity and Seralys notified CISA, according to Krebs. But Philippe Caturegli, founder of Seralys, told Krebs that the exposed AWS keys remained valid for another 48 hours.
Caturegli’s assessment focused on what an attacker could do if the keys were abused, not just whether the files looked embarrassing.
“That would be a prime place to move laterally,” he told Krebs, referring to CISA’s internal artifactory. “Backdoor in some software packages, and every time they build something new they deploy your backdoor left and right.”
That is the central risk. A leaked credential is not just a leaked password if it reaches build systems, cloud accounts, or internal package repositories. It can become a route into the software production chain.
Related MLXIO coverage includes Leaked AWS GovCloud Keys Drag CISA Into Congress Fight and Microsoft Defender Zero-Days Hand Hackers SYSTEM Keys, both useful context for readers tracking privileged-access failures and public-sector security fallout.
CISA says it is investigating, but key answers are missing
CISA spokesperson Marco DiSandro told TechCrunch the agency is “aware of the reported exposure and is continuing to investigate the situation.” He added that there is “no indication that any sensitive data was compromised as a result of this incident.”
Krebs published a similar CISA statement:
“Currently, there is no indication that any sensitive data was compromised as a result of this incident,” the CISA spokesperson wrote. “While we hold our team members to the highest standards of integrity and operational awareness, we are working to ensure additional safeguards are implemented to prevent future occurrences.”
That statement leaves several operational questions open.
CISA would not say, according to TechCrunch, whether it has seen evidence of a breach stemming from the exposure. TechCrunch also asked whether the agency had revoked and replaced the exposed credentials; the published account does not include a clear answer.
The practical impact depends on three facts not yet fully disclosed:
- Validity: Which credentials were active when the repository was found?
- Scope: What systems could those credentials access, and at what privilege level?
- Exposure window: How long were the files public before the repository was taken offline?
Analysis: CISA’s “no indication” line is narrower than “no compromise.” It means the agency is not currently pointing to evidence that sensitive data was compromised. It does not, by itself, answer whether all credentials were abused, whether logs were complete, or whether access paths were fully closed.
Contractor controls now become CISA’s problem
The reports trace the repository to a contractor employee, but that does not move the accountability outside CISA’s perimeter. TechCrunch noted that CISA is ultimately responsible for the security of its own network and systems, including contractors working for the agency.
The timing compounds the issue. CISA has been without a permanent director since January 20, 2025, when then-director Jen Easterly stepped down ahead of the incoming Trump administration. TechCrunch also reported that CISA has lost about a third of its workforce following cuts, furloughs, and layoffs since Trump took office.
Those staffing facts do not explain the leak. They do, however, frame the response burden. Credential rotation, cloud audit review, contractor access review, and build-system integrity checks all require people with authority and system knowledge.
The next decision point is disclosure. CISA can close the immediate hole by rotating keys and tightening GitHub controls, but the credibility test is whether it says how long the credentials were exposed, which systems were reachable, and whether any valid keys were used outside expected activity.
Until those details are public, this remains an unresolved exposure rather than a confirmed breach. For an agency built to tell others how to avoid exactly this mistake, that distinction may not be enough.
Impact Analysis
- CISA is responsible for protecting critical infrastructure, making any credential exposure especially damaging to public trust.
- Cloud keys and access tokens can provide direct system access if they are still valid.
- The incident highlights the risk of contractors mishandling sensitive government security material in public code repositories.