MLXIO
black flat screen computer monitor
CybersecurityMay 25, 2026· 6 min read· By MLXIO Insights Team

CISA Spilled Cloud Keys on GitHub — Then Said No Harm

Share

MLXIO Intelligence

Analysis Snapshot

57
Moderate
Confidence: LowTrend: 10Freshness: 96Source Trust: 85Factual Grounding: 92Signal Cluster: 20

Moderate MLXIO Impact based on trend velocity, freshness, source trust, and factual grounding.

Thesis

High Confidence

CISA-linked plaintext passwords, cloud keys, and access tokens were exposed in a public GitHub repository maintained by a contractor, creating a reputationally acute security failure for the U.S. agency responsible for federal cybersecurity.

Evidence

  • GitGuardian researcher Guillaume Valadon found exposed secrets in spreadsheets and other files in a public GitHub repository named "Private-CISA."
  • The exposed material reportedly included plaintext passwords, cloud keys, access tokens, administrative credentials for three AWS GovCloud servers, and credentials for internal CISA systems.
  • Krebs reported the repository was maintained by an employee of Nightwing, a government contractor; Nightwing declined comment and referred questions to CISA.
  • CISA says it is investigating and has "no indication" sensitive data was compromised.

Uncertainty

  • CISA has not publicly answered how long the repository was exposed.
  • It remains unknown whether any unauthorized party accessed or used the exposed credentials.
  • The article reports claims of valid keys, but CISA has not publicly detailed its validation or remediation findings.

What To Watch

  • CISA's investigation results and any confirmation of credential misuse or lack of compromise.
  • Whether CISA or Nightwing discloses the exposure duration and root cause.
  • Evidence of credential rotation, access revocation, or changes to contractor GitHub security controls.

Verified Claims

A GitGuardian researcher found CISA-linked passwords, cloud keys, and access tokens exposed in a public GitHub repository tied to a federal cybersecurity contractor.
📎 The article says Guillaume Valadon of GitGuardian found exposed secrets in files publicly accessible in a GitHub repository maintained by a CISA contractor employee.High
The public GitHub repository was reportedly named “Private-CISA.”
📎 The article cites KrebsOnSecurity reporting that the repository was named “Private-CISA.”High
The exposed material reportedly included plaintext passwords, cloud keys, access tokens, and administrative credentials for three AWS GovCloud servers.
📎 The article lists plaintext passwords, cloud keys, access tokens, and administrative credentials for three AWS GovCloud servers among the reported exposed material.High
CISA said it was investigating and had “no indication” that sensitive data was compromised.
📎 The article states that the agency says it is investigating and has “no indication” sensitive data was compromised.High
The GitHub account containing the repository was taken offline shortly after KrebsOnSecurity and Seralys notified CISA.
📎 The article says the GitHub account containing the repository was taken offline shortly after KrebsOnSecurity and Seralys notified CISA, according to Krebs.High

Frequently Asked

What did CISA reportedly expose on GitHub?

Reports cited in the article say CISA-linked plaintext passwords, cloud keys, access tokens, and administrative credentials were exposed in a public GitHub repository.

Who discovered the exposed CISA-linked credentials?

The article says Guillaume Valadon, a security researcher at GitGuardian, found the exposed secrets and escalated the warning on May 15.

What was the name of the GitHub repository with the exposed CISA-linked secrets?

According to KrebsOnSecurity as cited in the article, the public repository was named “Private-CISA.”

What did CISA say after the GitHub exposure was reported?

CISA said it was investigating and had “no indication” that sensitive data was compromised.

Which contractor was linked to the GitHub repository?

The article cites Krebs reporting that the repository was maintained by an employee of Nightwing, a government contractor based in Dulles, Virginia.

Updated on May 25, 2026

On May 15, a GitGuardian researcher escalated a warning that should never have existed: CISA-linked passwords, cloud keys, and access tokens were sitting in a public GitHub repository tied to a federal cybersecurity contractor.

The exposure was first reported by independent security journalist Brian Krebs and later covered by TechCrunch, which said the exposed material included credentials for systems belonging to CISA and its parent agency, the Department of Homeland Security. The agency says it is investigating and has “no indication” sensitive data was compromised.

May 15: GitGuardian flags a public repo called “Private-CISA”

Guillaume Valadon, a security researcher at GitGuardian, found the exposed secrets in spreadsheets and other files made publicly accessible in a GitHub repository maintained by an employee working for a CISA contractor, according to the reports.

The repository was named “Private-CISA”, according to KrebsOnSecurity. That name did not match its visibility.

The exposed material reportedly included:

Reported exposed material Why it matters
Plaintext passwords in spreadsheet files Passwords stored this way can be copied, searched, and reused without cracking.
Cloud keys and access tokens If valid, they can authenticate directly into cloud or internal systems.
Administrative credentials for three AWS GovCloud servers Krebs reported that Philippe Caturegli validated access at a high privilege level.
Credentials for internal CISA systems, including LZ-DSO Krebs reported this appears to refer to “Landing Zone DevSecOps,” CISA’s secure code development environment.
Credentials to CISA’s internal artifactory Krebs described it as a repository of code packages used to build software.

Valadon told Krebs he tested some keys to confirm they were valid. He said he contacted Krebs because the contractor maintaining the GitHub environment did not respond to alerts.

“Passwords stored in plain text in a csv, backups in git, explicit commands to disable GitHub secrets detection feature,” Valadon wrote, according to Krebs. “I honestly believed that it was all fake before analyzing the content deeper. This is indeed the worst leak that I’ve witnessed in my career. It is obviously an individual’s mistake, but I believe that it might reveal internal practices.”

That last sentence is the uncomfortable part for CISA. This was not an obscure agency with weak cyber expectations. CISA is the U.S. government agency responsible for cybersecurity across the civilian federal network and routinely advises organizations on basic security hygiene, including keeping passwords in secured password managers rather than loose spreadsheets.


After missed alerts, the GitHub repo was taken offline

The repository was maintained by an employee of Nightwing, a government contractor based in Dulles, Virginia, according to Krebs. Nightwing declined to comment to Krebs and directed questions to CISA.

The account history adds another question. Krebs reported that the Private-CISA repository was created on November 13, 2025, while the contractor’s GitHub account dated back to September 2018. CISA has not responded publicly, in the supplied reports, to questions about the full duration of the exposure.

The GitHub account containing the repository was taken offline shortly after KrebsOnSecurity and Seralys notified CISA, according to Krebs. But Philippe Caturegli, founder of Seralys, told Krebs that the exposed AWS keys remained valid for another 48 hours.

Caturegli’s assessment focused on what an attacker could do if the keys were abused, not just whether the files looked embarrassing.

“That would be a prime place to move laterally,” he told Krebs, referring to CISA’s internal artifactory. “Backdoor in some software packages, and every time they build something new they deploy your backdoor left and right.”

That is the central risk. A leaked credential is not just a leaked password if it reaches build systems, cloud accounts, or internal package repositories. It can become a route into the software production chain.

Related MLXIO coverage includes Leaked AWS GovCloud Keys Drag CISA Into Congress Fight and Microsoft Defender Zero-Days Hand Hackers SYSTEM Keys, both useful context for readers tracking privileged-access failures and public-sector security fallout.

CISA says it is investigating, but key answers are missing

CISA spokesperson Marco DiSandro told TechCrunch the agency is “aware of the reported exposure and is continuing to investigate the situation.” He added that there is “no indication that any sensitive data was compromised as a result of this incident.”

Krebs published a similar CISA statement:

“Currently, there is no indication that any sensitive data was compromised as a result of this incident,” the CISA spokesperson wrote. “While we hold our team members to the highest standards of integrity and operational awareness, we are working to ensure additional safeguards are implemented to prevent future occurrences.”

That statement leaves several operational questions open.

CISA would not say, according to TechCrunch, whether it has seen evidence of a breach stemming from the exposure. TechCrunch also asked whether the agency had revoked and replaced the exposed credentials; the published account does not include a clear answer.

The practical impact depends on three facts not yet fully disclosed:

  • Validity: Which credentials were active when the repository was found?
  • Scope: What systems could those credentials access, and at what privilege level?
  • Exposure window: How long were the files public before the repository was taken offline?

Analysis: CISA’s “no indication” line is narrower than “no compromise.” It means the agency is not currently pointing to evidence that sensitive data was compromised. It does not, by itself, answer whether all credentials were abused, whether logs were complete, or whether access paths were fully closed.


Contractor controls now become CISA’s problem

The reports trace the repository to a contractor employee, but that does not move the accountability outside CISA’s perimeter. TechCrunch noted that CISA is ultimately responsible for the security of its own network and systems, including contractors working for the agency.

The timing compounds the issue. CISA has been without a permanent director since January 20, 2025, when then-director Jen Easterly stepped down ahead of the incoming Trump administration. TechCrunch also reported that CISA has lost about a third of its workforce following cuts, furloughs, and layoffs since Trump took office.

Those staffing facts do not explain the leak. They do, however, frame the response burden. Credential rotation, cloud audit review, contractor access review, and build-system integrity checks all require people with authority and system knowledge.

The next decision point is disclosure. CISA can close the immediate hole by rotating keys and tightening GitHub controls, but the credibility test is whether it says how long the credentials were exposed, which systems were reachable, and whether any valid keys were used outside expected activity.

Until those details are public, this remains an unresolved exposure rather than a confirmed breach. For an agency built to tell others how to avoid exactly this mistake, that distinction may not be enough.

Impact Analysis

  • CISA is responsible for protecting critical infrastructure, making any credential exposure especially damaging to public trust.
  • Cloud keys and access tokens can provide direct system access if they are still valid.
  • The incident highlights the risk of contractors mishandling sensitive government security material in public code repositories.

Reported Exposed CISA-Linked Secrets

Exposed materialWhy it matters
Plaintext passwords in spreadsheetsCould be copied, searched, and reused without cracking.
Cloud keys and access tokensCould authenticate directly into cloud or internal systems if valid.
Administrative credentials for three AWS GovCloud serversReportedly validated at a high privilege level.
Credentials for internal CISA systems including LZ-DSOMay relate to CISA’s secure code development environment.
Credentials to CISA’s internal artifactoryCould expose software build or package-management systems.
MLXIO

Written by

MLXIO Insights Team

Algorithmic Research & Human Oversight

Powered by advanced algorithmic research and perfected by human oversight. The Insights Team delivers highly structured, cross-verified analysis on emerging tech trends and digital shifts, filtering out the fluff to give you high-fidelity value.

Related Articles

people walking on sidewalk near white concrete building during night time
CybersecurityMay 22, 2026

Leaked AWS GovCloud Keys Drag CISA Into Congress Fight

CISA faces congressional scrutiny after a contractor exposed agency credentials and AWS GovCloud keys on GitHub.

7 min read

a blue and white logo
CybersecurityMay 12, 2026

Cloud DevOps Security Risks Spike in 2026 — Are You Ready?

Security threats in cloud DevOps platforms escalate in 2026, demanding urgent action to protect code, secrets, and infrastructure from sophisticated attacks.

11 min read

a rack of electronic equipment in a dark room
CybersecurityMay 28, 2026

300 Poisoned GitHub Repos Expose Glassworm Botnet Threat

Glassworm poisoned 300+ GitHub repos before CrowdStrike and Google cut its command channels, but developer supply chains may still be exposed.

6 min read

woman holding cardboard box with do we look like bots ? text
CybersecurityMay 27, 2026

AI Hatred Sparks New Threat Label: Anti-Tech Extremism

US agencies are recasting violent AI backlash as anti-tech extremism, raising hard questions about protest, labor anger, and surveillance.

8 min read

Matrix movie still
CybersecurityMay 26, 2026

34 TrapDoor Packages Poison AI Coding Tools to Steal Keys

TrapDoor pushed 34 malicious packages across npm, PyPI and Crates.io to steal credentials and poison AI coding workflows.

6 min read

cable network
TradingJul 9, 2026

Third Trump Plug Sends Dell Stock on a 9% AI Server Tear

Dell stock jumped up to 9% after Trump’s latest plug landed on top of booming AI server demand—and raised ethics questions.

8 min read

grayscale photo of hanging heart shaped pendant lamp
TechnologyJul 8, 2026

US-Blocked CXMT RAM Lands in Apple's China Device Test

Apple’s CXMT test turns China-bound memory sourcing into a Washington risk problem.

12 min read

a close up of the wifi logo on the side of a bus
TechnologyJul 7, 2026

FCC Could Let Broadband Labels Hide Fees Behind 'Up To'

FCC rules could let ISPs bundle passthrough fees into an “up to” line, making broadband prices harder to compare.

9 min read

red xbox one game controller
TechnologyJul 9, 2026

8 New Xbox Game Pass Games Hit Before July 21 — See List

Xbox Game Pass gets eight new July 2026 games, while two more titles expand to Premium across cloud, console, PC and handheld.

6 min read

Vintage blue police car with chrome details
CybersecurityJul 9, 2026

5 Cops Arrested After Flock Safety Logs Expose Stalking

Flock Safety audits exposed alleged LPR misuse by Georgia officers, raising a bigger question: how much insider tracking goes undetected?

7 min read

Stay ahead of the curve

Get a weekly digest of the most important tech, AI, and finance news — curated by AI, reviewed by humans.

No spam. Unsubscribe anytime.