CISA Contractor Exposes GovCloud Credentials on Public GitHub Repository
A contractor for the U.S. Cybersecurity and Infrastructure Security Agency (CISA) created a public GitHub repository named 'Private-CISA' in November 2025, exposing plain-text credentials for AWS GovCloud accounts and internal systems. Discovered on May 14 by GitGuardian, the 844 MB leak included Kubernetes files, passwords, and deployment details. Congress demanded briefings, citing workforce cuts and security culture failures. CISA confirmed the investigation but found no evidence of compromise, though some keys remained active days after notification.
Cross-source coverage
Wire timeline
Lawmakers Demand Answers as CISA Struggles to Contain Data Leak of AWS GovCloud Keys
Lawmakers in both houses of Congress are demanding answers from the U.S. Cybersecurity & Infrastructure Security Agency (CISA) after a contractor intentionally published AWS GovCloud keys and other agency secrets on a public GitHub account named 'Private-CISA'. The breach, first reported by KrebsOnSecurity, involved plaintext credentials to dozens of internal systems. CISA acknowledged the leak but has not disclosed its duration, though experts found the repository was created in November 2025. Senator Maggie Hassan and Representative Bennie Thompson sent letters expressing concern about CISA's security culture, especially after the agency lost over a third of its workforce under the Trump administration. Security firm GitGuardian notified CISA over a week ago, but the agency is still working to invalidate exposed keys. Dylan Ayrey, creator of TruffleHog, found that an RSA private key granting full access to CISA-IT GitHub repositories remained active two days after notification.
Krebs on SecurityCISA Contractor Leaks AWS GovCloud Credentials on Public GitHub Repository
A contractor for the U.S. Cybersecurity and Infrastructure Security Agency (CISA) maintained a public GitHub repository until the past weekend that exposed credentials to several highly privileged AWS GovCloud accounts and numerous internal CISA systems. Security experts described the leak as one of the most egregious government data breaches in recent history, as the public archive included detailed files on how CISA builds, tests, and deploys software internally. The incident was first reported by KrebsOnSecurity and covered by Gizmodo, highlighting significant security failures within the agency responsible for protecting U.S. critical infrastructure.
Schneier on SecurityReported exposure of federal cybersecurity agency login data prompts Hill scrutiny
Top Democratic lawmakers on the House Homeland Security Committee have requested a briefing from the Cybersecurity and Infrastructure Security Agency (CISA) after reports that a contractor-linked GitHub repository briefly exposed authentication credentials and cloud access information tied to the agency. Independent journalist Brian Krebs reported that researchers identified a publicly accessible repository connected to government contractor Nightwing that allegedly exposed sensitive access information for systems used by CISA and the Department of Homeland Security. The repository, labeled 'Private CISA,' included AWS GovCloud information and other sensitive data before being taken offline. Reps. Bennie Thompson and Delia Ramirez expressed concern that recent workforce cuts at CISA may have contributed to the security lapse. CISA declined to comment on the congressional correspondence but said it responds to members directly. Sen. Maggie Hassan also sent a separate letter seeking a briefing.
Government Executive - All ContentReported exposure of federal cybersecurity agency login data prompts Hill scrutiny
Top Democratic lawmakers on the House Homeland Security Committee have requested a briefing from CISA acting Director Nick Andersen after a contractor-linked GitHub repository briefly exposed sensitive authentication credentials and cloud access information tied to the agency. Independent journalist Brian Krebs reported that researchers identified a publicly accessible GitHub repository connected to government contractor Nightwing that allegedly exposed a broad collection of sensitive access information tied to systems used by CISA and DHS. The repository, labeled 'Private CISA,' included authentication credentials, AWS GovCloud information, and other sensitive data before being taken offline. Reps. Bennie Thompson and Delia Ramirez expressed concern that significant workforce cuts at CISA may have contributed to the incident, which they described as undermining the agency's credibility. Sen. Maggie Hassan also sent a separate letter requesting a briefing.
Government Executive - All ContentReported exposure of federal cybersecurity agency login data prompts Hill scrutiny
Top Democratic lawmakers on the House Homeland Security Committee have requested an urgent briefing from CISA acting Director Nick Andersen after a contractor-linked GitHub repository allegedly exposed sensitive authentication credentials and AWS GovCloud access information tied to CISA and DHS systems. The repository, labeled 'Private CISA,' was taken offline after security researchers identified it. Independent journalist Brian Krebs reported the leak, which researchers described as 'one of the most egregious government data leaks in recent history.' Reps. Bennie Thompson and Delia Ramirez expressed concern that recent significant workforce cuts at CISA may have contributed to the security lapse, undermining the agency's credibility. Sen. Maggie Hassan also sent a separate letter requesting a briefing. CISA declined to comment on congressional correspondence but said it responds to members directly.
Government Executive - All ContentReported exposure of federal cybersecurity agency login data prompts Hill scrutiny
Top Democratic lawmakers on the House Homeland Security Committee have requested a briefing from CISA acting Director Nick Andersen after a contractor-linked GitHub repository briefly exposed sensitive authentication credentials and cloud access information tied to the agency. The repository, labeled 'Private CISA,' was reportedly linked to government contractor Nightwing and contained AWS GovCloud data and internal software deployment details. Security researchers described it as one of the most egregious government data leaks in recent history. Lawmakers expressed concern that recent significant workforce cuts at CISA may have contributed to the security lapse and undermined the agency's credibility. CISA declined to comment on the congressional correspondence but said it responds to members directly. Senator Maggie Hassan also sent a separate letter requesting a briefing.
Government Executive - All ContentCISA Credential Leak on GitHub Sparks Congressional Alarm
A significant security breach involving the Cybersecurity and Infrastructure Security Agency (CISA) has prompted urgent demands from Congress. Security firm GitGuardian discovered a public GitHub repository, named 'Private-CISA' and maintained by a contractor (Nightwing), that exposed privileged credentials for AWS GovCloud accounts and internal CISA systems dating back to November. The researcher who found the leak called it one of the worst he has ever witnessed, fearing state actors could gain persistence in government systems. House Homeland Security Committee leaders Rep. Bennie Thompson and Rep. Delia Ramirez, as well as Sen. Maggie Hassan, have sent letters demanding briefings on how the lapse occurred, potential consequences, remediation, and corrective actions. CISA stated it is investigating and currently sees no evidence of data compromise, while security experts highlight the common but dangerous risk of credential exposure via misconfigured repositories.
CyberScoopCISA Contractor Exposed GovCloud and Internal Credentials on Public GitHub Repository
A publicly accessible GitHub repository, named 'Private-CISA' and active since November 13, 2025, exposed credentials for US government AWS accounts and internal CISA systems. The leak was discovered on May 14 by GitGuardian researcher Guillaume Valadon, who reported it to CERT/CC and CISA. The repository, containing 844 MB of data including Kubernetes files, plain-text passwords, AWS tokens, and internal documents, was taken offline within a day. Valadon believes a CISA contractor created the repository on a personal GitHub account, storing secrets in plain text. CISA confirmed the investigation and stated there is no indication of data compromise. The repository was never forked, limiting the blast radius.
To pay, or not to pay: 58% of CISOs say they would pay the ransom for their data | CSO OnlineCISA Exposes Secrets and Credentials in Public GitHub Repository Named 'Private-CISA'
On May 14, 2026, GitGuardian researcher Guillaume Valadon discovered a public GitHub repository belonging to the U.S. Cybersecurity and Infrastructure Security Agency (CISA) that contained 844MB of sensitive data, including plain-text passwords, authentication tokens, private keys, and AWS credentials. The repository, ironically named 'Private-CISA,' had been publicly accessible since November 13, 2025. The exposed material included CI/CD build logs, Kubernetes manifests, GitHub Actions workflows, and detailed cloud infrastructure information. CISA took the repository down within 24 hours after being alerted, with assistance from journalist Brian Krebs. It remains unclear if threat actors accessed the data during the six months it was exposed, though researchers note attackers typically exploit such leaks within minutes. The incident highlights ongoing risks of secret sprawl and unsafe practices like disabling GitHub's secret scanning.
darkreading