TL;DR:
- What happened: A contractor working for CISA (the federal agency responsible for America’s cybersecurity) maintained a public GitHub repository called “Private-CISA” containing 844 MB of plaintext AWS GovCloud keys, internal passwords, SSH keys, deploy secrets, and agency documentation. It was public for six months. [1][2]
- Who found it: Guillaume Valadon, a researcher at GitGuardian, discovered the exposure and called it “the worst leak that I’ve witnessed in my career.” CISA took the repo offline 26 hours after being notified, on May 15, 2026. [1][2]
- What was at risk: Administrative credentials to three AWS GovCloud accounts, plaintext passwords for dozens of internal CISA systems including the “Landing Zone DevSecOps” secure development environment, Kubernetes configs, and access tokens. [1][2]
- The contractor: An employee of Nightwing, a government contractor based in Dulles, Virginia, was using the public repo to sync work files to a personal computer. They had disabled GitHub’s default setting that blocks users from publishing secrets. [1][2]
- Congressional response: Three lawmakers (Rep. Bennie Thompson, Rep. Delia Ramirez, and Sen. Maggie Hassan) sent letters to CISA’s acting director demanding briefings on how the breach occurred. [3]
A Public Repo Called “Private-CISA”
That’s not a joke. The repository was literally named “Private-CISA.” It was public.
From November 13, 2025 to May 15, 2026, a Nightwing contractor used this GitHub repository as a file-transfer method, syncing work materials between a work laptop and a home computer. Regular commits over six months. 844 megabytes of data. All of it visible to anyone with a browser. [1][2]
The contractor had gone out of their way to disable GitHub’s default secret-scanning protection: the built-in feature that warns you when you’re about to publish credentials to a public repository. They turned it off. Then they uploaded AWS keys, plaintext passwords, and SSH credentials to a repo with “CISA” in the name. [1][2]
Guillaume Valadon at GitGuardian discovered the exposure and tried to alert the account owner directly. No response. He escalated to CISA. Twenty-six hours later, the repo came down. [1][2]
But here’s the part that should keep security teams awake: the exposed AWS keys remained valid for another 48 hours after the repository was taken offline. Two full days where anyone who’d copied those credentials still had working access to government cloud infrastructure. [1][2]
What Was Actually in There
The filenames alone tell the story. A file called “importantAWStokens” contained administrative credentials for three AWS GovCloud servers. Another file, “AWS-Workspace-Firefox-Passwords.csv”, listed plaintext usernames and passwords for dozens of internal CISA systems. [1][2]
The full inventory, according to reporting from Gizmodo, TechCrunch, and other outlets:
- Administrative credentials to three AWS GovCloud accounts
- Plaintext passwords for internal CISA systems, including the “Landing Zone DevSecOps” secure code development environment
- GitHub tokens and deploy secrets
- SSH keys
- Kubernetes configuration files
- Access tokens for CISA’s internal software build repository (Artifactory)
- Internal CISA and DHS documentation
Valadon tested some of the keys to verify they were valid. They were. [1][4]
With those credentials, an attacker could have accessed government cloud infrastructure, CISA’s development pipelines, internal agency systems, and potentially pivoted deeper into DHS networks. This wasn’t a theoretical risk. These were working keys to working doors.
The Nightwing Problem
Nightwing is a government contractor based in Dulles, Virginia. They provide IT and cybersecurity services to federal agencies, including the agency that’s supposed to set the standard for everyone else’s cybersecurity.
This is the contractor and third-party vendor access problem in a single incident. A single contractor employee, working from home, decided GitHub was a convenient file-transfer method. No one at Nightwing noticed. No one at CISA noticed. For six months.
The federal government runs on contractors. They get deep access to sensitive systems, sometimes administrative access, with oversight that ranges from minimal to nonexistent. The security clearance process checks whether you’re a foreign intelligence risk. It doesn’t check whether you know not to put AWS keys in a public GitHub repo.
This isn’t a new problem. It’s the same structural weakness that’s been behind some of the worst security incidents in government history. Edward Snowden was a contractor. Reality Winner was a contractor. The OPM breach that exposed 22 million personnel records in 2015 was enabled by contractor access. Now a Nightwing contractor has demonstrated that the cybersecurity agency itself can’t control what its contractors do with administrative credentials.
The Agency That Writes the Rules
CISA publishes the Binding Operational Directives that every federal agency must follow. They run the Known Exploited Vulnerabilities catalog. They issue guidance on credential management, secret scanning, and secure development practices. They literally tell everyone else how to do cybersecurity.
Their contractor put plaintext passwords in a CSV file on GitHub.
CISA’s official response: “Currently, there is no indication that any sensitive data was compromised as a result of this incident.” They added that they would implement “additional safeguards to prevent future occurrences.” [2][4]
That statement deserves scrutiny. “No indication” that data was compromised doesn’t mean no one accessed it. It means they haven’t found evidence yet. The repo was public for six months. GitHub repos get crawled by automated scanners constantly. Tools like TruffleHog and GitGuardian’s own platform exist specifically to find exposed credentials. The odds that no automated scanner found those keys in 180 days are not reassuring.
Congress Wants Answers
Three lawmakers sent letters to CISA’s acting director Nick Andersen on May 19, 2026, demanding staff-level briefings. [3]
Rep. Bennie Thompson (D-Miss.) and Rep. Delia Ramirez, the top Democrats on the House Homeland Security Committee and its cyber subcommittee, asked for information on “how this serious security lapse occurred, any potential security consequences, remediation activities, corrective actions related to the contractor personnel involved, and efforts to monitor for and prevent similar activity from occurring in the future.” [3]
Sen. Maggie Hassan (D-N.H.) went further, requesting a classified briefing addressing which systems were exposed, forensic evaluations of potential damage, and corrective actions taken. [3]
Hassan nailed the core problem: “This reported incident raises serious questions about how such a security lapse could occur at the very agency charged with helping to prevent cyber breaches.” [3]
Both letters pointed to personnel and budget cutbacks at CISA as a potential contributor. The agency has been under sustained funding pressure, and fewer people watching means more things slip through. A contractor using GitHub as a file transfer service for six months without anyone noticing is what understaffing looks like in practice.
What This Actually Means
Three things:
First, contractor security is broken. Not theoretically. Not in edge cases. A contractor for the nation’s top cybersecurity agency uploaded admin credentials to a public repo, disabled the safety features designed to prevent exactly that, and did it for six months without detection. If CISA can’t secure its own contractor pipeline, no federal agency can.
Second, “it wasn’t compromised” isn’t the right metric. The question isn’t whether an attacker used the credentials. The question is whether the systems those credentials accessed have been audited, the keys rotated, the access logs reviewed, and the blast radius mapped. CISA’s statement doesn’t address any of that.
Third, this is a credibility problem. CISA tells hospitals, water utilities, power companies, and every federal agency how to handle credentials. They mandate specific practices through Binding Operational Directives. When the agency that writes those mandates can’t follow them, every organization on the receiving end has a legitimate reason to ask: why should we?
What Organizations Should Do Right Now
- Audit your own repos. Run TruffleHog or GitGuardian against every public repository your organization maintains. Today. It takes minutes.
- Never disable secret scanning. GitHub’s push protection exists for a reason. Make it a policy violation to turn it off.
- Audit contractor access. Know exactly what credentials your contractors have, what systems they access, and what devices they use. Review it quarterly at minimum.
- Rotate credentials proactively. Don’t wait for a breach to rotate keys. Automated rotation should be standard for any cloud infrastructure credential.
- Monitor for credential exposure. Services like GitGuardian, GitHub Advanced Security, and AWS Macie can alert you when credentials appear where they shouldn’t. CISA’s contractor didn’t respond to automated alerts. Someone at your organization should.
Related: No Director. No Budget. Chinese Hackers Inside the Firewalls. | America’s Cyber Defense Agency Just Lost 62% of Its Staff
Sources
- Gizmodo: ‘The Worst Leak That I’ve Witnessed’: CISA Leaves Digital Keys on GitHub (May 2026)
- TechCrunch: CISA Exposed Passwords and Cloud Keys to the Open Web (May 2026)
- CyberScoop: CISA Credential Leak: Congress Demands Answers (May 2026)
- CSO Online: Contractor’s Public GitHub Account Exposed GovCloud and CISA Credentials (May 2026)