CISA credentials exposed in public GitHub repository

Summary
– CISA had a large store of plaintext passwords, SSH private keys, and other sensitive assets exposed in a public GitHub repo named “Private-CISA” since at least November 2025.
– The repo was discovered by GitGuardian’s Guillaume Valadon, who alerted researcher Brian Krebs after getting no response from the repo’s owner.
– Commit logs indicate the repo’s administrator disabled GitHub’s default protections against committing secrets.
– Testing by Philippe Caturegli confirmed the credentials in the repo could be used to access multiple AWS GovCloud accounts at a high privilege level.
– The repo was managed by CISA contractor Nightwing, and this is not CISA’s first security incident; in January, acting Director Madhu Gottumukkala uploaded sensitive documents to ChatGPT after getting an exemption to the agency’s ban on the tool.

Security researcher Brian Krebs has reported that the Cybersecurity & Infrastructure Security Agency (CISA) inadvertently exposed a significant trove of sensitive data, including plaintext passwords, SSH private keys, tokens, and other sensitive CISA assets in a public GitHub repository. The data had been accessible since at least November 2025.
The now-removed repository, ironically named “Private-CISA,” was flagged to Krebs by GitGuardian’s Guillaume Valadon, who discovered it during routine scans of public code. Valadon told Krebs he reached out to the repo’s owner but received no response before going public.
In correspondence with Krebs, Valadon noted that the commit logs indicated the repository’s administrator had deliberately disabled GitHub’s default safeguards against committing secrets. Those protections are designed to prevent precisely this kind of oversight by less experienced or unwary developers.
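As an added example (not code from the article, CISA, GitHub or Nightwing), the following minimal pre-commit hook shows the kind of local backstop that catches the material named above (SSH private keys, AWS access key IDs, plaintext password assignments) before it reaches a remote; the regex rules and the file names in the comments are assumptions, and only standard git subcommands are used.

```python
"""Minimal pre-commit secret scanner (added example, not CISA/GitHub/Nightwing code).

Scans the staged blobs of a commit for SSH/PEM private keys, AWS access key IDs
and plaintext password assignments, and fails the commit on any hit. It is a
local backstop for GitHub's push protection, not a replacement for a real scanner.
"""
import re
import subprocess
import sys

# Each rule: (label, compiled regex). Patterns are deliberately simple (assumed).
RULES = [
    ("ssh/pem private key", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    ("aws access key id", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
    ("plaintext password", re.compile(r"(?i)pass(?:word|wd)?\s*[:=]\s*['\"][^'\"]{8,}['\"]")),
]


def scan_text(text, path="<stdin>"):
    """Return a list of (path, line_no, label) for every rule that matches a line."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for label, pattern in RULES:
            if pattern.search(line):
                findings.append((path, line_no, label))
    return findings


def staged_files():
    """Paths of files added or modified in the index (what the commit would contain)."""
    out = subprocess.run(
        ["git", "diff", "--cached", "--name-only", "--diff-filter=AM"],
        capture_output=True, text=True, check=True,
    ).stdout
    return [p for p in out.splitlines() if p]


def main():
    findings = []
    for path in staged_files():
        # Read the staged blob, not the working tree, so unstaged edits cannot hide a hit.
        blob = subprocess.run(["git", "show", f":{path}"], capture_output=True,
                              text=True, check=True).stdout
        findings.extend(scan_text(blob, path))
    for path, line_no, label in findings:
        print(f"{path}:{line_no}: possible {label}", file=sys.stderr)
    return 1 if findings else 0  # non-zero exit aborts the commit


if __name__ == "__main__":
    sys.exit(main())
```

Install it as `.git/hooks/pre-commit` (executable) in the repo to be protected; the same `scan_text` function can be run over an existing history with `git log -p` output to find secrets that were already committed.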
Philippe Caturegli, founder of Seralys, tested the credentials and confirmed they were not a prank. He told Krebs he used them to access multiple Amazon Web Services GovCloud accounts at a high privilege level.
Krebs reports that the repository appeared to be managed by Nightwing, a Virginia-based CISA contractor. Nightwing has not commented publicly and referred all questions back to CISA.
This is not CISA’s first security misstep this year. In January, acting CISA Director Madhu Gottumukkala uploaded sensitive government documents to ChatGPT after requesting and receiving an exemption from the agency’s ban on using the tool. Gottumukkala, who had failed a polygraph test, was removed from his role in February.
(Source: Ars Technica)