A Breach of Trust: CISA Contractor Exposes Critical Government Infrastructure on Public GitHub


In a security lapse that cybersecurity experts are characterizing as one of the most egregious data leaks in modern federal history, a public GitHub repository maintained by a contractor for the Cybersecurity and Infrastructure Security Agency (CISA) remained open to the world until this past weekend. The repository, aptly and alarmingly titled "Private-CISA," served as an unsecured vault containing highly privileged credentials for Amazon AWS GovCloud accounts, internal deployment logs, and plaintext passwords for critical federal systems.

The exposure highlights a catastrophic failure in operational security hygiene, raising profound questions about the oversight of government contractors and the internal security culture of an agency tasked with protecting the nation’s most sensitive digital infrastructure.

The Discovery: A Red Flag in the Code

The breach came to light on May 15, when Guillaume Valadon, a researcher at the security firm GitGuardian, stumbled upon the repository. GitGuardian specializes in the automated scanning of public code repositories to identify "secrets"—API keys, credentials, and tokens—that developers accidentally push to public platforms.

Valadon’s analysis of the repository was immediate and harrowing. "Passwords stored in plain text in a CSV, backups in Git, explicit commands to disable GitHub’s secrets detection feature," Valadon wrote in a correspondence. "I honestly believed that it was all fake before analyzing the content deeper. This is indeed the worst leak that I’ve ever witnessed in my career."

The repository was not merely a mistake of oversight; it was, according to the metadata, a deliberate bypass of security protocols. Commit logs show that the administrator actively disabled GitHub’s default protections that would have alerted the user to the presence of SSH keys and sensitive tokens.

Chronology of the Exposure

The timeline of the incident suggests a long-term, systemic failure rather than a momentary lapse in judgment:

  • September 2018: The contractor’s GitHub account was created.
  • November 13, 2025: The "Private-CISA" repository was established, beginning a period of routine synchronization between the contractor’s work environment and the public internet.
  • May 15, 2026: GitGuardian researcher Guillaume Valadon identifies the repository and begins the process of notifying the relevant parties after failing to receive a response from the repository owner.
  • Mid-May 2026: Philippe Caturegli, founder of the security consultancy Seralys, independently verifies the contents of the repository, confirming the validity of administrative AWS GovCloud keys and internal credentials.
  • Late May 2026: Following notifications from KrebsOnSecurity and Seralys to CISA, the repository is taken offline.
  • Post-Removal: Despite the deletion of the repository, investigators noted that the exposed AWS keys remained active for an additional 48 hours, leaving a window of vulnerability even after the initial leak was "plugged."

Anatomy of the Data: What Was Leaked?

The "Private-CISA" repository acted as a digital "scratchpad," likely used by the contractor to sync files across multiple devices, including home and office computers. This convenience, however, came at the cost of national security.

Exposed Assets

Among the most dangerous files uncovered were:

  • "importantAWStokens": A file containing administrative credentials for three separate Amazon AWS GovCloud servers, which are designed to house highly sensitive government data.
  • "AWS-Workspace-Firefox-Passwords.csv": A document containing plaintext usernames and passwords for dozens of internal CISA systems.
  • DevSecOps Access: Credentials for "LZ-DSO" (Landing Zone DevSecOps), the agency’s secure environment for software development.
  • Artifactory Credentials: Access to the agency’s "artifactory," a central repository for code packages.

Philippe Caturegli, who analyzed the repository’s contents, noted that the use of easily guessable passwords—often concatenating the name of a platform with the current year—compounded the risk. "Such practices would constitute a serious security threat for any organization," Caturegli remarked, noting that even if these credentials hadn’t been leaked publicly, their use internally would be considered a major vulnerability.
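The two checks the article describes, automated secret scanning of the kind GitGuardian runs over public repositories and the platform-plus-year password pattern Caturegli called out, as an added example in Python. This is not GitGuardian's, Seralys's or CISA's code. The file names mirror the ones the article names, but their contents, the CSV layout, the platform list and the file-name heuristic are constructed for illustration, and the AWS values are Amazon's published placeholder example credentials, not live keys.

```python
import csv
import io
import re

# Long-term (AKIA) and temporary (ASIA) AWS access key IDs, the 40-character
# secret that pairs with them, and PEM private-key headers.
AWS_KEY_ID_RE = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")
AWS_SECRET_RE = re.compile(r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?[A-Za-z0-9/+]{40}")
PRIVATE_KEY_RE = re.compile(r"-----BEGIN (?:RSA |OPENSSH |EC )?PRIVATE KEY-----")
# File names that should never reach a public remote (constructed heuristic).
SUSPICIOUS_NAME_RE = re.compile(r"(?i)(token|password|secret|credential|\.pem$)")

# Platform names the weak-password check knows about (constructed list; an
# organisation would seed this from its own inventory of systems).
PLATFORMS = ("artifactory", "github", "aws", "lz-dso")


def weak_platform_year(password: str, platforms=PLATFORMS) -> bool:
    """True when the password is just a platform name plus a year, with an
    optional separator and trailing punctuation, e.g. 'Artifactory2026'."""
    candidate = password.strip().lower()
    for name in platforms:
        pattern = rf"{re.escape(name.lower())}[-_.]?(?:19|20)\d{{2}}[!@#$%*]*"
        if re.fullmatch(pattern, candidate):
            return True
    return False


def scan_text(path: str, text: str) -> list:
    """Line-by-line pattern scan; returns (path, line_number, finding_kind) tuples."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if AWS_KEY_ID_RE.search(line):
            findings.append((path, lineno, "aws-access-key-id"))
        if AWS_SECRET_RE.search(line):
            findings.append((path, lineno, "aws-secret-access-key"))
        if PRIVATE_KEY_RE.search(line):
            findings.append((path, lineno, "private-key"))
    return findings


def scan_password_csv(path: str, text: str, platforms=PLATFORMS) -> list:
    """Flag a browser-style password export (any CSV with a 'password' column)
    and, inside it, every password that follows the platform-plus-year pattern."""
    reader = csv.DictReader(io.StringIO(text))
    fields = reader.fieldnames or []
    pw_col = next((f for f in fields if f.strip().lower() == "password"), None)
    if pw_col is None:
        return []
    findings = [(path, 1, "plaintext-password-export")]
    for rowno, row in enumerate(reader, start=2):  # header is line 1
        if weak_platform_year(row.get(pw_col) or "", platforms):
            findings.append((path, rowno, "weak-platform-year-password"))
    return findings


def scan_repo(files: dict, platforms=PLATFORMS) -> list:
    """Scan a snapshot of repository files ({path: contents}). A production
    scanner would also walk every commit in history, since deleting a file
    from the working tree does not remove it from git."""
    findings = []
    for path, text in files.items():
        if SUSPICIOUS_NAME_RE.search(path):
            findings.append((path, 0, "suspicious-filename"))
        findings.extend(scan_text(path, text))
        if path.lower().endswith(".csv"):
            findings.extend(scan_password_csv(path, text, platforms))
    return findings


# Constructed sample snapshot. File names follow those named in the article; the
# contents are invented, and the AWS values are Amazon's documented placeholder
# example credentials, not real keys.
SAMPLE_FILES = {
    "importantAWStokens": (
        "# govcloud admin keys (constructed sample)\n"
        "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
        "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    "AWS-Workspace-Firefox-Passwords.csv": (
        '"url","username","password"\n'
        '"https://artifactory.example.gov","svc-build","Artifactory2026"\n'
        '"https://lz-dso.example.gov","jdoe","Tr0ub4dor&3xyz!"\n'
    ),
    "README.md": "# scratchpad\nsync notes between laptop and desktop\n",
}

if __name__ == "__main__":
    for path, lineno, kind in scan_repo(SAMPLE_FILES):
        print(f"{path}:{lineno}: {kind}")
```

Run against the constructed snapshot, the scanner reports the token file twice (access key ID and secret) plus its suspicious name, and the CSV once for being a plaintext password export and once for the `Artifactory2026` row; the README produces nothing. The point of the file-name and export-format checks is that they fire before any specific key pattern is known, which is what a pre-push hook or repository scan needs in order to catch a "scratchpad" repository like the one described above.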

The Risk of Lateral Movement

The most alarming aspect of this leak is the potential for persistence. By gaining access to the agency’s "artifactory," a malicious actor could theoretically inject malicious code or "backdoors" into software packages that the agency builds and deploys.


"That would be a prime place to move laterally," Caturegli explained. "Backdoor in some software packages, and every time they build something new, they deploy your backdoor left and right." This type of supply-chain attack is precisely the kind of threat CISA is designed to defend against, making the irony of the breach particularly biting.

Official Responses and Accountability

CISA, in a statement provided to the media, confirmed they were aware of the incident and had launched an internal investigation.

"Currently, there is no indication that any sensitive data was compromised as a result of this incident," a CISA spokesperson stated. "While we hold our team members to the highest standards of integrity and operational awareness, we are working to ensure additional safeguards are implemented to prevent future occurrences."

The contractor involved is an employee of Nightwing, a Dulles, Virginia-based government contractor. When approached for comment, Nightwing declined to provide a statement, referring all inquiries back to CISA.

The silence from the contracting firm leaves many questions unanswered regarding the training and oversight provided to personnel handling sensitive government assets. Furthermore, the agency has yet to address why the AWS credentials remained active for 48 hours after the repository was reported and taken down, a delay that could have allowed an adversary to exfiltrate data or establish a foothold.

Broader Implications: A Strained Agency

The incident occurs against a backdrop of significant turmoil within CISA. The agency is currently grappling with a severe reduction in resources, having lost nearly one-third of its workforce since the onset of the second Trump administration. This "brain drain," caused by a combination of early retirements, buyouts, and resignations, has left the remaining staff under immense pressure to maintain operations with a fraction of the necessary budget.

Industry experts suggest that the incident is a microcosm of a larger problem: the reliance on third-party contractors who may not be held to the same rigorous security standards as federal employees, coupled with a lack of oversight capacity within the agency itself.

Conclusion: Lessons for the Future

The "Private-CISA" leak serves as a sobering reminder that in the realm of cybersecurity, the weakest link is almost always human error. The decision to disable automated security checks, combined with the lack of multi-factor authentication on sensitive credentials, allowed a single contractor to expose the inner workings of a critical federal agency to the entire world.

As CISA navigates its ongoing reorganization and workforce challenges, this breach will undoubtedly serve as a case study in the dangers of poor security hygiene. The agency now faces the monumental task of not only securing the compromised systems but also rebuilding trust in its ability to protect the digital infrastructure of the United States.

Moving forward, the incident raises a critical question for federal agencies: How can they ensure that their security culture—and the culture of their partners—is robust enough to withstand the convenience of modern cloud-based development, without sacrificing the security of the nation? The answer may require a fundamental shift in how government contractors are vetted, monitored, and held accountable for their digital footprints.