A Breach of Trust: CISA Contractor Exposes Critical Infrastructure Credentials on Public GitHub

a-breach-of-trust-cisa-contractor-exposes-critical-infrastructure-credentials-on-public-github

In an incident described by security experts as one of the most significant data leaks in recent U.S. government history, a contractor for the Cybersecurity and Infrastructure Security Agency (CISA) inadvertently exposed a treasure trove of highly privileged credentials to the public internet. The leak, which resided on a public GitHub repository titled "Private-CISA," included administrative keys for AWS GovCloud accounts, plaintext passwords for dozens of internal agency systems, and detailed documentation on how the nation’s lead cybersecurity agency develops and deploys its software.

The exposure, which remained active for months, highlights a catastrophic breakdown in security hygiene and raises urgent questions about the oversight of private-sector contractors handling sensitive federal infrastructure data.

The Discovery: A Red Flag in the Code

The alarm was first raised on May 15, when Guillaume Valadon, a researcher at the security firm GitGuardian, stumbled upon the repository. GitGuardian maintains automated systems that continuously scan public code repositories for exposed secrets—hardcoded API keys, passwords, and cryptographic tokens.

Valadon’s discovery was not merely a minor oversight; it was a comprehensive dump of internal agency operations. Upon analyzing the "Private-CISA" repository, Valadon was struck by the audacity of the security failures present. Not only were credentials stored in plaintext, but the repository’s commit logs revealed that the administrator had explicitly disabled GitHub’s "secret scanning" features—a built-in safeguard designed to block the accidental publishing of sensitive keys.

"Passwords stored in plain text in a CSV, backups in Git, explicit commands to disable GitHub secrets detection feature," Valadon wrote in an email following his discovery. "I honestly believed that it was all fake before analyzing the content deeper. This is indeed the worst leak that I’ve witnessed in my career. It is obviously an individual’s mistake, but I believe that it might reveal internal practices."

Chronology of the Exposure

The timeline of the leak suggests a long-standing vulnerability that went undetected by internal agency monitoring systems:

  • September 2018: The contractor’s personal GitHub account is created.
  • November 13, 2025: The "Private-CISA" repository is initialized. Evidence suggests the contractor utilized this public repository as a synchronization tool to move files between a secure work environment and a personal home computer.
  • November 2025 – May 2026: For six months, the repository acts as an open door, with the contractor committing files regularly.
  • May 15, 2026: GitGuardian researchers identify the breach. Following a failure to receive a response from the repository owner, they escalate the matter.
  • Late May 2026: Following notifications to CISA from KrebsOnSecurity and security consultant Philippe Caturegli, the repository is taken offline.
  • 48 Hours Post-Deletion: Even after the repository was removed from public view, independent researchers confirmed that several AWS GovCloud keys remained active and valid, presenting an ongoing window of vulnerability for malicious actors.

Technical Analysis: Anatomy of a Security Nightmare

The contents of the repository read like a blueprint for a nation-state actor looking to compromise federal systems. Philippe Caturegli, founder of the security consultancy Seralys, conducted an independent audit of the exposed files to assess the extent of the damage.

The "Landing Zone" Exposure

Among the most alarming findings was a file titled "AWS-Workspace-Firefox-Passwords.csv." This document contained plaintext usernames and passwords for a variety of internal systems, including "LZ-DSO"—a reference to the "Landing Zone DevSecOps" environment. This environment serves as the backbone for CISA’s secure code development. By accessing these credentials, an attacker could potentially gain unauthorized entry into the very software supply chain that CISA uses to defend the nation’s critical infrastructure.

Lateral Movement Potential

Caturegli’s analysis focused on the "artifactory"—a central repository of software packages used to build and deploy agency applications. He warned that if an attacker were to gain access to this, they could inject malicious code or backdoors into the software packages CISA distributes. "That would be a prime place to move laterally," Caturegli noted. "Backdoor in some software packages, and every time they build something new, they deploy your backdoor left and right."

CISA Admin Leaked AWS GovCloud Keys on Github

Poor Password Hygiene

Beyond the exposure itself, the quality of the credentials was startling. The repository revealed a pattern of "lazy" password management, where many credentials were constructed using the platform name followed by the current year (e.g., [SystemName]2025). This practice violates basic cybersecurity protocols mandated by federal agencies and renders the credentials trivial to guess or crack once initial access is gained.

Official Agency Response and Contractor Silence

The contractor responsible for the repository is an employee of Nightwing, a Dulles, Virginia-based government contractor. When approached for comment, Nightwing declined to provide a statement, referring all inquiries to CISA.

CISA’s public response has been characteristically cautious, emphasizing that there is currently no evidence of exploitation. "Currently, there is no indication that any sensitive data was compromised as a result of this incident," a CISA spokesperson stated. "While we hold our team members to the highest standards of integrity and operational awareness, we are working to ensure additional safeguards are implemented to prevent future occurrences."

However, the agency’s silence regarding the duration of the exposure and the delay in rotating the AWS keys after the repository was taken down has drawn criticism from the cybersecurity community. The fact that the keys remained valid for 48 hours after the breach was acknowledged suggests a potential lapse in the agency’s incident response and credential revocation procedures.

Implications: The High Cost of Resource Depletion

This incident occurs against a backdrop of severe organizational instability at CISA. Following the inauguration of the second Trump administration, the agency has undergone a dramatic reduction in force. Reports indicate that CISA has lost nearly one-third of its workforce due to budget cuts, buyouts, and a wave of resignations.

Experts argue that this "brain drain" and the resulting operational stress have left the agency vulnerable to the very types of errors that led to this breach. When senior staff leave and the remaining personnel are spread thin, security oversight—such as checking for "shadow IT" or monitoring contractor compliance—inevitably suffers.

Conclusion: A Wake-Up Call

The "Private-CISA" incident is a sobering reminder that even the most well-defended agencies are only as strong as their weakest link. In this case, the link was a contractor utilizing public infrastructure to manage sensitive government work, effectively circumventing the secure, air-gapped systems intended to protect federal data.

For CISA, the path forward requires a rigorous audit of all contractor environments and a renewed focus on "security-first" culture. For the broader federal government, this breach serves as a stark warning: as the reliance on private contractors increases, so does the risk of high-level exposure. The incident underscores that while firewalls and encryption are essential, the most dangerous vulnerability remains the human element—the individual who, for the sake of convenience, turns a public code repository into a vault for the nation’s most sensitive secrets.