The agency responsible for protecting U.S. government systems from cyberattacks has been found to have left its own keys publicly accessible, raising questions about its own security practices.
According to a report from KrebsOnSecurity, a cybersecurity blog, a contractor for CISA (Cybersecurity and Infrastructure Security Agency) posted sensitive credentials to a public GitHub repository and left them exposed for months. Guillaume Valadon, a researcher at the security firm GitGuardian, later spotted the leak.
His company scans public code repositories for exposed secrets. According to Valadon, he had reached out to the owner of the repository, but received no response to his alerts, which eventually led him to contact KrebsOnSecurity.
What Was Exposed In The Leak?
The repository, named "Private-CISA," contained shocking information regarding CISA, such as AWS GovCloud admin credentials, plaintext passwords, logs, and internal system details. One file was titled "importantAWStokens." Another was a CSV file listing usernames and passwords for dozens of internal CISA systems. None of this was tucked away in an obscure or access-controlled location; it was simply there for anyone to find.
Speaking about the leak, Valadon said, "Passwords stored in plain text in a CSV, backups in git, explicit commands to disable GitHub secrets detection feature. I honestly believed that it was all fake before analyzing the content deeper. This is indeed the worst leak that I've witnessed in my career."
The contractor was apparently using GitHub to sync files between a work laptop and a home computer, with regular commits since November 2025. They also disabled GitHub's default setting that blocks users from publishing secrets in public code repos.
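The checks that GitHub's push protection would have applied to those commits can be approximated with a local scan before anything is pushed. The following is an added example and not code from the article, GitHub, or GitGuardian: it flags AWS access key IDs and secret keys and CSV files that carry a populated password column. The sample files are constructed (the "importantAWStokens" name is borrowed from the article), and the key values are the placeholder examples AWS uses in its own documentation.

```python
import csv
import io
import re

# AWS access key IDs are 20 characters: "AKIA" (long-term) or "ASIA"
# (temporary STS) followed by 16 upper-case alphanumerics.
AWS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# A 40-character secret assigned to a key named aws_secret_access_key.
AWS_SECRET = re.compile(
    r"aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})", re.I
)

def scan_text(path, text):
    """Return (path, line, kind, redacted_value) for AWS key material."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in AWS_KEY_ID.finditer(line):
            # Report only a prefix so the report itself does not leak the key.
            findings.append((path, lineno, "aws_access_key_id", m.group(0)[:8] + "..."))
        if AWS_SECRET.search(line):
            findings.append((path, lineno, "aws_secret_access_key", "<redacted>"))
    return findings

def scan_csv(path, text):
    """Flag CSV rows that store a non-empty value in a password column."""
    reader = csv.DictReader(io.StringIO(text))
    pw_cols = [c for c in (reader.fieldnames or [])
               if "password" in c.lower() or "passwd" in c.lower()]
    findings = []
    for rownum, row in enumerate(reader, 2):  # row 1 is the header
        for col in pw_cols:
            if row.get(col):
                findings.append((path, rownum, "plaintext_password_column", col))
    return findings

def scan_files(files):
    """Scan a {path: content} mapping, e.g. the files staged for a commit."""
    findings = []
    for path, text in files.items():
        if path.lower().endswith(".csv"):
            findings.extend(scan_csv(path, text))
        findings.extend(scan_text(path, text))
    return findings

# Constructed sample files; key values are AWS documentation placeholders.
SAMPLE_FILES = {
    "importantAWStokens.txt": ("aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
                               "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"),
    "systems.csv": "system,username,password\nvpn,alice,Example2026!\nwiki,bob,\n",
    "README.md": "# notes\nnothing sensitive here\n",
}

if __name__ == "__main__":
    for finding in scan_files(SAMPLE_FILES):
        print("%s:%d %s %s" % finding)
```

Wired into a pre-commit hook, a non-empty result is grounds to reject the commit; it complements rather than replaces the platform-side protection the article says was switched off.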
Philippe Caturegli, founder of security firm Seralys, tested the AWS keys, and they still worked. He also found they had high-level access to three AWS GovCloud accounts.
"That would be a prime place to move laterally. Backdoor in some software packages, and every time they build something new, they deploy your backdoor left and right," he said.
The Official Response of CISA
In response to the incident, a CISA spokesperson said, "Currently, there is no indication that any sensitive data was compromised as a result of this incident. While we hold our team members to the highest standards of integrity and operational awareness, we are working to ensure additional safeguards are implemented."
The repository was created on November 13, 2025. That's about six months of exposure. After KrebsOnSecurity and Seralys notified CISA, the repo was taken down. However, the exposed AWS keys stayed valid for another 48 hours.
The employee behind the leak worked for Nightwing, a government contractor based in Dulles, Virginia. Nightwing has yet to issue a public statement on the incident.
This leak comes at a bad time for CISA. The agency has lost nearly a third of its workforce since the beginning of the second Trump administration, due to early retirements, buyouts, and resignations.
The agency that tells everyone else how to be secure couldn't secure itself. A contractor used easily guessable passwords, such as the platform name followed by the current year, and nobody noticed for six months.
"This would be an embarrassing leak for any company," said Philippe Caturegli of Seralys. "But it's even more so in this case because it's CISA."
Although CISA has not suffered a leak of this exact kind before, it has had comparable incidents, such as earlier this year when acting director Madhu Gottumukkala uploaded sensitive documents to the public version of ChatGPT, exposing the agency to the risk of that information leaking.