The federal agency that tells Americans how to secure their systems is now investigating how sensitive credentials tied to its own work ended up in public view.
A report from Krebs on Security says a contractor linked to the US Cybersecurity and Infrastructure Security Agency (CISA) left highly privileged, sensitive credentials in a public GitHub repository. While there is no indication that sensitive data was compromised, the exposure revealed sufficient data that, if in the wrong hands, could lead to one of the easiest breaches ever recorded.
The incident is notable because it involves the kind of credential exposure CISA routinely warns organizations to prevent. That makes the investigation a test of how quickly the agency and its partners can contain the risk, validate what was accessed, and tighten safeguards.
Inside a security researcher’s discovery
According to Krebs on Security, a security researcher, Guillaume Valadon, reached out after discovering the public repository and being unable to get the owner to respond.
Valadon’s company, GitGuardian, scans GitHub for accidentally exposed secrets. During one of those scans, Valadon stumbled upon what he calls “the worst leak that I’ve witnessed in my career.” Speaking to Krebs on Security, the researcher said he initially couldn’t believe what he had discovered until he took a deeper look at the repository.
The repository contained several files and credentials belonging to the Department of Homeland Security (DHS) and CISA. It contained plaintext passwords for internal infrastructure stored in .csv format, cloud keys, authentication tokens, logs, and other highly sensitive data that simply should not be out in the open.
The repository also contained Git backup files and files detailing how the agency builds, tests, and deploys its internal software.
While all the exposed data is extremely sensitive, a file titled “importantAWStokens” revealed credentials to three of the agency’s GovCloud servers. GovCloud isn’t just any AWS server; it is a specialized AWS environment designed for US government organizations.
CISA’s security practice comes into question
One may argue that the issue was simply a reckless external contractor working with Nightwing. But it seemed to be more than a one-time lapse in judgment.
The repository was created on Nov. 13, 2025. Since then, several commits have been made to different files within it. In one of those commits, Valadon noticed that GitHub’s built-in protection, the feature that warns users when it detects a credential about to be pushed, had been manually turned off.
That makes this look less like a random mistake and more like a careless security practice that allowed sensitive data to be stored in publicly available repositories. It was also observed from the plaintext passwords that many of CISA’s systems used easy-to-guess passwords. Many of the passwords, for instance, combined the platform’s name with the current year.
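As an added illustration (not code from the article or from any party it names), the following scanner shows the two checks a defender would run over a repository snapshot before it goes public: flagging strings shaped like AWS access key IDs, and flagging plaintext password entries in a CSV that are just the platform name plus a year. The file names, CSV layout and the AKIA value are constructed examples.

```python
import re
import csv
import io

# Well-known shape of AWS access key IDs: AKIA (long-lived) or ASIA (temporary) + 16 chars.
AWS_ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")


def find_aws_key_ids(text: str) -> list[str]:
    """Return every string shaped like an AWS access key ID found in text."""
    return AWS_ACCESS_KEY_RE.findall(text)


def is_name_plus_year(password: str, platform: str) -> bool:
    """True when the password is only the platform name plus a year (any case, optional separator)."""
    name = re.escape(platform.lower())
    return re.fullmatch(name + r"[-_.]?(?:19|20)\d{2}", password.lower()) is not None


def audit_password_csv(csv_text: str) -> list[tuple[str, str]]:
    """Scan a 'platform,username,password' CSV (assumed layout) for name+year passwords."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if is_name_plus_year(row["password"], row["platform"]):
            findings.append((row["platform"], row["username"]))
    return findings


def scan_snapshot(files: dict[str, str]) -> dict[str, list[str]]:
    """Scan a {path: content} snapshot and report the paths that contain findings."""
    report = {}
    for path, content in files.items():
        hits = [f"aws-access-key-id:{k}" for k in find_aws_key_ids(content)]
        if path.endswith(".csv"):
            hits += [f"weak-password:{p}/{u}" for p, u in audit_password_csv(content)]
        if hits:
            report[path] = hits
    return report


# Constructed sample snapshot (not data from the leak); the AKIA value is made up.
SAMPLE_FILES = {
    "importantAWStokens": "aws_access_key_id=AKIAEXAMPLE0000ABCDE\naws_secret_access_key=REDACTED\n",
    "infra/passwords.csv": "platform,username,password\nJira,svc-build,Jira2025\nGitLab,deploy,xK9#q!2vLw\n",
}

if __name__ == "__main__":
    for path, hits in scan_snapshot(SAMPLE_FILES).items():
        print(path, hits)
```

A check like this belongs in a pre-commit hook or CI step; it complements, rather than replaces, the platform's own push protection that the article describes as having been switched off.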
A third issue observed in the repository was that its admin appeared to be using GitHub to sync his work and personal laptops, according to Philippe Caturegli, founder of the security consultancy firm Seralys.
Caturegli, who also analyzed the exposed AWS keys to determine whether they were still valid, says the repository has “both a CISA-associated email address and a personal email address.”
In light of this, US Senator Maggie Hassan, representing New Hampshire, has requested an urgent classified briefing on the issue from Nick Andersen, CISA’s assistant director.
CISA’s response
After notifications from both Krebs on Security and Seralys, CISA promptly took the repository offline, preventing further access.
It has also announced it is investigating the matter, reassuring Americans that it is “working to ensure additional safeguards are implemented to prevent future occurrences.”
So far, it says that “there is no indication that any sensitive data was compromised as a result of this incident.”