Security reporter Brian Krebs brings news that America's Cybersecurity and Infrastructure Security Agency (CISA) has had a large store of plaintext passwords, SSH private keys, tokens, and "other sensitive CISA assets" exposed in a public GitHub repository since at least November 2025.
The now-offline public repo, named, somewhat aspirationally, "Private-CISA", was brought to Krebs' attention by GitGuardian's Guillaume Valadon, who learned of it through GitGuardian's public code scans. Krebs says that Valadon approached him after getting no response from the Private-CISA repo's owner.
In an email to Krebs, Valadon said that the repo's commit logs show that GitHub's default protections against committing secrets (push protection, which exists to stop unwitting or unskilled developers from making exactly this kind of mistake) had been disabled by the repo's administrator.
Testing by Seralys founder Philippe Caturegli confirmed that this was neither a joke nor a hoax: he was able to use credentials from the Private-CISA repo to gain access to multiple Amazon Web Services GovCloud accounts "at a high privilege level."
Krebs notes that the repo appeared to be managed by Virginia-based Nightwing, a CISA contractor. Nightwing has so far not commented publicly, instead referring questions back to CISA.
This isn't the first time CISA has screwed up; in fact, it's not even the first time this year. In January, polygraph-failing acting CISA Director Madhu Gottumukkala uploaded sensitive government documents to ChatGPT after demanding and receiving an exemption from the agency policy that prohibited ChatGPT's use by CISA personnel. Gottumukkala was removed from his role in February.
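To make concrete what the disabled protection would have caught, here is an added example (not code from Krebs, GitGuardian, or the Private-CISA repo) of a minimal pre-commit secret gate in Python. It scans text for a few high-confidence credential shapes (AWS access key IDs, private-key PEM headers, GitHub personal access tokens), reports findings with the secret redacted so the hook output does not leak it again, and can be pointed at the staged diff. The patterns are illustrative, not a complete ruleset, and the sample config it scans by default is constructed for this example.

```python
"""Minimal secret-scanning gate of the kind push protection provides.

Added example; patterns and sample input are illustrative, not taken
from the repository discussed above.
"""
import re
import subprocess
import sys
from dataclasses import dataclass

# Illustrative, high-confidence patterns only. Real scanners carry far
# more rules and validate candidates to cut false positives.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(
        r"-----BEGIN (?:OPENSSH|RSA|EC|DSA|PGP) PRIVATE KEY(?: BLOCK)?-----"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}


@dataclass(frozen=True)
class Finding:
    kind: str
    line_no: int
    snippet: str  # redacted, so reporting a hit does not re-leak it


def redact(secret: str) -> str:
    """Keep just enough of the match to locate it by eye."""
    return secret[:4] + "..." + secret[-2:] if len(secret) > 8 else "..."


def scan_text(text: str) -> list[Finding]:
    """Return every pattern hit in `text`, with 1-based line numbers."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(line):
                findings.append(Finding(kind, line_no, redact(m.group(0))))
    return findings


def staged_added_lines() -> str:
    """Added lines of the staged diff, i.e. what a pre-commit hook sees.

    Line numbers reported by scan_text() are then positions within this
    added-lines view, not positions in the original files.
    """
    out = subprocess.run(
        ["git", "diff", "--cached", "--unified=0"],
        capture_output=True, text=True, check=True,
    ).stdout
    return "\n".join(
        line[1:] for line in out.splitlines()
        if line.startswith("+") and not line.startswith("+++")
    )


# Constructed sample config; the AWS key is the documented AWS example ID
# and the token is a made-up string of the right shape.
SAMPLE_CONFIG = "\n".join([
    "region = us-gov-west-1",
    "aws_access_key_id = AKIAIOSFODNN7EXAMPLE",
    "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "-----BEGIN OPENSSH PRIVATE KEY-----",
    "b3BlbnNzaC1rZXktdjEAAAAA...",
    "-----END OPENSSH PRIVATE KEY-----",
    "GITHUB_TOKEN=ghp_0123456789abcdef0123456789abcdef0123",
])


if __name__ == "__main__":
    # `python gate.py --staged` as a pre-commit hook; no flag scans the sample.
    text = staged_added_lines() if "--staged" in sys.argv else SAMPLE_CONFIG
    hits = scan_text(text)
    for f in hits:
        print(f"{f.kind} at line {f.line_no}: {f.snippet}")
    sys.exit(1 if hits else 0)  # non-zero blocks the commit
```

Note what this deliberately does not catch: the AWS secret access key on the third sample line has no distinctive prefix, so a prefix-free pattern for it would produce constant false positives. That is why hosted scanners pair loose patterns with validation, and why a client-side gate is a backstop for, not a replacement of, the server-side protection that was switched off here.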

