- A public GitHub repository called “Private‑CISA” exposed highly sensitive internal credentials and systems used by the US Cybersecurity and Infrastructure Security Agency
- Security researchers confirmed the authenticity of the leak, describing it as one of the worst government data exposures they had ever seen
- The repository, maintained by contractor Nightwing, was eventually locked down, with CISA pledging safeguards to prevent future incidents
Researchers have revealed details on what they called, “one of the most egregious government data leaks in recent history” involving some potentially incredibly sensitive US government information.
Security researcher Guillaume Valadon reached out to KrebsOnSecurity to help contact a person in charge of a public GitHub repository.
This person, who was not responding to messages, was operating a GitHub repository called “Private-CISA” which contained, among other things:
- AWS GovCloud administrative credentials for three accounts
- AWS access keys
- AWS tokens (including “importantAWStokens” file)
- Plaintext usernames and passwords for internal CISA systems
- “AWS-Workspace-Firefox-Passwords.csv” containing login credentials
- Credentials for internal system “LZ-DSO” (Landing Zone DevSecOps)
- Internal CISA/DHS system authentication credentials
- Credentials for internal Artifactory (software repository)
- SSH keys exposed in a public repository
"The worst leak in my career"
Valadon said the archive detailed how CISA builds and deploys software internally and that, in general, it is “the worst leak that I’ve witnessed in my career.”
In a letter shared with KrebsOnSecurity, Valadon said he first thought the entire database was fake, given the sensitivity of the files found inside. “It is obviously an individual’s mistake, but I believe that it might reveal internal practices,” he said.
Multiple security researchers confirmed the authenticity of the leak and said that at least some of the credentials found inside worked. They managed to get the repository locked down after getting in touch with the US Cybersecurity and Infrastructure Security Agency (CISA), who confirmed it was looking into the matter:
“Currently, there is no indication that any sensitive data was compromised as a result of this incident,” the CISA spokesperson allegedly wrote. “While we hold our team members to the highest standards of integrity and operational awareness, we are working to ensure additional safeguards are implemented to prevent future occurrences.”
The researchers later established that the repository was maintained by a government contractor called Nightwing, which declined to comment and directed all inquiries to CISA. It is unknown for how long the repository remained open, but it was created in mid-November 2025, and chances are it was unlocked since inception.
