The US’s lead cybersecurity agency has suffered an embarrassing security lapse after sensitive credentials and internal files were allegedly exposed online.
Researchers discovered that, until last weekend, a contractor working for the Cybersecurity and Infrastructure Security Agency (CISA) had left digital keys to the agency’s cloud storage accounts publicly accessible on the coding platform GitHub.
In a repository called “Private-CISA” — reportedly maintained by an employee of Virginia-based contractor Nightwing — researchers found cloud keys, authentication tokens, plaintext passwords, logs and other CISA-related assets.
Much of the exposed material appeared linked to internal CISA systems, including several high-privilege Amazon Web Services (AWS) accounts.
Some of the passwords also appeared to follow weak and predictable formats, such as a platform name followed by the current year.
It is unclear how long the information was exposed; however, Philippe Caturegli, founder of security consultancy Seralys, said the repository appeared to have been created in November 2025.
“What I suspect happened is [the contractor] was using this GitHub to synchronise files between a work laptop and a home computer, because he has regularly committed to this repository since November,” Caturegli told Krebs On Security.
“This would be an embarrassing leak for any company, but it’s even more so in this case because it’s CISA.”
Nightwing and CISA were contacted for comment but did not respond prior to publication.
CISA incident marks “worst leak” researcher has seen
After detecting the exposed credentials during a routine scan, GitGuardian researcher Guillaume Valadon contacted investigative reporter Brian Krebs, who then passed the information to contacts at CISA.
Valadon said the repository contained highly sensitive files, including “importantAWStokens” and “AWS - Workspace - Firefox - Passwords.csv”.
Despite repeated warnings, the GitHub account holder allegedly failed to respond directly.
“The repository was a catalogue of unsafe practices: plaintext passwords, backups committed to Git, and explicit instructions to disable GitHub's secret scanning,” Valadon wrote in a blog post.
“The exposed material provided a detailed view into cloud infrastructure, deployment workflows, software supply-chain tooling, and internal operational practices.
“This is indeed the worst leak that I’ve witnessed in my career,” he said.
Caturegli later confirmed the exposed credentials could authenticate to three AWS GovCloud accounts.
He also identified plaintext credentials tied to a CISA “artifactory” repository used to store software packages for the agency’s systems.
“That would be a prime place to move laterally,” he said.
“Backdoor in some software packages, and every time they build something new, they deploy your backdoor left and right.”
A CISA spokesperson told Krebs On Security there was no indication of sensitive data being compromised as a result of the incident.
The repository has since been taken offline.
Australia should act now
Australian security researcher and ethical hacker Jamieson O’Reilly said the conditions that produced the CISA leak are not unique to the US.
He warned that in Australia, where the federal ‘govau’ GitHub account alone has hosted upwards of 260 public repositories, federal and state agencies are home to a “sprawling target list” for potential attackers.
O’Reilly shared examples with Information Age that included a hashed credential file, a hardcoded API key, and evidence suggesting attempts to clean up previously exposed keys across various Australian government accounts.
“People often ask me whether attackers are genuinely scanning for this kind of thing at scale, and the answer is that they absolutely are,” he said.
“I'm not saying any of these examples are a CISA-scale incident, just that the same environment – hundreds of repositories, thousands of contributors, and a platform whose Git history is famously unforgiving once a secret has been committed – exists here in spades,” O’Reilly said.
“That's the precondition every leak of this kind needs.”
O’Reilly said Australian agencies should pay close attention to the fallout from the CISA incident and the internal reviews now likely underway across US government departments.
“My hope is that the people responsible for the equivalent work here in Australia see this and ask the obvious question of whether they actually know what's sitting in their public repositories right now,” he said.
“The cost of finding out the wrong way is considerably higher than the cost of looking first.”