- A public GitHub repository called “Private‑CISA” exposed internal credentials and highly sensitive systems used by the US Cybersecurity and Infrastructure Security Agency.
- Security researchers have confirmed the authenticity of the leak, describing it as one of the worst government data leaks they have ever seen.
- The repository, run by contractor Nightwing, was ultimately locked down, with CISA pledging to take protective measures to prevent future incidents.
Researchers have revealed details of what they called “one of the most egregious government data leaks in recent history” involving potentially incredibly sensitive US government information.
Security researcher Guillaume Valadon contacted KrebsOnSecurity to help contact someone in charge of a public GitHub repository.
This person, who did not respond to messages, operated a GitHub repository called “Private-CISA” which contained, among other things:
- AWS GovCloud administrative credentials for three accounts
- AWS Access Keys
- AWS tokens (including the “importantAWStokens” file)
- Plain text usernames and passwords for CISA internal systems
- “AWS-Workspace-Firefox-Passwords.csv” containing login information
- Identifiers for the internal system “LZ-DSO” (Landing Zone DevSecOps)
- CISA/DHS System Internal Authentication Information
- Credentials for internal Artifactory (software repository)
- SSH keys exposed in a public repository
“The worst escape of my career”
Valadon said the records detailed how CISA built and deployed software internally and that, overall, it was “the worst leak I’ve witnessed in my career.”
In a letter shared with KrebsOnSecurityValadon said he initially thought the entire database was fake, given the sensitivity of the files found inside. “It’s obviously an individual error, but I think it could reveal internal practices,” he said.
Several security researchers confirmed the authenticity of the leak and said that at least some of the credentials found inside worked. They managed to lock down the repository after contacting the US Cybersecurity and Infrastructure Security Agency (CISA), which confirmed it was looking into the matter:
“Currently, there is no indication that any sensitive data has been compromised as a result of this incident,” the CISA spokesperson reportedly wrote. “While requiring our team members to adhere to the highest standards of integrity and operational awareness, we strive to ensure additional protective measures are implemented to prevent future events. »
Researchers later established that the repository was run by a government contractor called Nightwing, which declined to comment and directed all inquiries to CISA. It is unclear how long the repository remained open, but it was created in mid-November 2025 and it is likely that it has been unlocked since its creation.
Follow TechRadar on Google News And add us as your favorite source to get our news, reviews and expert opinions in your feeds.
