- A public GitHub repository called “Private-CISA” exposed highly sensitive internal credentials and systems used by the US Cybersecurity and Infrastructure Security Agency.
- Security researchers confirmed the authenticity of the leak and described it as one of the worst exposures of government data they have ever seen.
- The repository, maintained by contractor Nightwing, was eventually shut down and CISA promised safeguards to prevent future incidents.
Investigators have revealed details about what they called “one of the most egregious government data breaches in recent history” involving potentially incredibly sensitive US government information.
Security researcher Guillaume Valadon contacted KrebsOnSecurity to help contact a person in charge of a public GitHub repository.
This person, who did not respond to messages, was operating a GitHub repository called “Private-CISA” that contained, among other things:
- AWS GovCloud administrative credentials for three accounts
- AWS access keys
- AWS tokens (including the “importantAWStokens” file)
- Plain text usernames and passwords for internal CISA systems
- “AWS-Workspace-Firefox-Passwords.csv” containing login credentials
- Credentials for internal system “LZ-DSO” (Landing Zone DevSecOps)
- CISA/DHS Internal System Authentication Credentials
- Credentials for internal Artifactory (software repository)
- SSH keys exposed in a public repository
“The worst escape of my career”
Valadon said the file details how CISA builds and deploys software internally and that overall it is “the worst breach I have ever witnessed in my career.”
In a letter shared with KrebsOnSecurityValadon said he initially thought the entire database was fake, given the sensitivity of the files found inside. “It’s obviously an individual error, but I think it could reveal internal practices,” he said.
Several security researchers confirmed the authenticity of the leak and said that at least some of the credentials found inside worked. They managed to block the repository after contacting the US Cybersecurity and Infrastructure Security Agency (CISA), who confirmed that they were investigating the matter:
“There is currently no indication that any sensitive data has been compromised as a result of this incident,” the CISA spokesperson reportedly wrote. “While we hold our team members to the highest standards of integrity and operational awareness, we are working to ensure additional safeguards are in place to prevent future incidents.”
Researchers later established that the repository was maintained by a government contractor called Nightwing, who declined to comment and directed all inquiries to CISA. It is unknown how long the repository remained open, but it was created in mid-November 2025 and has likely been unlocked since its inception.
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to receive news, reviews and opinions from our experts in your feeds.
