The US Cybersecurity and Infrastructure Security Agency; the very body responsible for protecting government systems from cyberattacks has been caught leaving its own sensitive credentials sitting in a public GitHub repository for months. A contractor working for CISA published 844MB of highly sensitive data to a public repository named “Private-CISA” and left it accessible from November 2025 until May 2026. Security researchers who found it called it one of the worst government data leaks they had ever seen.
What is CISA
CISA is the US government agency responsible for defending federal networks, critical infrastructure, and civilian government systems from cyberattacks. It advises government departments on security practices, issues alerts about active threats, and coordinates the national response to major cyber incidents. The fact that this leak came from inside CISA makes it particularly serious.
How the Leak was Discovered
On May 14, 2026, cybersecurity firm GitGuardian detected a public GitHub repository named Private-CISA while running its automated scans of public code repositories. GitGuardian’s system automatically alerts repository owners when sensitive data is found. By May 13, the firm’s Good Samaritan program had already sent nine emails to the commit author. No response came. On May 14 at 4:14 PM CET, GitGuardian filed a formal report through the CERT/CC portal. By the morning of May 15 there was still no response. GitGuardian researcher Guillaume Valadon then contacted journalist Brian Krebs, who had direct contacts at CISA. CISA was reached on May 15 at around 4 PM CET. The repository was taken offline around 6 PM EST the same day less than 26 hours after GitGuardian made formal contact.
Also read; http://LG Will Release The First LG 1000Hz gaming monitor and a 1080p gaming monitor this year
Is Reddit Down Today- May 18, 2026, Outage Explained, What Happened and When It Was Fixed
What was inside the Repository
The repository contained 844MB of data spread across the working tree and Git history. What was inside was alarming. One file was titled importantAWStokens and contained administrative credentials for three Amazon AWS GovCloud servers. Another file — AWS-Workspace-Firefox-Passwords.csv — listed plaintext usernames and passwords for dozens of internal CISA systems. One of those systems was called LZ-DSO, which appears to stand for Landing Zone DevSecOps, CISA’s secure code development environment.
Beyond those files, the repository also contained CI/CD build logs, Kubernetes manifests, deployment workflow documentation, GitHub Actions workflows, Terraform infrastructure code, internal documentation backups, scripts for GitHub and infrastructure operations, and references to AWS accounts, IAM identities, and secret management paths. Security researchers said the repository gave a detailed view of CISA’s cloud infrastructure, deployment workflows, and internal operations.
Passwords were still working
Philippe Caturegli, founder of security firm Seralys, tested the AWS keys found in the repository. They still worked. They gave high-level access to three AWS GovCloud accounts. Caturegli warned that access to CISA’s internal software package manager was also exposed a prime target for anyone wanting to inject malicious code into government software builds. Every time CISA deployed new software, a backdoor planted in the package manager would go with it.
How it Happened
The leak was caused by a contractor working for Nightwing, a Dulles, Virginia-based government contractor. The person appears to have been using their public GitHub account to sync files between a work laptop and a home computer — similar to emailing documents to yourself but far less secure. The account had been active since 2018. Commits to the Private-CISA repository had been happening since November 13, 2025.
Making things worse, the contractor had deliberately disabled GitHub’s built-in secret scanning feature. This is a default setting that blocks users from accidentally publishing SSH keys or other credentials to public repositories. The contractor turned it off. Guillaume Valadon described it as a textbook case of poor security hygiene. He said the passwords were stored in plain text in a CSV file, backups were committed to Git, and there were explicit commands to disable GitHub’s own protections. He added that it was the worst leak he had witnessed in his career.
OpenAI Codex Says Codex Is Coming To Your Phone
Inside the World of Teen Cybercrime- How Teens Get Involved, Real Cases and How to Stay Safe
The passwords used for critical systems were also weak. Reports indicate the contractor used patterns like the platform name followed by the current year among the most easily guessed passwords possible for any system.
CISA’s Response
CISA acknowledged the incident and gave a short statement. The agency said there is currently no indication that any sensitive data was compromised as a result of this incident and that it is working to ensure additional safeguards are implemented to prevent future occurrences. Nightwing declined to comment and directed all questions to CISA.
Context- CISA Under Pressure
This leak comes at a difficult time for CISA. The agency has lost nearly one-third of its workforce since the start of the second Trump administration. Staff numbers dropped from around 3,400 to approximately 2,400 by late 2025 through forced retirements, voluntary buyouts, and resignations. The agency’s budget faces a proposed cut of over $420 million. This is not CISA’s first embarrassment of 2026 either. Earlier this year, acting director Madhu Gottumukkala uploaded sensitive documents to the public version of ChatGPT, raising separate concerns about data handling inside the agency.
When did the CISA GitHub Leak data leak happen?
The repository was publicly accessible from November 13, 2025 until May 15, 2026 when CISA took it offline after being alerted by GitGuardian and Brian Krebs.
What data was exposed in the Cisa GitHub leak?
AWS GovCloud admin credentials, plaintext passwords for dozens of internal systems, CI/CD build logs, Kubernetes manifests, deployment workflows, Terraform code, and internal documentation.
Who found the CISA GitHub leak?
GitGuardian, a cybersecurity firm that scans public code repositories for exposed secrets. Researcher Guillaume Valadon flagged the issue and contacted Brian Krebs after the repository owner did not respond.
Conclusion
A CISA contractor left 844MB of highly sensitive government data including live AWS GovCloud keys and plaintext passwords publicly accessible on GitHub for six months. The contractor disabled GitHub’s own security protections and used weak, guessable passwords. Security researchers described it as one of the worst government data leaks in recent history. CISA says no data was compromised but the exposure of live credentials that still worked when tested raises serious questions about the agency’s oversight of its own contractors and internal security practices.