The Circuitry
THE CIRCUITRYYour one-stop source for all tech news
HOMETODAYNEWSFEEDEVENTS
BOOKMARKS
RSS
© 2026 The Circuitry
About UsSourcesContactCorrectionsPrivacy
  • Today
  • Feed
  • Events
  • Saved
Scroll for more
Verification
VERIFIEDConfidence: HIGH
Source identified
Claims cross-referenced
No discrepancies found
Sourcing
1source

via Ars Technica

Ars Technica · track record
25Stories
100%Verified
830d
All sources →
Home/Tech/CISA Credentials Exposed in Public GitHub Repo Since 2025
VERIFIEDBy Xavier Rivera· ·1.5 min read

CISA Credentials Exposed in Public GitHub Repo Since 2025

CISA had plaintext passwords, SSH private keys, tokens and other sensitive assets exposed in a public GitHub repo named Private-CISA since at least November 2025. The repo's administrator disabled GitHub's default secret protections, a contractor managed it, and testing confirmed high-privilege AWS GovCloud access was possible.

Source:Ars Technica
Post
CISA Credentials Exposed in Public GitHub Repo Since 2025
TL;DRAI · 60 sec read

A public GitHub repo exposed CISA plaintext passwords, SSH keys, and tokens since November 2025. Researcher Brian Krebs learned of the Private-CISA repository through GitGuardian scans after its owner ignored alerts. The credentials allowed high-privilege access to multiple AWS GovCloud accounts. A contractor had disabled GitHub's secret protections. This marks another major security failure for the agency this year.

Security researcher Brian Krebs reported that America’s Cybersecurity and Infrastructure Security Agency (CISA) left a large collection of plaintext passwords, SSH private keys, tokens, and additional sensitive agency materials exposed inside a public GitHub repository since at least November 2025.



The repository, now taken offline and previously called Private-CISA, came to Krebs’s notice through GitGuardian’s Guillaume Valadon. Valadon learned of the repository via GitGuardian’s public code scans and contacted Krebs only after the repository owner failed to reply.


POST FROM @arstechnica· official tweet from source outlet promoting the exact article
https://x.com/arstechnica/status/2056805273025876192

In an email to Krebs, Valadon stated that the repository’s commit logs indicated GitHub’s default safeguards against committing secrets—mechanisms meant to shield inexperienced or careless developers from precisely this sort of mistake—had been turned off by the repository administrator.


From The CircuitryThe Feed — live briefs across tech, all day.See what’s happening →

Tests conducted by Seralys founder Philippe Caturegli verified that the repository was neither a prank nor a fabrication. Caturegli successfully employed the credentials found inside Private-CISA to obtain high-privilege access across multiple Amazon Web Services GovCloud accounts.



Krebs reported that the repository seemed to be administered by Nightwing, a Virginia-based contractor working for CISA. Nightwing has declined to issue any public statement and has instead directed all inquiries back to CISA.


This is not the first misstep by CISA; it is not even the first one this year. In January, acting CISA Director Madhu Gottumukkala—who had previously failed a polygraph—uploaded sensitive government documents to ChatGPT after securing an exemption from the agency’s ban on its use by personnel. Gottumukkala was removed from the position in February.

EXPERT TAKE

Disabling GitHub secret commit protections in a contractor-managed repo allowed prolonged high-privilege exposure of CISA credentials to AWS GovCloud.

Why this mattersAI · ~100 words

Tap a lens to see what this story means for you.

Reader-supported
DonateBuy me a coffee →Follow@thecircuitry_ →Follow@thecircuitry.to →

Reader-supported · Daily Brief

Daily brief at 7 AM ET. Top tech stories, every morning. Sourced and fact-checked.

HELP US IMPROVE
From The Circuitry

See what’s happening right now

The Feed runs all day — short, verified briefs the moment they break.

Open the Feed →
From The Circuitry

Follow @thecircuitry_

Every story we publish, as it happens. No noise between.

Follow on X ↗On Bluesky ↗

Reader-supported

The Circuitry is a passion project I've always wanted to build, and I love the work behind it.

Running it costs real money. APIs, hosting, time. To keep improving the site and growing this into something useful for everyone, those costs have to be covered.

Any contribution is appreciated. If not, no pressure. Thanks for reading.

Buy me a coffee
CISAGitHubCybersecurityCredentialsDataExposure
More fromArs Technica
  • Blue Origin reportedly raising up to $10B in first private capital round

    Tech · 2d
  • FCC set to end Biden-era mandate on itemizing ISP passthrough fees

    Tech · 3d
  • Netflix now demands separate email logins for each profile

    Tech · 13d
More inTech
  • Progress tells ShareFile on-premises users to power down servers over reported threat

    Tech · 3m
  • China imposes temporary helium export ban

    Tech · 17m
  • Hackers exploit critical auth bypass in Gitea Docker image

    Tech · 29m
SupportThe Work

The Circuitry is reader-supported. If you find the daily brief useful, you can buy me a coffee to keep it going.

Buy a coffee →
SubscribeCircuitry Brief

Daily brief at 7 AM ET. Top tech stories, every morning.

MORE IN TECH

Progress tells ShareFile on-premises users to power down servers over reported threat

Progress Software has begun contacting organizations that run Storage Zone Controllers for its ShareFile platform, directing them to turn off the associated Windows servers at once because of what the firm calls a "credible external security threat" aimed at the on-premises component. Cloud access has been blocked as a precaution while the company and outside experts investigate.

China imposes temporary helium export ban

China enacted a temporary helium export ban on July 10, 2026 to safeguard domestic supplies amid ongoing Middle East supply risks. The step highlights concerns over prolonged global shortages of the irreplaceable gas used in chipmaking and medical imaging.

Hackers exploit critical auth bypass in Gitea Docker image

Attackers are exploiting CVE-2026-20896 in Gitea’s official Docker image to impersonate any user via a single trusted header. The critical flaw affects default configurations of instances up to version 1.26.2, prompting urgent upgrades to 1.26.4 and log reviews.