By Xavier Rivera · 1.5 min read

CISA Credentials Exposed in Public GitHub Repo Since 2025

CISA had plaintext passwords, SSH private keys, tokens and other sensitive assets exposed in a public GitHub repo named Private-CISA since at least November 2025. The repo's administrator disabled GitHub's default secret protections, a contractor managed it, and testing confirmed high-privilege AWS GovCloud access was possible.

Security researcher Brian Krebs has brought to light a significant security lapse at America's Cybersecurity and Infrastructure Security Agency (CISA). A large store of plaintext passwords, SSH private keys, tokens, and other sensitive CISA assets had been exposed in a public GitHub repository since at least November 2025.

The now-offline public repo was named Private-CISA. It was brought to Krebs' attention by Guillaume Valadon of GitGuardian, who was alerted to the repo's presence by GitGuardian's public code scans. Valadon approached Krebs after receiving no responses from the Private-CISA repo's owner.
In an email to Krebs, Valadon claimed that the repo's commit logs show that GitHub's default protections against committing secrets had been disabled by the repo's administrator. These protections are designed to protect unwitting or unskilled developers against exactly this kind of error.
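The protections the article refers to block a push when its content matches known secret formats. As an added illustration (not code from the article, Krebs, GitGuardian or GitHub), the following pre-commit style scanner applies the same idea locally to the kinds of material the repo reportedly held: AWS access key IDs, PEM private keys, GitHub tokens and plaintext password assignments. The sample files and the password heuristic are constructed for the example.

```python
import re
from dataclasses import dataclass

# AWS access key prefixes and PEM headers follow public formats; the
# GitHub token prefixes are the documented ones. The password pattern is
# a heuristic chosen for this example, not a rule GitHub publishes.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA|ASIA)[A-Z0-9]{16}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |OPENSSH |EC |DSA )?PRIVATE KEY-----"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "password_assignment": re.compile(r"(?i)\bpassword\s*[:=]\s*['\"]?[^\s'\"]{8,}"),
}

@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str

def scan_text(path: str, text: str) -> list[Finding]:
    """Return one Finding per (line, pattern) match in a single file's text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append(Finding(path, line_no, kind))
    return findings

def scan_staged(files: dict[str, str]) -> list[Finding]:
    """Scan a mapping of path -> content, e.g. the files staged for a commit."""
    out = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out

# Constructed sample input: the AWS key is AWS's own documentation example,
# the private key body is truncated filler. Nothing here is a real credential.
SAMPLE_FILES = {
    "deploy/aws.env": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\nREGION=us-gov-west-1\n",
    "keys/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAA...\n",
    "README.md": "No secrets here.\n",
}

if __name__ == "__main__":
    hits = scan_staged(SAMPLE_FILES)
    for f in hits:
        print(f"{f.path}:{f.line_no}: {f.kind}")
    # Non-zero exit makes a pre-commit hook refuse the commit.
    raise SystemExit(1 if hits else 0)
```

Wired into a pre-commit hook, a non-zero exit blocks the commit; a repository administrator can still bypass a local hook, which is why the server-side protection the article describes matters.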

Testing by Seralys founder Philippe Caturegli confirmed that this was not a joke or hoax. He was able to use the credentials in the Private-CISA repo to gain access to multiple Amazon Web Services GovCloud accounts at a high privilege level.

Krebs notes that the repo appeared to be managed by Virginia-based Nightwing, a CISA contractor. Nightwing has so far not commented publicly, instead referring questions back to CISA.

This isn't the first time CISA has screwed up. In fact, it's not even the first time this year. In January, polygraph-failing acting CISA Director Madhu Gottumukkala uploaded sensitive government documents to ChatGPT after demanding and receiving an exemption to the agency policy that prohibited ChatGPT's use by CISA personnel. Gottumukkala was removed from his role in February.

EXPERT TAKE

Disabling GitHub secret commit protections in a contractor-managed repo allowed prolonged high-privilege exposure of CISA credentials to AWS GovCloud.
