A CISA contractor with administrative access to the agency's software development platform created a public GitHub repository named "Private-CISA" that exposed plaintext AWS GovCloud credentials, dozens of internal system passwords, and sensitive information about how the U.S. government's lead cybersecurity agency builds and deploys software. The breach persisted from November 2025 until its discovery in May 2026, and security researchers who analysed the repository described it as one of the most egregious government data leaks in recent history.

What Actually Happened

On 15 May 2026, security firm GitGuardian detected a public GitHub repository maintained by a contractor of Nightwing — a government contractor based in Dulles, Virginia — working for CISA. The repository, brazenly named "Private-CISA," contained:

• Administrative credentials to three AWS GovCloud servers, stored in a file titled "importantAWStokens"
• A CSV file ("AWS-Workspace-Firefox-Passwords.csv") listing plaintext usernames and passwords for dozens of internal CISA systems
• Access keys, tokens, and configuration data for CISA's internal code development environment (LZ-DSO or "Landing Zone DevSecOps")
• Build scripts, deployment pipelines, and software architecture documentation

Security researcher Philippe Caturegli of Seralys validated that the exposed AWS GovCloud keys could authenticate at a high privilege level. He also identified that the repository appeared to be used as a personal synchronization mechanism between the contractor's work laptop and home computer — a textbook violation of enterprise credential management policy.

Why GitHub's Secret Detection Failed

The commit logs for the Private-CISA repository revealed that the contractor had manually disabled GitHub's built-in secret scanning protection. GitGuardian researcher Guillaume Valadon noted that the commit history showed explicit commands to disable GitHub's secrets detection feature — meaning the platform's automated warnings were deliberately circumvented.

"Passwords stored in plain text in a csv, backups in git, explicit commands to disable GitHub secrets detection feature. I honestly believed that it was all fake before analysing the content deeper. This is indeed the worst leak that I've witnessed in my career." — Guillaume Valadon, GitGuardian

For enterprises, this is a critical lesson: technical controls only work when they cannot be disabled by individual operators. GitHub's default secret scanning is valuable, but if any developer with admin rights can turn it off, the protection is meaningless without complementary policy enforcement.

The 48-Hour Gap: Credentials Stayed Active

After KrebsOnSecurity and Seralys notified CISA about the exposure, the GitHub account was taken offline. But remarkably, the exposed AWS GovCloud keys remained valid for another 48 hours. Caturegli confirmed that the credentials continued to authenticate throughout this window.

This delay in credential invalidation exposes a fundamental weakness in many organisations' incident response procedures. When a credential compromise is confirmed, the expected response is immediate revocation — not a multi-day investigation. Our enterprise password policy guide covers the incident response playbook for credential compromise scenarios in detail.

What the Leak Exposed: Beyond the Headlines

The Private-CISA repository contained more than just AWS keys. The exposed artifactory — CISA's internal repository of code packages used for software development — would have been a prime target for attackers looking to establish persistence through supply chain compromise. As Caturegli noted:

"That would be a prime place to move laterally. Backdoor in some software packages, and every time they build something new they deploy your backdoor left and right."

The contractor also used easily-guessable passwords for many internal resources. Multiple credentials followed the pattern of each platform's name followed by the current year — a practice that would represent a serious security threat even if those credentials had never been exposed externally. This is exactly the kind of weakness that a password strength assessment tool can help identify before it becomes a breach vector.

How Enterprises Can Prevent Similar Incidents

1. Enforce Credential Vaulting, Not File-Based Storage

No plaintext credential file should ever exist on a developer workstation. Enterprise credential vaulting platforms (such as CyberArk, HashiCorp Vault, or Keeper Business) ensure that secrets are stored in encrypted vaults with audit trails. When a developer leaves or a device is compromised, credentials can be rotated instantly across the entire organisation. 🎓 Save 50% Off

For protecting sensitive enterprise access points, a enterprise VPN solution like Hide My Name VPN provides encrypted tunnels with full audit logging — ensuring that even if credentials are exposed, network-level controls add a second layer of defence. Get PureVPN — Privacy & Security Online

2. Mandate GitHub Secret Scanning Enforcement

GitHub provides organisation-level settings that cannot be overridden by individual users. Enterprise administrators should:

• Enable secret scanning at the organisation level with push protection enforced
• Block the ability for individual users to disable secret detection
• Configure custom patterns for internal credential formats
• Set up automated alerting to the security team when secrets are detected

3. Implement Just-in-Time Access for Cloud Credentials

AWS GovCloud and other sensitive cloud environments should use just-in-time (JIT) access models where credentials are ephemeral. Instead of long-lived access keys that remain valid for months, JIT policies grant temporary credentials that expire automatically after a defined session. If the CISA contractor had been using JIT access, the leaked keys would have been useless within hours.

4. Audit Third-Party Contractor Access Rigorously

The CISA leak was perpetrated by a contractor, not a direct employee. This pattern is common in enterprise breaches — contractors often have privileged access but fewer oversight mechanisms. Organisations should:

• Apply the same (or stricter) credential policies to contractors as to employees
• Require contractors to use managed devices with DLP controls
• Conduct regular access reviews specifically targeting contractor accounts
• Restrict synchronisation of work files to personal devices

Our guide on privileged access management covers these contractor governance patterns in detail, including CyberArk safe policies and dual-control access models.

5. Deploy Network-Level Controls Even for Cloud Access

Even with perfect credential management, human error will happen. Network-level security controls provide a safety net. For remote and hybrid teams, a reliable VPN infrastructure like Turbo VPN ensures that all traffic to sensitive systems is encrypted and routed through authenticated gateways, making credential theft far less valuable to attackers.

The CISA Context: A Stretched Agency

This breach occurred against the backdrop of significant internal disruption at CISA. The agency has lost nearly a third of its workforce and almost all of its senior leadership under the current administration, with early retirements, buyouts, and resignations across divisions.

The weakened security posture at the very agency charged with protecting U.S. critical infrastructure is deeply concerning. Lawmakers from both parties — including Senator Maggie Hassan (D-NH) and Representative Bennie Thompson (D-MS) — have demanded answers, sending formal letters to CISA's acting director questioning how such a lapse could occur.

Enterprise Security Is Only as Strong as Your Password Policy

At its core, the CISA credential leak is a password policy failure. Plaintext passwords stored in CSV files, weak credential patterns, and the absence of automated secret detection all trace back to inadequate enterprise password governance. For compliance teams reconciling multiple frameworks, our NIST vs ISO 27001 password requirements comparison provides the side-by-side analysis you need to build a unified policy.

FAQs

What was the CISA contractor leak?

A CISA contractor (employee of Nightwing) maintained a public GitHub repository called "Private-CISA" that exposed AWS GovCloud administrative credentials, plaintext passwords for dozens of internal CISA systems, and sensitive software development documentation. The repository was public from November 2025 until its discovery on 15 May 2026.

Could this leak have led to a supply chain attack?

Yes. Security researchers noted that the exposed artifactory — CISA's code package repository — would allow an attacker to backdoor software packages, which would then be deployed throughout CISA systems during routine builds.

Why did GitHub's secret detection not catch this?

The contractor manually disabled GitHub's built-in secret scanning protection. The commit logs show explicit commands to turn off the secrets detection feature, which means GitHub's automated warnings were deliberately bypassed.

How long did the AWS GovCloud keys remain valid after discovery?

The AWS GovCloud keys continued to authenticate for approximately 48 hours after CISA was notified, even though the GitHub account was taken offline. This delay represents a significant gap in the incident response process.

What should enterprises do to prevent similar credential leaks?

Enterprises should enforce credential vaulting (eliminate plaintext file storage), mandate GitHub secret scanning at the organisation level (cannot be overridden by users), implement just-in-time cloud access, audit third-party contractor access rigorously, and deploy network-level security controls as a safety net.

What compliance frameworks cover credential management?

Multiple frameworks address this. NIST SP 800-63B Rev 4 mandates blocklist screening and prohibits arbitrary complexity rules. ISO 27001:2022 Annex A controls require identity management and authentication policies. PCI-DSS v4.0 requires 12-character minimums for cardholder data environments. See our enterprise password policy guide for multi-framework reconciliation.

Should enterprises use password managers for cloud credentials?

Yes. Enterprise-grade password management solutions like Kaspersky provide credential theft protection that integrates with Active Directory. For secure team communication about credential incidents, Trekmail offers encrypted email channels that prevent sensitive discussions from being intercepted.

class="related" style="margin-top:48px;padding-top:32px;border-top:1px solid var(--s2)">

Related Articles