The agency responsible for securing America’s federal networks just failed at the most basic thing developers learn in week one: don’t commit credentials to a public GitHub repository. On May 15, 2026, security researcher Guillaume Valadon from GitGuardian flagged a public repo called “Private-CISA,” maintained by a Nightwing contractor working for the Cybersecurity and Infrastructure Security Agency (CISA). The repository had been sitting open since November 13, 2025 — six months of exposure. Among its contents: a file named importantAWStokens, containing admin credentials for three AWS GovCloud environments.
What Was in the CISA GitHub Repository
The 844 MB repository contained more than anyone should want to see in a public space. Beyond the GovCloud credentials, researchers found AWS-Workspace-Firefox-Passwords.csv — a plaintext CSV listing usernames and passwords for dozens of internal CISA systems. The passwords followed a pattern that any decent brute-force script would crack in minutes: platform name plus the current year. Think Slack2025, Teams2025. Add Kubernetes manifests, ArgoCD configurations, Terraform files, CI/CD build logs, and SAML certificates to the list, and you have a complete map of CISA’s internal infrastructure served up for free.
Security consultant Philippe Caturegli of Seralys confirmed the credentials were still valid at the time of discovery. Moreover, some of the AWS keys remained active for 48 hours after the repository was taken offline — meaning the window for exploitation did not close the moment GitGuardian filed the report.
The most dangerous item in the repository, however, was access to CISA’s Artifactory instance — its internal software package repository. Caturegli put it plainly: “That would be a prime place to move laterally. Backdoor in some software packages, and every time they build something new they deploy your backdoor left and right.” This is the SolarWinds playbook: compromise the build pipeline, get persistence in every downstream deployment. CISA, of all agencies, has published guidance warning about exactly this vector.
The Contractor Disabled GitHub Secret Scanning on Purpose
Here is where this goes from embarrassing to indefensible. Valadon’s analysis of the commit logs found explicit commands disabling GitHub’s built-in secret detection feature. This is not a default-off setting that someone forgot to enable. GitHub secret scanning runs automatically on public repositories, for free. It catches AWS keys, GitHub tokens, and dozens of other credential formats. To disable it, you have to actively choose to.
The most charitable reading is that the contractor turned off scanning to avoid interruptions while syncing files between a work machine and a home computer — which is apparently what this repository was being used for. A less charitable reading is that they knew exactly what they were pushing and removed the guardrail deliberately. Either way, CISA’s credential hygiene was riding on a contractor using a public GitHub repo as a personal Dropbox, with the safety net cut.
CISA Is Running on One Third Fewer Staff
Context matters here, even if it does not excuse the failure. Since the start of fiscal year 2025, CISA’s workforce has dropped from approximately 3,400 to around 2,400 employees — a 29 percent reduction driven by layoffs, buyouts, and resignations under the current administration’s budget priorities. Its operational budget faces a proposed cut of over $420 million, from $2.38 billion to $1.96 billion. According to Krebs on Security, the National Risk Management Center, which handles exactly the kind of supply chain risk that Artifactory access represents, lost 73 percent of its funding. The Election Security Program was eliminated entirely.
Reduced headcount and oversight create conditions where a contractor can run a file-sync repository on a public GitHub account for six months without anyone flagging it internally. That is not bad luck — that is what understaffing looks like in practice. GitGuardian’s disclosure timeline shows nine automated emails to the commit author went unanswered before researchers escalated through journalist Brian Krebs to reach CISA directly. Once notified, CISA responded within 26 hours — but the problem ran undetected for six months because no internal system caught it first.
What Developers Should Take From This
The irony is thick but the lessons are concrete. Enable GitHub secret scanning — it is free, it runs automatically on public repos, and there is no legitimate reason to disable it. If you are syncing files between machines, use a private repository or a dedicated tool, not a public one. When credentials are exposed, rotate them immediately; 48 hours of valid keys after disclosure is 47 hours too many. And treat your build pipeline — Artifactory, npm registries, container registries — as the highest-value target in your infrastructure, because an attacker who can inject into your builds owns everything downstream.
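As an added example (not code from the article, CISA, or GitGuardian's tooling), here is a small pre-commit style check that flags two of the problems the article describes: AWS access key IDs sitting in plain files and "platform plus year" passwords in a CSV export. The file names echo the ones the article mentions, but every file's contents here are constructed sample data.

```python
import csv
import io
import re

# AWS access key IDs are 20 characters: a 4-char prefix (AKIA for long-lived
# IAM user keys, ASIA for temporary STS keys) followed by 16 uppercase
# letters or digits. This is the same shape GitHub secret scanning looks for.
AWS_KEY_ID_RE = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")

# "Platform name plus a year" passwords, the pattern the article describes
# (e.g. Slack2025, Teams2025): letters only, then a four-digit year.
WEAK_PASSWORD_RE = re.compile(r"^[A-Za-z]{2,}(?:19|20)\d{2}$")


def find_aws_key_ids(text):
    """Return every token shaped like an AWS access key ID found in text."""
    return [m.group(0) for m in AWS_KEY_ID_RE.finditer(text)]


def find_weak_passwords(csv_text, password_field="password"):
    """Return (username, password) pairs whose password is just word+year."""
    reader = csv.DictReader(io.StringIO(csv_text))
    weak = []
    for row in reader:
        password = row.get(password_field, "") or ""
        if WEAK_PASSWORD_RE.match(password):
            weak.append((row.get("username", ""), password))
    return weak


def scan_files(files):
    """files maps path -> content. Returns (path, finding_kind, detail) tuples."""
    findings = []
    for path, content in files.items():
        for key_id in find_aws_key_ids(content):
            findings.append((path, "aws_access_key_id", key_id))
        if path.lower().endswith(".csv"):
            for user, password in find_weak_passwords(content):
                findings.append((path, "weak_password", f"{user}:{password}"))
    return findings


# Constructed sample inputs; the key ID and accounts below are fake.
SAMPLE_FILES = {
    "importantAWStokens": "govcloud-admin\nAKIAEXAMPLEKEY000001\n",
    "AWS-Workspace-Firefox-Passwords.csv": (
        "url,username,password\n"
        "https://slack.example.gov,jdoe,Slack2025\n"
        "https://teams.example.gov,jdoe,Teams2025\n"
        "https://vault.example.gov,asmith,Qp9!vL2m#xR7tZ\n"
    ),
}

if __name__ == "__main__":
    for finding in scan_files(SAMPLE_FILES):
        print("BLOCK COMMIT:", *finding)
```

Wired into a pre-commit hook that exits non-zero on any finding, this is the kind of guardrail the contractor disabled; it is a complement to, not a replacement for, GitHub's own scanning and for rotating any key that has ever touched a public repository.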
Key Takeaways
- A Nightwing contractor for CISA left AWS GovCloud credentials, plaintext passwords, and Artifactory access in a public GitHub repository for six months — and disabled GitHub’s secret scanning before doing so.
- The repository contained 844 MB of sensitive data, including a file named importantAWStokens and a CSV of passwords following the Platform2025 pattern.
- Artifactory access poses the highest risk: it enables attackers to poison CISA’s software build pipeline, embedding backdoors in every future deployment.
- AWS keys remained valid for 48 hours post-takedown — takedown alone is not remediation; immediate credential rotation is required.
- CISA has lost nearly one-third of its workforce since 2025; reduced oversight capacity does not excuse the failure, but it explains how six months passed without internal detection.