CISA Admin Leaked AWS GovCloud Keys on Github – Krebs on Security

Until this past weekend, a contractor for the Cybersecurity & Infrastructure Security Agency (CISA) maintained a public GitHub repository that exposed credentials to a few privileged AWS GovCloud accounts and a large number of internal CISA systems. Security experts said the public repository included files detailing how CISA builds, tests and distributes software internally, and that it represents the worst government data leak in recent history.
On May 15, KrebsOnSecurity heard from Guillaume Valadon, a researcher with the security firm GitGuardian. Valadon’s company regularly scans public code repositories on GitHub and elsewhere for exposed secrets, automatically alerting the offending accounts to any seemingly serious data exposures. Valadon said he reached out because the owner in this case was not responding and the information disclosed was very sensitive.
Fixed screenshot of the now defunct “Secret CISA” vault maintained by a CISA contractor.
The GitHub repository flagged by Valadon was named “Confidential – CISA,” and contained a large amount of internal CISA/DHS information and files, including cloud keys, tokens, plaintext passwords, logs and other sensitive CISA assets.
Valadon said the leaked CISA data represents a textbook example of poor security hygiene, noting that the offending GitHub account’s logs show that a CISA administrator disabled an automatic GitHub setting that prevents users from publishing SSH keys or other secrets in public code repositories.
“Passwords stored in plain text in csv, backups in git, clear instructions to disable GitHub’s password recovery feature,” Valadon wrote in an email. “I honestly believed it was all a lie before analyzing the content in depth. This is the worst leak I’ve seen in my career. It’s clearly an individual fault, but I believe it may reveal internal processes.”
One of the leaked files, titled “importantAWStokens,” includes administrative credentials for three Amazon AWS GovCloud servers. Another file exposed in the public GitHub repository, “AWS-Workspace-Firefox-Passwords.csv,” lists usernames and passwords for dozens of CISA internal systems. According to Caturegli, those systems included one called “LZ-DSO,” which appears to be short for “Landing Zone DevSecOps,” the agency’s secure code development environment.
Philippe Caturegli, founder of the security consultancy Seralys, said he checked the AWS keys to see if they were still valid and to determine what internal systems the exposed accounts could access. Caturegli said the GitHub account that exposed the CISA secrets shows a pattern consistent with an individual user using the repository as a working scratchpad or synchronization mechanism rather than a curated project repository.
“The use of both a CISA-related email address and a personal email address suggests that the cache is used in separate configurations,” Caturegli noted. “The available Git metadata alone does not prove which repository or device was used.”
The “Private CISA” GitHub repo exposed a wealth of plaintext credentials for core CISA GovCloud resources.
Caturegli said he confirmed that the leaked credentials could authenticate to three AWS GovCloud accounts at the highest level. He said the repository also included plaintext credentials for CISA’s internal “artifactory,” essentially a repository of all the code packages the agency uses to build software, and that this would be a prime target for malicious attackers looking for ways to maintain a persistent foothold in CISA’s systems.
“That would be a key area for lateral movement,” he said. “Backdoor in other software packages, and every time they build something new they put your backdoor in left and right.”
In response to questions, a CISA spokesperson said the agency is aware of the reported disclosure and is continuing to investigate the situation.
“At this time, there is no indication that any sensitive information has been compromised as a result of this incident,” a CISA spokesperson wrote. “While we hold our team members to the highest standards of integrity and operational awareness, we are working to ensure that additional safeguards are implemented to prevent future occurrences.”
A review of the GitHub account and its exposed passwords shows that the “private CISA” repository was maintained by an employee of Nightwing, a government contractor based in Dulles, Va. Nightwing declined to comment, referring questions to CISA.
CISA did not respond to questions about the possible date of disclosure of the data, but Caturegli said that the Private CISA repository was created on November 13, 2025. The contractor’s GitHub account was created back in September 2018.
The GitHub account containing the Private CISA repo was taken offline immediately after KrebsOnSecurity and Seralys notified CISA about the disclosure. But Caturegli said the exposed AWS keys continued to work for another 48 hours.
CISA currently operates at a fraction of its normal budget and staffing levels. The agency has lost nearly a third of its workforce since the start of Trump’s second administration, which has forced a series of early retirements, buyouts, and resignations at various levels of the agency.
The now-defunct Private CISA repo showed that the contractor also used easily guessed passwords for a number of internal resources; for example, many credentials used a password consisting of each domain name followed by the current year. Caturegli said such practices would constitute a serious security threat to any organization even if those credentials were never exposed externally, noting that malicious actors often use key credentials exposed on an internal network to extend their access after gaining initial access to a target system.
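The weak-password pattern described above can be checked for in an organization's own credential inventory. The following is an added example, not code from the article or from anyone quoted in it: it audits a password export for entries whose password is just a hostname label plus a year, and it generalizes slightly by accepting any four-digit year and ignoring case and punctuation. The `url`/`username`/`password` column layout, the function names and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
import re
from urllib.parse import urlsplit

# Constructed sample rows in an assumed url,username,password export layout.
SAMPLE_CSV = """url,username,password
https://jenkins.example.internal,builder,Jenkins2025!
https://artifacts.example.internal,deploy,artifacts2026
https://wiki.example.internal,editor,x7#Qm9$Lp2vR
"""

YEAR = re.compile(r"(?:19|20)\d{2}")


def host_labels(url):
    """Return the hostname's labels, lowercased and reduced to [a-z0-9]."""
    host = (urlsplit(url).hostname or "").lower()
    labels = (re.sub(r"[^a-z0-9]", "", part) for part in host.split("."))
    return {label for label in labels if len(label) >= 3}


def is_name_plus_year(url, password):
    """True when the password is a hostname label combined with a year."""
    pw = password.lower()
    match = YEAR.search(pw)
    if match is None:
        return False
    # Drop the year and any punctuation; what remains must be a label.
    rest = re.sub(r"[^a-z0-9]", "", pw[:match.start()] + pw[match.end():])
    return rest in host_labels(url)


def audit(csv_text):
    """Return (url, username) pairs with a name-plus-year password.

    The password itself is never returned, so the report can be shared.
    """
    flagged = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if is_name_plus_year(row["url"], row["password"]):
            flagged.append((row["url"], row["username"]))
    return flagged


if __name__ == "__main__":
    for url, user in audit(SAMPLE_CSV):
        print(f"rotate: {user} @ {url}")
```
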
“What I suspect happened is [the CISA contractor] was using this GitHub to sync files between his work laptop and his home computer, because he has been committing to this repo since November 2025,” said Caturegli. “This would be an embarrassing leak for any company, but it’s even more important in this case because it’s CISA.”



