Key Takeaways
- A public GitHub repository named “Private‑CISA” exposed plain‑text passwords, API keys, and tokens belonging to the U.S. Cybersecurity and Infrastructure Security Agency (CISA).
- The leaked data included administrative credentials for three AWS GovCloud servers and a CSV file with usernames and passwords for dozens of internal CISA systems, such as the Landing Zone DevSecOps (LZ‑DSO) environment.
- GitGuardian researcher Guillaume Valadon called the incident “the worst leak I’ve witnessed in my career,” though CISA stated there is no evidence that the data was actually compromised.
- The repository existed from November of the previous year, meaning the vulnerability persisted for roughly six months before being remediated over the weekend the report was published.
- The episode highlights broader challenges facing CISA, including political turbulence during the Trump administrations, frequent leadership turnover, and ongoing funding pressures.
Discovery of the Leak
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) inadvertently left a trove of sensitive credentials exposed in a public GitHub repository, according to a Krebs on Security investigation. The repository, bluntly titled “Private‑CISA,” was accessible to anyone with an internet link and contained files stored in plain text rather than encrypted or hashed form. Security researchers discovered the leak after noticing unusual activity in the agency’s public code‑sharing practices. The exposure remained unnoticed for an unknown period, raising alarms about how a federal cybersecurity body could mishandle its own digital keys.
Contents of the Exposed Repository
Among the files uncovered were two especially sensitive documents. One, named “importantAWStokens,” held administrative access keys for three Amazon Web Services (AWS) GovCloud servers used by CISA for classified or sensitive workloads. The other, “AWS-Workspace-Firefox-Passwords.csv,” listed plaintext usernames and passwords for dozens of internal CISA systems, including a system referred to as “LZ‑DSO,” which stands for Landing Zone DevSecOps—the agency’s secure code development and testing environment. Because the credentials were stored in clear text, anyone who cloned the repository could immediately use them to gain unauthorized access to CISA’s cloud infrastructure and internal applications.
CISA’s Official Response
When approached by Krebs on Security, CISA issued a brief statement emphasizing that, as of the time of the report, there was “no indication that any sensitive data was compromised as a result of this incident.” The agency affirmed its commitment to high standards of integrity and operational awareness, while acknowledging that additional safeguards would be implemented to prevent similar occurrences. The response attempted to reassure stakeholders but did not elaborate on how the leak occurred or why the data remained exposed for months.
Timeline and Duration of the Vulnerability
Krebs reported that the “Private‑CISA” repository was created in November of the preceding year, suggesting the vulnerability persisted for approximately six months before being remediated over the weekend the story broke. However, the exact window could be shorter if sensitive material was added later; conversely, if the repository had been populated early and left untouched, the exposure might have lasted even longer. This window of opportunity underscores the risks inherent in relying on public platforms like GitHub for internal workflows without proper access controls or secret‑scanning tools.
Origins and Legislative Background of CISA
CISA was established in 2018 as a component of the Department of Homeland Security (DHS) through the Cybersecurity and Infrastructure Security Agency Act, a bill signed into law by President Donald Trump during his first term. The agency’s mandate is to protect the nation’s critical infrastructure from cyber and physical threats, coordinating efforts across federal, state, local, tribal, and territorial partners, as well as the private sector. Despite its legislative birth under Trump, CISA’s early years were marked by rapid growth and an evolving mission to address rising ransomware, election‑security, and supply‑chain risks.
Trump’s Turbulent Relationship with CISA
During the latter part of Trump’s first administration and the transition period after the 2020 election, CISA leadership became a focal point of political tension. The agency issued statements affirming the security of the 2020 election, which contradicted claims of widespread fraud promoted by the former president and his allies. In response, Trump dismissed the CISA director he had appointed, Chris Krebs, and later appointed acting directors who never received Senate confirmation. Upon returning to office in a second term, Trump reportedly sought to slash CISA’s budget, further destabilizing the agency’s ability to retain experienced staff and maintain robust defenses.
Contractor Nightwing and the GitHub Misstep
The Krebs investigation traced the leak to an employee of a government contractor named Nightwing, who used a personal GitHub account to transfer work files from a government device to a home computer—a practice akin to emailing documents to oneself but far less secure. By pushing internal scripts, configuration files, and credential lists to a public repository, the contractor inadvertently exposed CISA’s secrets to the broader internet. This behavior highlights the dangers of “shadow IT” practices, where convenient workarounds bypass official security policies, especially when contractors operate under differing security cultures.
Specific Exposed Files and Their Implications
The “importantAWStokens” file gave anyone with the repository link the ability to assume administrative control over three AWS GovCloud environments, potentially allowing the exfiltration, modification, or destruction of sensitive data hosted there. Meanwhile, the “AWS-Workspace-Firefox-Passwords.csv” file contained clear‑text login credentials for numerous internal applications, including development tools, monitoring dashboards, and possibly email or VPN gateways. With such credentials, an attacker could pivot laterally within CISA’s network, planting backdoors or ransomware without triggering many traditional defenses that rely on perimeter protection.
Expert Reaction and Broader Lessons
Guillaume Valadon, a security researcher at GitGuardian—a firm that specializes in scanning public code repositories for leaked secrets—described the incident as “the worst leak I’ve witnessed in my career.” His assessment stems not only from the volume and sensitivity of the data but also from the fact that a federal agency tasked with defending the nation’s cyber infrastructure failed to protect its own credentials. The episode reinforces the need for mandatory secret‑scanning integration in CI/CD pipelines, enforced least‑privilege access policies, regular audits of public repositories, and mandatory security training for contractors who handle government data. It also serves as a stark reminder that even the most security‑focused organizations are vulnerable when human error, lax policies, or inadequate tooling allow secrets to slip into the open.
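A minimal secret check of the kind the paragraph calls for, suitable as a pre-commit hook or CI step, added here as an example and not CISA's, Nightwing's or GitGuardian's tooling: it flags AWS access key IDs, labelled secret access keys, and CSV files with a populated password column. The file contents are constructed stand-ins for the two files named in the article, using AWS's documented placeholder keys.

```python
import csv
import io
import re

# AWS access key IDs: 4-letter prefix (AKIA/ASIA) plus 16 uppercase alphanumerics.
AWS_KEY_ID = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# Secret access keys are 40 base64-like chars; flag them only next to a label to limit noise.
AWS_SECRET = re.compile(r"(?i)secret[_ -]?(?:access[_ -]?)?key\W{0,4}[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=])")
PASSWORD_HEADER = re.compile(r"(?i)^(pass(word)?|passwd|pwd)$")


def scan_text(name: str, text: str) -> list[dict]:
    """Return one finding dict {"file", "line", "kind"} per hit in a single file."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        hits += [{"file": name, "line": lineno, "kind": "aws-access-key-id"} for _ in AWS_KEY_ID.finditer(line)]
        hits += [{"file": name, "line": lineno, "kind": "aws-secret-access-key"} for _ in AWS_SECRET.finditer(line)]
    if name.lower().endswith(".csv"):
        # A CSV whose header names a password column and whose rows fill it is a credential list.
        rows = list(csv.reader(io.StringIO(text)))
        cols = [i for i, h in enumerate(rows[0]) if PASSWORD_HEADER.match(h.strip())] if rows else []
        hits += [{"file": name, "line": n, "kind": "plaintext-password-column"}
                 for n, row in enumerate(rows[1:], 2) for i in cols if i < len(row) and row[i].strip()]
    return hits


def scan_repo(files: dict[str, str]) -> list[dict]:
    """Scan a {path: contents} mapping, e.g. the files staged for a commit; an empty list means clean."""
    return [hit for name, text in files.items() for hit in scan_text(name, text)]


# Constructed stand-ins for the two files named in the article, using AWS's documented placeholder keys.
SAMPLE_FILES = {
    "importantAWStokens": "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
                          "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n",
    "AWS-Workspace-Firefox-Passwords.csv": "url,username,password\n"
                                           "https://lz-dso.example,admin,Example!Passw0rd\n",
    "README.md": "Build notes only; the prefix AKIA on its own is not a key.\n",
}

if __name__ == "__main__":
    for hit in scan_repo(SAMPLE_FILES):  # a hook would exit non-zero when this list is non-empty
        print(f"{hit['file']}:{hit['line']}: {hit['kind']}")
```

Pattern matching of this kind catches the obvious cases; a production scanner would add entropy checks and provider-specific validators, but the point is that either of the two files above would have been blocked before the push.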