June 13, 2026
The Agency That Protects America From Hackers Just Got Exposed By Its Own Contractor.
Jazz Cyber Shield
A public GitHub repository named "Private-CISA" exposed the US government's most sensitive cloud keys, plaintext passwords, and internal infrastructure secrets for six months. The irony would be funny if the stakes weren't so high.
The repository was named "Private-CISA."
It was public.
For six months — from November 2025 to May 2026 — a GitHub account maintained by a contractor working for the Cybersecurity and Infrastructure Security Agency sat open on the internet, containing administrative credentials to three Amazon AWS GovCloud accounts, plaintext usernames and passwords for dozens of internal CISA systems, Kubernetes configuration files, deployment workflow documentation, CI/CD build logs, ArgoCD application files, Terraform infrastructure code, and 844 megabytes of data describing in precise detail exactly how America's top cybersecurity agency builds, tests, and deploys its software.
AWS GovCloud is the secure cloud environment Amazon created specifically for sensitive US government data. The agencies that use it include intelligence services, military contractors, and the departments responsible for protecting critical American infrastructure.
The keys to several of those accounts were sitting in a public GitHub repository called "Private-CISA" for half a year.
GitGuardian researcher Guillaume Valadon, who discovered the exposure on May 14, 2026, said it was "the worst leak I have witnessed in my career." He initially assumed the data was fake — the sensitivity of what he was looking at was too extreme to be real.
It was real.
The Agency Whose Entire Job Is Preventing This
Before getting into what was exposed, it is worth dwelling on who CISA is — because the identity of the victim is the story.
The Cybersecurity and Infrastructure Security Agency is the United States government's lead authority on cybersecurity. It issues the vulnerability advisories that every IT team in America watches. It maintains the Known Exploited Vulnerabilities catalog that tells federal agencies which flaws to patch immediately. It publishes the guidance that shapes how both public and private sector organizations defend their infrastructure.
CISA is, in other words, the organization that tells everyone else how not to get hacked.
A contractor working for CISA maintained a public GitHub repository containing plaintext passwords with patterns like "PlatformName2025" — the kind of passwords CISA explicitly tells everyone not to use — and disabled GitHub's built-in feature that automatically blocks users from publishing SSH keys and secrets in public repositories.
The commit logs confirm this. The contractor did not accidentally publish secrets to a public repo. They deliberately turned off the protection designed to prevent it.
What Was Actually Inside "Private-CISA"
The scope of what the repository contained is worth understanding in detail, because the exposure was not just a few leaked passwords.
The repository allegedly contained access to CISA software repositories, raising concerns about software supply chain and CI/CD security risks.
Let me explain why that matters.
CI/CD pipelines — Continuous Integration and Continuous Deployment systems — are the automated processes that take code written by developers and push it into production. If an attacker gains access to a CI/CD pipeline, they can inject malicious code into software that will then be automatically deployed to production systems. This is not theoretical. The SolarWinds attack in 2020 — which compromised 18,000 organizations including multiple US government agencies — used exactly this technique.
Researchers said the exposure included access to CISA's internal artifactory systems, raising concerns attackers could tamper with software packages, inject malicious code, or maintain persistent access through trusted deployments.
The Kubernetes manifests and ArgoCD files exposed in the repository describe the architecture of CISA's internal systems — which systems talk to which other systems, what permissions each component has, how deployments are structured. This is the blueprint an attacker needs to move laterally through an environment after gaining initial access.
Researchers said the repository contained files describing how CISA builds, tests and deploys software internally, and that it represents one of the most egregious government data leaks in recent history.
The 48 Hours That Should Have Been Zero
Here is the detail that, to my mind, is more damaging than the six-month exposure itself.
Some of the leaked AWS keys remained valid for approximately 48 hours after CISA was notified of the breach and the GitHub repository was taken offline.
Read that carefully.
GitGuardian notified CISA. The repository was taken down. And for 48 hours after the repository was gone — after CISA knew the keys were compromised — those keys still worked. An attacker who had downloaded the repository contents before takedown could have used those credentials to access highly privileged AWS GovCloud accounts for two full days after CISA was aware of the problem.
The standard response to a credential exposure is immediate revocation. Change the password. Rotate the key. Invalidate the token. This is Security Incident Response 101. It is in every playbook, including the playbooks CISA publishes for other organizations to follow.
That 48-hour window between repository removal and key revocation is a serious procedural failure. Any sophisticated adversary who had already downloaded the repository — and had six months to do so — had more than enough time to act.
The Congressional Response
The political fallout was immediate.
On May 19, 2026, Axios reported that Sen. Maggie Hassan requested an urgent classified briefing from acting CISA director Nick Andersen. The letter requested details on how the exposure happened, what was exposed, what steps CISA took to limit damage, and which contractor was responsible.
This week, lawmakers in both houses of Congress escalated their demands, requesting answers about how a contractor could maintain a public repository named "Private-CISA" for six months without internal controls triggering an alert, and about the 48-hour delay in revoking compromised credentials.
CISA's response has been consistent: the agency is investigating and has found no evidence that the exposed credentials were actually misused. That statement is technically defensible — absence of evidence of misuse is not evidence of misuse. But it is also cold comfort given that the repository was publicly accessible for six months and that the sophistication required to quietly exploit CI/CD pipeline access leaves minimal forensic trace.
The Contractor Behind the Repository
The "Private-CISA" GitHub repository was maintained by a contractor employed by Nightwing, a government contractor based in Dulles, Virginia.
Nightwing is a defense and intelligence contractor. The individual responsible for the repository apparently used it as a synchronization point between personal devices — a way to keep files consistent across multiple machines. A convenient workflow solution that happened to contain the administrative credentials for US government cloud infrastructure.
The commit logs in the offending GitHub account show that the CISA administrator disabled the default setting in GitHub that blocks users from publishing SSH keys or other secrets in public code repositories.
This was not an accidental misconfiguration. GitHub's default behavior is to warn and block when secrets are detected. The contractor actively disabled that protection. The repository then sat, publicly accessible, named "Private-CISA," for six months — while security researchers, foreign intelligence services, cybercriminals, and anyone else who happened to search GitHub could find it, read it, and download it.
What Every IT Organization Should Take From This
The CISA incident is embarrassing in proportion to CISA's role. But the failure modes it demonstrates are universal. They happen in enterprise environments, in startups, in government agencies, and in small businesses every day.
Contractors are an extension of your attack surface.
CISA's systems were not directly compromised. A contractor's practices compromised access to CISA's systems. The security of your organization is bounded not by your own policies but by the weakest security practices of everyone who has access to your systems — vendors, consultants, temporary staff, and contractors. Every privileged access grant to an external party is a risk that your policies cannot directly control.
The SolarWinds attack compromised 18,000 organizations through a trusted software vendor. The CISA exposure came through a trusted contractor. The pattern is consistent: attackers and accidents both exploit the trusted relationships that organizations cannot audit as thoroughly as their own staff.
Secrets in code repositories are a solved problem — if you enforce the solution.
GitHub's secret scanning feature exists specifically to prevent this. It is on by default. The contractor disabled it. Every organization using GitHub, GitLab, or any code repository should verify that secret scanning and push protection are enabled — and that no one has disabled them.
Beyond platform controls, secrets management tools like HashiCorp Vault, AWS Secrets Manager, and Azure Key Vault exist to ensure that credentials never appear in code or configuration files at all. If your development team is storing passwords in configuration files that end up in repositories, you have the same vulnerability that exposed CISA's infrastructure — regardless of whether your repository is public or private.
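Here is what "verify that secret scanning and push protection are enabled" looks like when you script it rather than clicking through settings. This is an added example, not code from the article or from CISA; the repository objects are constructed samples shaped like the `security_and_analysis` block of GitHub's `GET /repos/{owner}/{repo}` response, and the organisation name is made up. It also flags the pattern this whole story turns on: a public repository with a name that suggests it should not be.

```python
import json
from typing import Dict, List

# Constructed sample of the fields this audit cares about from
# GET /repos/{owner}/{repo}; a real response carries many more keys.
SAMPLE_REPOS = json.loads("""[
  {"full_name": "example-contractor/Private-CISA", "private": false,
   "security_and_analysis": {
     "secret_scanning": {"status": "enabled"},
     "secret_scanning_push_protection": {"status": "disabled"}}},
  {"full_name": "example-contractor/deploy-tools", "private": true,
   "security_and_analysis": {
     "secret_scanning": {"status": "enabled"},
     "secret_scanning_push_protection": {"status": "enabled"}}}
]""")

# Name fragments that should never appear on a public repository.
SENSITIVE_NAME_HINTS = ("private", "internal", "secret", "prod", "creds")


def audit_repo(repo: Dict) -> List[str]:
    """Return human-readable findings for one repository object."""
    findings = []
    name = repo["full_name"]
    sa = repo.get("security_and_analysis") or {}
    scanning = sa.get("secret_scanning", {}).get("status")
    push_prot = sa.get("secret_scanning_push_protection", {}).get("status")
    if scanning != "enabled":
        findings.append(f"{name}: secret scanning is {scanning or 'unavailable'}")
    if push_prot != "enabled":
        findings.append(f"{name}: push protection is {push_prot or 'unavailable'}")
    if not repo["private"]:
        short = name.split("/")[-1].lower()
        if any(hint in short for hint in SENSITIVE_NAME_HINTS):
            findings.append(f"{name}: PUBLIC repository with a sensitive-sounding name")
    return findings


def audit_all(repos: List[Dict]) -> Dict[str, List[str]]:
    """Map repository name to findings, omitting clean repositories."""
    return {r["full_name"]: f for r in repos if (f := audit_repo(r))}


def push_protection_patch_body() -> Dict:
    """Request body for PATCH /repos/{owner}/{repo} that re-enables push protection."""
    return {"security_and_analysis": {
        "secret_scanning_push_protection": {"status": "enabled"}}}


if __name__ == "__main__":
    for repo, findings in audit_all(SAMPLE_REPOS).items():
        for finding in findings:
            print(finding)
```

Run it against the real API by paging through `GET /orgs/{org}/repos` with a token that has admin rights on the repositories, since GitHub only returns `security_and_analysis` to users who can see those settings.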
"No evidence of misuse" is not a clean bill of health.
When an organization says it has found no evidence that exposed credentials were misused, it means their forensic investigation did not find evidence of misuse — not that misuse did not occur. Sophisticated attackers operating through compromised CI/CD pipelines leave minimal forensic trace. The absence of a smoking gun in a six-month exposure of infrastructure credentials is not reassuring. It is a reflection of how hard these intrusions are to detect after the fact.
The 48-hour credential revocation failure is the most teachable moment.
Your incident response plan should have a maximum acceptable time to revoke compromised credentials — and that time should be measured in minutes, not hours. The moment a credential is known to be compromised, it should be revoked. Not after the repository is taken down. Not after a meeting to assess the situation. Immediately. Automated credential rotation, triggered by secret scanning alerts, is the architectural response to this failure mode.
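To make the "minutes, not hours" rule concrete, here is an added example (mine, not CISA's or GitGuardian's) of a handler that revokes a key the moment a secret scanning alert arrives and records whether the revocation landed inside the allowed window. The alert is a constructed sample shaped like GitHub's `secret_scanning_alert` webhook; the `aws_access_key_id` type name and the 15-minute limit are assumptions, the key is fake, and the revoker is a stand-in for the IAM call you would wire in (`iam.update_access_key(..., Status='Inactive')`).

```python
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List

# Assumed policy: revocation must complete within 15 minutes of detection.
MAX_REVOCATION_WINDOW = timedelta(minutes=15)

# Constructed alert shaped like a GitHub secret_scanning_alert webhook payload.
SAMPLE_ALERT = {
    "action": "created",
    "repository": {"full_name": "example-contractor/Private-CISA", "private": False},
    "alert": {"number": 7, "secret_type": "aws_access_key_id",
              "secret": "AKIAEXAMPLEFAKEKEY01",          # fake key id
              "created_at": "2026-05-14T09:00:00Z"},
}

# Audit trail of keys the fake revoker deactivated.
REVOKED: List[str] = []


def fake_aws_revoke(key_id: str) -> None:
    """Stand-in for iam.update_access_key(AccessKeyId=key_id, Status='Inactive')."""
    REVOKED.append(key_id)


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def handle_alert(alert: Dict, revokers: Dict[str, Callable[[str], None]],
                 now: datetime) -> Dict:
    """Revoke on detection; never wait for the repository to be taken down."""
    kind = alert["alert"]["secret_type"]
    secret = alert["alert"]["secret"]
    detected = parse_ts(alert["alert"]["created_at"])
    revoker = revokers.get(kind)
    if revoker is None:
        # Unknown secret type: escalate rather than silently dropping it.
        return {"status": "needs_manual_revocation", "secret_type": kind}
    revoker(secret)
    delay = now - detected
    return {"status": "revoked", "secret_type": kind,
            "revocation_delay": delay,
            "within_sla": delay <= MAX_REVOCATION_WINDOW}


if __name__ == "__main__":
    revokers = {"aws_access_key_id": fake_aws_revoke}
    detected_at = parse_ts(SAMPLE_ALERT["alert"]["created_at"])
    print(handle_alert(SAMPLE_ALERT, revokers, detected_at + timedelta(minutes=3)))
    print(handle_alert(SAMPLE_ALERT, revokers, detected_at + timedelta(hours=48)))
```

The second call reproduces the 48-hour case from this incident and reports `within_sla: False`; in production that is the line that should page someone.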
The Irony That Will Outlast the Investigation
There is a version of this story that is simply embarrassing: a contractor made a mistake, CISA responded, the investigation is ongoing, no damage confirmed.
That version is probably true.
But there is another version worth sitting with. CISA publishes advisories warning organizations about credential exposure in public repositories. CISA's Known Exploited Vulnerabilities catalog exists because organizations fail to patch known flaws — and CISA tries to create urgency around fixing what is already known to be broken.
The agency that exists to tell America how not to get hacked had its cloud credentials, plaintext passwords, and infrastructure blueprints sitting in a public GitHub repository named "Private-CISA" for six months.
Not because a nation-state found a sophisticated zero-day. Not because a criminal group ran a complex phishing campaign. Because a contractor disabled a default security feature and used a public repository as a file sync tool.
The most humbling breaches are not the sophisticated ones. They are the ones that happen because the basics were not followed — by the very people whose job is to make sure everyone else follows them.
Check your repositories for exposed secrets tonight. Verify your secret scanning is enabled. Review which contractors have privileged access to your systems.
And maybe name your sensitive repositories something other than "Private."
For enterprise network hardware with valid manufacturer licensing — Fortinet, Cisco, SonicWall, WatchGuard — visit Jazz Cyber Shield. USA-based authorized reseller, fast US nationwide shipping.