CISA Contractor Exposed Internal GovCloud Credentials in Public GitHub Repo

A CISA contractor exposed sensitive internal GovCloud credentials, including plaintext passwords and AWS keys, in a public GitHub repository accessible for months, prompting ongoing investigations and security reviews.
CISA branding over a blurred screenshot of the exposed “Private-CISA” GitHub repository reportedly containing internal cloud infrastructure files and credentials. Background repository image sourced from KrebsOnSecurity.

A contractor working with the U.S. Cybersecurity and Infrastructure Security Agency (CISA) reportedly exposed highly sensitive internal credentials and AWS GovCloud access keys through a public GitHub repository that remained online for months.

According to reporting by KrebsOnSecurity, the repository allegedly contained plaintext passwords, cloud access keys, internal configuration files, tokens, logs, and deployment-related data tied to CISA systems and infrastructure.

The exposed GitHub repository, reportedly named Private-CISA, was publicly accessible until security researchers alerted both CISA and the contractor about the exposure earlier this month.

Researchers from GitGuardian and the security consultancy Seralys said the leak included credentials capable of authenticating to multiple AWS GovCloud environments operating with elevated privileges.

The incident is already being described by some researchers as one of the most severe publicly exposed U.S. government credential leaks in recent years.

Repository allegedly exposed plaintext passwords and deployment infrastructure

The exposed archive reportedly contained files with names referencing AWS tokens, Firefox-stored passwords, deployment workflows, and internal development systems tied to CISA infrastructure.

Researchers said some files contained plaintext usernames and passwords associated with internal systems reportedly connected to the agency’s secure development and DevSecOps environments.

According to the report, commit history associated with the repository also allegedly showed that GitHub’s built-in secret scanning protections had been disabled before the credentials were uploaded publicly.

Security researchers who reviewed the repository said the exposed material suggested the GitHub account may have been used as an informal synchronization mechanism between work and personal systems rather than as a properly secured development repository.

The repository was reportedly maintained by an employee of Nightwing, a government contractor based in Virginia.

Nightwing reportedly directed media inquiries back to CISA.

Researchers warn exposure could have enabled deeper compromise

Researchers stated that some of the exposed credentials allegedly provided access to internal software package repositories and build infrastructure used by CISA teams.

That type of access could theoretically create downstream supply-chain risks if attackers were able to tamper with internally distributed software packages or development workflows.

One researcher reportedly verified that several exposed AWS GovCloud credentials remained valid even after the repository was removed from public access.

CISA acknowledged awareness of the exposure and said it is continuing to investigate the incident.

In a statement cited by KrebsOnSecurity, the agency said it currently has no indication that sensitive data was compromised as a result of the incident, though additional safeguards are reportedly being implemented.

The disclosure also raises broader concerns around credential management, contractor security practices, and operational security controls inside sensitive government-linked development environments.

m00s3c

Moose (@m00s3c) is the author of BreachNews, focusing on data breach intelligence, dark web monitoring, and threat analysis. His work involves analyzing breach claims, reviewing leaked datasets, and tracking threat actor activity to provide clear, factual reporting.
