A CISA contractor left GovCloud admin keys on public GitHub. The file was named 'Important AWS Tokens.txt'.

GitGuardian found a public CISA repo with 844 MB of secrets, including AWS GovCloud admin keys. The repo sat open for six months.

Luca Reinhardt · 4 min read · 2 sources

[Image: CISA logo and seal of the U.S. Cybersecurity and Infrastructure Security Agency. Image via BleepingComputer]

A Nightwing contractor working at the Cybersecurity and Infrastructure Security Agency pushed his entire admin toolbox to a public GitHub repo on November 13, 2025. He left it there until last Friday.

The repo was named “Private-CISA,” which is the part you can’t make up. Guillaume Valadon, a researcher at GitGuardian, found it on May 14 during the firm’s continuous scan of public GitHub commits. Valadon tried to reach the owner first. When the alerts went unanswered, he sent the full file listing to KrebsOnSecurity and to CISA directly.

The files

This isn’t a “secrets accidentally checked in” story. The repo was a working personal archive of an active CISA build environment, kept public for six months, with files named exactly what their contents were. CISA’s own guidance to other agencies for years has warned that personal devices and personal repos shouldn’t touch federal credentials. Per Krebs’s screenshot and The Register’s parallel reporting, the 844 MB archive included:

  • Important AWS Tokens.txt and importantAWStokens, holding admin credentials to three AWS GovCloud accounts.
  • AWS-Workspace-Firefox-Passwords.csv, plaintext usernames and passwords for internal CISA systems, exported directly from a Firefox profile.
  • CAWS GitHub Token.txt, a personal access token for CISA’s GitHub org.
  • Kube-Config.txt, a kubeconfig pointing at the production cluster.
  • external-secret-repo-creds.yaml, the credentials to CISA’s internal artifactory, the place where the agency stores its software build packages.
  • Terraform infrastructure code, ArgoCD manifests, build and deploy runbooks, and Entra ID SAML certificates for the agency’s identity setup.

GitHub’s default secret-scanning protection was switched off on the repo. That has to be done manually; it is not a default someone forgets. The same contractor maintained the repo using two different identities in his commits, a CISA-issued contractor email and a personal Yahoo address, which Krebs reports is consistent with using a public GitHub as a sync tool between work and home laptops.

The AWS GovCloud piece is the part that should worry every customer in the same tenancy. GovCloud is AWS’s isolated U.S. cloud for federal workloads. Physically separate accounts, screened personnel, FedRAMP High. The admin credentials in this repo opened three of those accounts at top privilege.

How long the window stayed open

The exposure ran from November 13, 2025 to May 14, 2026, which is six months. After Krebs notified CISA on May 14, the agency took the repo offline inside 24 hours. Valadon then checked whether the leaked AWS keys still authenticated. They did, for another 48 hours after the repo came down.

Philippe Caturegli of Seralys ran the same validation independently and confirmed the keys were live and at high privilege. He told Krebs the artifactory credentials were the worst part of the haul: “That would be a prime place to move laterally. Backdoor in some software packages, and every time they build something new they deploy your backdoor left and right.”

CISA’s official statement, sent to both Krebs and The Register: “Currently, there is no indication that any sensitive data was compromised […] we are working to ensure additional safeguards are implemented to prevent future occurrences.”

“No indication” is doing a lot of work in that sentence. The repo had been public, indexable, and searchable for six months. Confirming a negative across that window means correlating CloudTrail and artifactory logs against every IP that touched the GovCloud accounts, including any that scraped GitHub’s public commit firehose during the period. That is a real audit, not a quick scan.
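The audit described above, as an added example that is not the agency's or the researchers' code: take CloudTrail records for the leaked key IDs, keep only those inside the exposure window, drop the agency's own egress addresses, and report what every unfamiliar source did with each key. The exposure bounds, the egress allowlist and the sample events are assumptions constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Added example, not the agency's or the researchers' tooling. It assumes the
# CloudTrail records for the three GovCloud accounts have already been pulled
# (Athena, CloudTrail Lake, or an S3 export) and loaded as dicts.
EXPOSURE_START = datetime(2025, 11, 13, tzinfo=timezone.utc)
# Repo offline within 24 h of May 14, keys still valid for ~48 h after that.
EXPOSURE_END = datetime(2026, 5, 17, tzinfo=timezone.utc)
KNOWN_EGRESS = {"203.0.113.10"}  # assumed allowlist of the agency's own egress IPs

# Constructed sample records; the key ID is AWS's documentation example and the
# IPs are RFC 5737 test addresses, not values from the incident.
LEAKED = "AKIAIOSFODNN7EXAMPLE"
SAMPLE_EVENTS = [
    {"eventTime": "2025-11-20T09:12:03Z", "eventName": "DescribeInstances",
     "sourceIPAddress": "203.0.113.10", "userIdentity": {"accessKeyId": LEAKED}},
    # Cheap identity check followed by enumeration: a typical first use of a found key.
    {"eventTime": "2026-01-08T02:41:55Z", "eventName": "GetCallerIdentity",
     "sourceIPAddress": "198.51.100.77", "userIdentity": {"accessKeyId": LEAKED}},
    {"eventTime": "2026-01-08T02:43:10Z", "eventName": "ListBuckets",
     "sourceIPAddress": "198.51.100.77", "userIdentity": {"accessKeyId": LEAKED}},
    # Outside the window (key should already be rotated) and an unrelated key.
    {"eventTime": "2026-06-01T10:00:00Z", "eventName": "ListBuckets",
     "sourceIPAddress": "198.51.100.99", "userIdentity": {"accessKeyId": LEAKED}},
    {"eventTime": "2026-02-02T12:00:00Z", "eventName": "ListBuckets",
     "sourceIPAddress": "198.51.100.5", "userIdentity": {"accessKeyId": "AKIAUNRELATEDKEY0001"}},
]

def correlate(events, leaked_keys, start=EXPOSURE_START, end=EXPOSURE_END,
              known_ips=KNOWN_EGRESS):
    """Group every use of a leaked key inside the exposure window by source IP,
    dropping recognised egress; returns {(key, ip): {first, last, calls}}."""
    findings = defaultdict(lambda: {"first": None, "last": None, "calls": []})
    for ev in events:
        key = ev.get("userIdentity", {}).get("accessKeyId")
        ts = datetime.fromisoformat(ev["eventTime"].replace("Z", "+00:00"))
        ip = ev["sourceIPAddress"]
        if key not in leaked_keys or not start <= ts <= end or ip in known_ips:
            continue
        f = findings[(key, ip)]
        f["first"] = min(f["first"] or ts, ts)
        f["last"] = max(f["last"] or ts, ts)
        f["calls"].append(ev["eventName"])
    return dict(findings)

if __name__ == "__main__":
    for (key, ip), f in correlate(SAMPLE_EVENTS, {LEAKED}).items():
        print(f"{key} from {ip}: {f['first']} .. {f['last']} {f['calls']}")
```

Any (key, ip) pair the function returns is a lead to chase in the Artifactory and cluster logs for the same window; an empty result over a complete event set is what "no indication" would have to rest on.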

What this means for you

If you run security at a federal contractor or anywhere with GovCloud exposure, the action item is concrete. Audit every employee’s personal GitHub account for repos that contain credentials, regardless of the repo name. The contractor here used “Private-CISA” as a label, and GitHub honored that label as a hint, not as access control. GitGuardian, TruffleHog, and GitHub’s own Push Protection are all free at the personal-account tier and catch the case where someone has confused “private” with “named Private.”

If you’re a developer reading this and you sync between machines through a public repo, you are the next story. Use a private repo, GitHub’s Secrets Manager, or a real password manager. Personal access tokens belong in a vault, not in a checked-in file. The cost of doing this correctly is one afternoon.
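One way to run the audit the previous two paragraphs call for over a checkout of an employee's or contractor's repo, as an added example (not GitGuardian's, TruffleHog's or GitHub's code): a scanner keyed to the artifact types in the Private-CISA listing, flagging both tell-tale file names and content markers. The rules, the file-name hints and the sample files are assumptions constructed for the example.

```python
import re

# Added example. AKIA/ASIA and ghp_ are the documented prefixes of AWS access
# key IDs and GitHub classic PATs; the other rules match structural markers of
# a kubeconfig, a PEM private key and a Firefox "Saved logins" CSV export.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "kubeconfig_key": re.compile(r"^[ \t]*client-key-data:[ \t]*\S+", re.M),
    "pem_private_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "firefox_logins_csv": re.compile(r'^"url","username","password"', re.M),
}
# A file name that announces its contents is a finding on its own.
NAME_HINTS = re.compile(r"token|password|secret|kube-?config|creds", re.I)

def scan_text(name, text):
    """Return [(rule, line_number)] for one file; line 0 marks a name-only hit."""
    hits = []
    if NAME_HINTS.search(name):
        hits.append(("suspicious_filename", 0))
    for rule, rx in PATTERNS.items():
        for m in rx.finditer(text):
            hits.append((rule, text.count("\n", 0, m.start()) + 1))
    return hits

def scan_files(files):
    """Scan a {name: content} mapping; return only the files with findings."""
    report = {name: scan_text(name, text) for name, text in files.items()}
    return {name: hits for name, hits in report.items() if hits}

# Constructed sample files modelled on the listing; every value is a placeholder
# (the AWS key ID is the example ID from AWS's own documentation).
SAMPLE_FILES = {
    "Important AWS Tokens.txt": "# govcloud prod\naws_access_key_id = AKIAIOSFODNN7EXAMPLE\n",
    "CAWS GitHub Token.txt": "ghp_0123456789abcdefghijklmnopqrstuvwxyz\n",
    "AWS-Workspace-Firefox-Passwords.csv": (
        '"url","username","password","httpRealm","formActionOrigin","guid",'
        '"timeCreated","timeLastUsed","timePasswordChanged"\n'
        '"https://intranet.example","alice","placeholder-pw",,,,,,\n'
    ),
    "Kube-Config.txt": "apiVersion: v1\nkind: Config\nusers:\n- name: admin\n  user:\n"
                       "    client-key-data: LS0tLS1CRUdJTiBQTEFDRUhPTERFUi0tLS0t\n",
    "README.md": "Build notes. Nothing sensitive here.\n",
}

if __name__ == "__main__":
    for name, hits in scan_files(SAMPLE_FILES).items():
        print(f"{name}: {hits}")
```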

For CISA specifically, the issue isn’t that an employee made a mistake. It’s that the agency’s contractor controls didn’t catch six months of public commits from a developer who was authenticating to GovCloud admin accounts. The next disclosure to watch is whether the agency mandates push protection across all CISA-issued accounts and contractor identities. If it doesn’t, the Private-CISA repo won’t be the last one.

Quick reference

GovCloud
AWS's isolated U.S. cloud for federal workloads. Physically separate accounts, screened personnel, FedRAMP High.
