"My main fear … is that a state actor will get the data and might be able to do bad stuff," GitGuardian security researcher Guillaume Valadon said after discovering a public GitHub repository that, the firm reported, exposed privileged credentials tied to the Cybersecurity and Infrastructure Security Agency.
The exposed repository: "Private-CISA" and what leaked
Security firm GitGuardian said it discovered a public GitHub repository last week that exposed credentials for privileged AWS GovCloud accounts and internal CISA systems dating back to November. The repository was reportedly named "Private-CISA" and, according to reporting, was maintained by a contractor. Krebs on Security first reported the incident.
Valadon said he initially thought the repository might be fake, but after confirming the data he called the leak one of the worst he’d ever seen. He warned that state-based attackers who obtained the credentials "might be able to gain persistence," and added that persistence inside a government system could be "even worse than an attacker destroying everything."
Capitol Hill demands: Thompson, Ramirez, and Senator Hassan seek briefings
Congressional Democrats pressed CISA for answers. Mississippi Rep. Bennie Thompson, the top Democrat on the Homeland Security Committee, and Delia Ramirez, the top Democrat on the panel’s cyber subcommittee, sent a letter to CISA’s acting director, Nick Andersen, requesting a briefing. They asked for details on "how this serious security lapse occurred, any potential security consequences, remediation activities, corrective actions related to the contractor personnel involved, and efforts to monitor for and prevent similar activity from occurring in the future."
Sen. Maggie Hassan, D-N.H., separately requested a classified briefing to learn which systems were exposed, what forensic work CISA performed to evaluate potential damage, and what corrective actions the agency has taken. Hassan wrote that the reported incident "raises serious questions about how such a security lapse could occur at the very agency charged with helping to prevent cyber breaches," calling particular attention to CISA’s internal policies and procedures.
Both letters singled out personnel and budget cutbacks at the agency as a potential contributor to the incident.
CISA and Nightwing: acknowledgement, investigation, and referral
CISA issued a brief statement saying it was "aware of the reported exposure and is continuing to investigate the situation." The agency added, "Currently, there is no indication that any sensitive data was compromised as a result of this incident," and said it is working "to ensure additional safeguards are implemented to prevent future occurrences." A Nightwing spokesperson, for the contractor reportedly maintaining the repository, referred questions to CISA.
Security community reactions: GitGuardian, WatchTowr, Infoblox, and Rubrik
Security professionals expressed alarm about the scope of the exposure and the potential for misuse. Ben Harris, founder of WatchTowr, described the kind of exposure that occurred for CISA as "an unfortunately painful, but common and repeated, if not relentless, way that we see organizations inadvertently leak very sensitive credentials to the wider web." Harris declined to speculate on attacker capabilities but said it would be "terrifying" if a contractor had been transferring information from work to home, a theory another researcher floated.
Dave Mitchell, senior director of threat intelligence at Infoblox, emphasized controls and audits across repositories, calling GitHub misconfigurations "a recurring nightmare" that can turn a single accidental upload into "a major incident." Travis Rosiek, public sector chief technology officer at Rubrik, noted the timing of the discovery aligned with the government shutdown that had only recently resolved for DHS and argued the event highlighted a need to prioritize resilience, citing "a persistent shortage of cybersecurity talent, combined with funding lapses, high workforce turnover, and an increasingly complex threat landscape" as contributors to a "perfect storm."
Some researchers stressed mitigating context: Valadon said CISA acted swiftly to remove the repository after he alerted the agency, and Harris cautioned that human error remains a daily reality across organizations, including cybersecurity firms.
What this means for technologists, policymakers, and contractors
- Technologists and security teams: The incident underscores the need for repository audits and automated controls to detect hardcoded keys and misconfigurations, echoing Infoblox’s warning that "all it takes is one accidental upload or misconfiguration."
- Policymakers and congressional oversight: Lawmakers who requested briefings will press CISA for forensic detail, remediation steps, and an explanation of whether personnel and budget constraints linked to the agency’s internal posture played a role.
- Contractors and vendor managers: The reported involvement of a contractor and a Nightwing referral to CISA highlights scrutiny over contractor practices, data handling, and internal controls when contractors maintain repositories containing sensitive credentials.
This episode leaves several concrete threads in motion: CISA's ongoing investigation, the classified and unclassified briefings congressional Democrats have requested, and scrutiny of contractor practices. The agency currently maintains "no indication that any sensitive data was compromised," but the discovery of privileged credentials tied to AWS GovCloud and internal CISA systems — and the involvement of a contractor — will shape the answers lawmakers and security professionals now demand.




