Secret CISA credentials exposed in public GitHub repository
Security researcher Brian Krebs found that the Cybersecurity & Infrastructure Security Agency had a large store of plaintext passwords, SSH private keys, tokens, and "other sensitive CISA assets" exposed in a public GitHub repository named "Private-CISA" since at least November 2025.
The repository is now offline. GitGuardian's Guillaume Valadon, alerted by the company's public code scans, brought the repo to Krebs' attention after receiving no responses from its owner. Valadon told Krebs that the repo's commit logs show GitHub's default protections against committing secrets had been disabled by the repository administrator.
Testing by Seralys founder Philippe Caturegli showed the credentials in Private-CISA could be used to access multiple Amazon Web Services GovCloud accounts "at a high privilege level." The repo appeared to be managed by Virginia-based Nightwing, a CISA contractor, which has so far referred questions back to CISA.