A Nightwing government contractor working for the Cybersecurity and Infrastructure Security Agency maintained a public GitHub repository named “Private-CISA” that exposed administrative credentials to three Amazon AWS GovCloud servers, dozens of plaintext passwords for internal CISA systems, and files detailing how the agency builds, tests and deploys its own software.

Security firm GitGuardian’s Guillaume Valadon flagged the repository to KrebsOnSecurity on May 15. Valadon said the contractor had actively disabled GitHub’s default secret-detection feature, the control that blocks users from publishing SSH keys or sensitive data, before committing the credentials. “This is indeed the worst leak that I’ve witnessed in my career,” Valadon wrote.

Philippe Caturegli of Seralys validated the exposed keys against live AWS GovCloud accounts and confirmed they authenticated with high privileges. A second file, "AWS-Workspace-Firefox-Passwords.csv," listed plaintext credentials for dozens of internal systems, including CISA's Landing Zone DevSecOps environment. Many of the passwords followed a predictable construction: the platform name followed by the current year. Caturegli assessed the exposure as consistent with a contractor syncing files between a work laptop and a home computer, with activity going back to November 13, 2025.
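The two controls this story turns on are both mechanical: the push-protection check the contractor switched off looks for credential-shaped strings before a push lands, and the weak-password observation is a pattern check over a CSV. The script below is an added example written for this page, not code from GitHub, GitGuardian, Seralys or CISA. It assumes a small in-memory set of files whose names echo the story; every value in them is a constructed placeholder (AWS's documented example access key, a truncated dummy SSH key, invented passwords), and the current year is passed in explicitly so the weak-password check is reproducible.

```python
"""Local pre-push secret check: a stand-in for the push protection the
contractor disabled, plus the 'platform name + year' password heuristic."""
import csv
import io
import re
from datetime import date

# Constructed sample input. File names echo the story; every value is a
# placeholder (AWS documentation example keys, a dummy SSH key, made-up
# passwords) and nothing here comes from the leaked repository.
SAMPLE_FILES = {
    "deploy/env.sh": (
        "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
        "export AWS_DEFAULT_REGION=us-gov-west-1\n"
    ),
    "id_rsa": (
        "-----BEGIN OPENSSH PRIVATE KEY-----\n"
        "b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMw==\n"
        "-----END OPENSSH PRIVATE KEY-----\n"
    ),
    "AWS-Workspace-Firefox-Passwords.csv": (
        "url,username,password\n"
        "https://artifactory.example.gov,svc-build,Artifactory2025\n"
        "https://jira.example.gov,jdoe,Jira2024!\n"
        "https://vpn.example.gov,jdoe,Xr7!kQ2#pLm9vB4z\n"
    ),
}

# Detectors of the kind push protection applies. An AWS access key ID is 20
# characters: a four-letter prefix (AKIA long-term, ASIA temporary) and 16
# uppercase alphanumerics. The 40-character secret is only reported when an
# access key ID is present in the same file, which keeps base64 blobs such
# as the body of an SSH key from being flagged as AWS secrets.
KEY_ID_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
SECRET_RE = re.compile(r"(?<![A-Za-z0-9/+])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+=])")
SSH_KEY_RE = re.compile(r"-----BEGIN (?:OPENSSH|RSA|EC|DSA) PRIVATE KEY-----")

# '<word><year>' with at most two trailing symbols, e.g. Artifactory2025.
WEAK_RE = re.compile(r"^[A-Za-z]{3,}((?:19|20)\d{2})[^A-Za-z0-9]{0,2}$")


def scan_text(path, text):
    """Return (path, line_no, kind) for each credential-shaped line."""
    findings = []
    has_key_id = KEY_ID_RE.search(text) is not None
    for no, line in enumerate(text.splitlines(), 1):
        if KEY_ID_RE.search(line):
            findings.append((path, no, "aws_access_key_id"))
        elif has_key_id and SECRET_RE.search(line):
            findings.append((path, no, "aws_secret_access_key"))
        if SSH_KEY_RE.search(line):
            findings.append((path, no, "ssh_private_key"))
    return findings


def is_name_plus_year(password, current_year):
    """True when the password is a word followed by a year within one year of
    current_year: the construction the story says the CSV was full of."""
    m = WEAK_RE.match(password)
    return m is not None and abs(int(m.group(1)) - current_year) <= 1


def scan_password_csv(path, text, current_year):
    """Flag rows of a 'url,username,password' export with weak passwords."""
    findings = []
    for no, row in enumerate(csv.DictReader(io.StringIO(text)), 2):  # header is line 1
        if is_name_plus_year(row.get("password", ""), current_year):
            findings.append((path, no, "name_plus_year_password"))
    return findings


def scan_files(files, current_year):
    """Run both checks over a {path: text} mapping; sorted for stable output."""
    findings = []
    for path, text in files.items():
        if path.lower().endswith(".csv"):
            findings.extend(scan_password_csv(path, text, current_year))
        findings.extend(scan_text(path, text))
    return sorted(findings)


if __name__ == "__main__":
    # Exit non-zero so the script can sit in a pre-push hook and block the push.
    hits = scan_files(SAMPLE_FILES, current_year=date.today().year)
    for path, no, kind in hits:
        print(f"{path}:{no}: {kind}")
    raise SystemExit(1 if hits else 0)
```

Wiring `scan_files` over the staged tree into a `pre-push` hook gives a local equivalent of the control that was turned off; the point of keeping the secret-key regex conditional on an access key ID being present is to keep false positives low enough that nobody is tempted to disable the hook.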

The worst-case scenario runs through CISA's artifactory, the agency's internal code-package repository that feeds every software build. Caturegli called it a "prime place to move laterally": backdoor the packages stored there, and every build the agency runs deploys the malware. A pipeline that pins dependencies by cryptographic hash and verifies package signatures before building narrows that path, since a tampered package then fails verification instead of shipping.

The “Private-CISA” repository came down shortly after KrebsOnSecurity and Seralys notified the agency. Inexplicably, the exposed AWS keys stayed valid, and therefore usable by anyone who had already cloned the repository, for another 48 hours. CISA says it is investigating and has found “no indication” of compromise; it has set no remediation deadline or disclosure timeline. Nightwing declined to comment.

James Okafor