The U.S. Cybersecurity and Infrastructure Security Agency (CISA) exposed plaintext passwords, SSH private keys, tokens, and other sensitive credentials in a public GitHub repository named "Private-CISA." The repository was publicly accessible for at least six months, from November 2025 until it was taken offline between May 17 and May 19, 2026 [1, 2, 3].
The exposed credentials were discovered by GitGuardian researcher Guillaume Valadon, who alerted security reporter Brian Krebs after repeated attempts to contact the repository owner failed [2, 3]. Testing by Seralys founder Philippe Caturegli confirmed the credentials were valid and granted high-level access to multiple Amazon Web Services GovCloud accounts [2].
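The kind of check that surfaces a leak like this is a secret scan over repository contents. The block below is an added example written for this page; it is not code from CISA, Nightwing, GitGuardian or the reporters cited, and its detectors are deliberately simplified versions of the patterns real scanners use for the credential types named above (SSH private keys, AWS access keys, hard-coded passwords). The sample repository is constructed; the AWS key ID and secret are the placeholder values AWS publishes in its own documentation, not live credentials.

```python
"""Minimal secret scanner for repository text.

Added example for this page; not the code of any party named in the article.
Detectors are simplified and will miss many real secret formats.
"""
import re
from dataclasses import dataclass

PATTERNS = {
    # PEM header of an SSH/TLS private key, any common key type.
    "ssh_private_key": re.compile(
        r"-----BEGIN (?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY-----"),
    # AWS access key IDs are 20 chars: AKIA (long-term) or ASIA (STS) + 16.
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    # AWS secret access keys are 40 base64-style chars, usually next to a label.
    "aws_secret_access_key": re.compile(
        r"(?i)aws_secret_access_key\s*[:=]\s*['\"]?([A-Za-z0-9/+=]{40})"),
    # Hard-coded password assignments in config or source files.
    "plaintext_password": re.compile(
        r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*['\"]?([^\s'\"]{8,})"),
}

# Values that match a secret shape but are placeholders, not credentials.
PLACEHOLDERS = re.compile(r"(?i)^(?:<.*>|\$\{.*\}|changeme\w*|example|xxx+)$")


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    kind: str
    redacted: str  # never log the full value of a suspected secret


def redact(value: str) -> str:
    """Keep a short prefix so the scan report cannot itself leak the secret."""
    return f"{value[:4]}...{len(value)}chars"


def scan_text(path: str, text: str) -> list[Finding]:
    """Return one Finding per (line, detector) hit, placeholders excluded."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pat in PATTERNS.items():
            m = pat.search(line)
            if not m:
                continue
            value = m.group(1) if m.groups() else m.group(0)
            if PLACEHOLDERS.match(value):
                continue
            findings.append(Finding(path, lineno, kind, redact(value)))
    return findings


def scan_tree(files: dict[str, str]) -> list[Finding]:
    """files maps a repo-relative path to its text content."""
    out = []
    for path in sorted(files):
        out.extend(scan_text(path, files[path]))
    return out


# Constructed sample repository (not the real "Private-CISA" contents).
# AWS values are the examples from AWS documentation; the PEM body is fake.
SAMPLE_REPO = {
    "deploy/aws.env": (
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    "keys/id_rsa": (
        "-----BEGIN OPENSSH PRIVATE KEY-----\n"
        "b3BlbnNzaC1rZXktdjEAAAAA...constructed...\n"
        "-----END OPENSSH PRIVATE KEY-----\n"
    ),
    "config/db.yaml": "user: app\npassword: Tr0ub4dor&3xample\n",
    # Templated value: matches the password shape but is a placeholder.
    "README.md": "Set password = ${DB_PASSWORD} before running.\n",
}

if __name__ == "__main__":
    for f in scan_tree(SAMPLE_REPO):
        print(f"{f.path}:{f.line} {f.kind} {f.redacted}")
```

Run against the constructed repository it reports four findings (the AWS key ID and secret, the private key header, and the YAML password) and nothing for the templated README line. In practice a check like this belongs in a pre-commit hook and in CI over the full history, not just the working tree, because a secret that was committed and later deleted is still in `git log`.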
The repository was managed by Nightwing, a Virginia-based contractor for CISA. Nightwing referred inquiries to CISA and has not publicly commented on the matter [2]. CISA acknowledged responsibility for the security of its network, including work performed by contractors on the agency's behalf [3].
CISA released a statement saying, "Currently, there is no indication that any sensitive data was compromised as a result of this incident[…] While we hold our team members to the highest standards of integrity and operational awareness, we are working to ensure additional safeguards are implemented to prevent future occurrences" [1].
The agency has faced leadership instability since Director Jen Easterly stepped down on January 20, 2026, without a permanent successor in place. Acting Director Madhu Gottumukkala was removed earlier in 2026 after uploading sensitive government documents to ChatGPT in violation of policy [1, 2, 3].
Security reporter Brian Krebs remarked, "The cyber battlespace evolves — and it is evolving, and unfortunately, faster than a lot of people want to talk about. But battlespace it is" [1].
The exposed repository was removed from public access over the weekend of May 17 to 19, 2026, and investigations continue [1, 2, 3]. Taking the repository offline does not by itself undo the exposure: a public repository can be cloned, forked or indexed by anyone during the months it is visible, so the keys and tokens it contained remain usable until each one is revoked and rotated.