The CISA GitHub data leak 2026 is one of the most damaging government cybersecurity incidents in recent history — made worse by who it happened to. A contractor working for the Cybersecurity and Infrastructure Security Agency maintained a public GitHub repository named “Private-CISA” that exposed administrative credentials to three Amazon AWS GovCloud servers, plaintext usernames and passwords for dozens of internal CISA systems, Kubernetes configuration files, and access tokens — for approximately six months, from November 2025 until this past weekend. The contractor disabled GitHub’s built-in secrets detection to make it possible. A security researcher called it “the worst leak that I’ve witnessed in my career.” CISA says there is no indication sensitive data was compromised.
The Repository: “Private-CISA” on a Public GitHub Account
The repository at the center of the CISA GitHub data leak 2026 was named “Private-CISA” and was maintained by a contractor employed by Nightwing, a government contractor based in Dulles, Virginia. Nightwing declined to comment when contacted, directing inquiries to CISA.
The repository was created on November 13, 2025 according to its commit logs. The contractor’s GitHub account itself was created in September 2018. Security consultant Philippe Caturegli of Seralys said he suspects the contractor was using the GitHub repository to synchronize files between a work laptop and a home computer — essentially using a public code repository as a personal file transfer mechanism.
“What I suspect happened is [the CISA contractor] was using this GitHub to synchronize files between a work laptop and a home computer, because he has regularly committed to this repo since November 2025,” Caturegli told Krebs on Security. “This would be an embarrassing leak for any company, but it’s even more so in this case because it’s CISA.”
The GitHub account that exposed the CISA secrets exhibits a pattern consistent with an individual operator using the repository as a working scratchpad or synchronization mechanism rather than a curated project repository. The use of both a CISA-associated email address and a personal email address suggests the repository may have been used across differently configured environments.
What Was in the Repository: The Full Scope of the Exposure
The contents of the Private-CISA repository represent a catalog of the most sensitive categories of government cloud infrastructure credentials.
One of the exposed files, titled “importantAWStokens,” included the administrative credentials to three Amazon AWS GovCloud servers. Another file — “AWS-Workspace-Firefox-Passwords.csv” — listed plaintext usernames and passwords for dozens of internal CISA systems. Other exposed files included “kube-config.txt” (Kubernetes cluster configuration), “AWS-Workspace-Bookmarks-April-6-2026.html,” and other internal configuration artifacts. One of the internal systems accessible through the exposed credentials was identified as “LZ-DSO” — apparently short for “Landing Zone DevSecOps” — CISA’s secure code development environment.
Caturegli said the archive also included plain text credentials to CISA’s internal “artifactory” — essentially a repository of all the code packages they are using to build software. He described this as a particularly serious exposure. “That would be a prime place to move laterally. Backdoor in some software packages, and every time they build something new they deploy your backdoor left and right,” he said. The supply chain attack vector this represents is precisely the category of threat that CISA exists to prevent and defend against.
GitHub’s Secrets Detection Was Deliberately Disabled
The CISA GitHub data leak 2026 was not simply the result of a careless upload. The contractor actively worked around GitHub’s built-in protections.
Guillaume Valadon, a researcher at GitGuardian, said the commit logs in the offending GitHub account show that the CISA administrator disabled the default GitHub setting that blocks users from publishing SSH keys or other secrets in public code repositories. “Passwords stored in plain text in a csv, backups in git, explicit commands to disable GitHub secrets detection feature,” Valadon wrote. “I honestly believed that it was all fake before analyzing the content deeper. This is indeed the worst leak that I’ve witnessed in my career. It is obviously an individual’s mistake, but I believe that it might reveal internal practices.”
The deliberate disabling of GitHub’s protections means this was not a case of the default security configuration failing. Someone who understood that GitHub would have blocked the upload of sensitive credentials made a conscious decision to turn that protection off. Whether that decision reflects individual poor judgment, inadequate training, or a broader cultural failure at the CISA contracting level is the question the investigation will need to answer.
The AWS Keys Remained Valid for 48 Hours After Discovery
One of the most alarming details in the CISA GitHub data leak 2026 story is what happened after the exposure was reported.
The GitHub account was taken offline shortly after both KrebsOnSecurity and Seralys notified CISA about the exposure. But Caturegli said the exposed AWS keys inexplicably remained valid for another 48 hours after the repository was taken down.
That 48-hour window between repository removal and key revocation is a serious procedural failure. Any sophisticated adversary who had already downloaded the credentials from the public repository — and there is no way to determine how many people had — would have had two additional days to authenticate to CISA’s AWS GovCloud infrastructure after the public exposure was closed. The question of whether anyone did so during that window is precisely what CISA’s investigation needs to determine.
Caturegli Validated the AWS Keys at High Privilege Level
The credentials exposed in the Private-CISA repository were not test credentials or read-only tokens. They provided high-level administrative access.
Caturegli said he validated that the exposed credentials could authenticate to three AWS GovCloud accounts at a high privilege level. He tested the AWS keys only to determine whether they were still valid and to assess the scope of the exposure, not to access any data. He said the passwords on many of the credentials followed a predictable pattern — each platform’s name followed by the current year.
Such practices would constitute a serious security threat for any organization even if those credentials were never exposed externally, Caturegli noted. Threat actors routinely use key credentials exposed on internal networks to expand their access after establishing initial access to a targeted system.
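An audit for the password pattern described above (a platform's name followed by a year), run over a credential export so that affected accounts can be rotated. This is an added example, not code from the article or from any party it names; the CSV column names url, username and password, and every host and value in the sample, are assumptions constructed for illustration.

```python
import csv
import io
import re
from urllib.parse import urlparse

# Constructed sample; column names (url, username, password) are assumed,
# and all hosts and values are invented for illustration.
SAMPLE_CSV = """url,username,password
https://jenkins.example.internal,admin,Jenkins2026
https://artifactory.example.internal,build,artifactory2026!
https://grafana.example.internal,ops,t7#Vq9xLm2pR
https://gitlab.example.internal:8443,deploy,GitLab-2025
"""

YEAR = re.compile(r"(19|20)\d{2}")
NON_ALNUM = re.compile(r"[^a-z0-9]")


def platform_labels(url):
    """Candidate platform names: the DNS labels of the URL's host."""
    host = urlparse(url).hostname or ""
    return [label for label in host.lower().split(".") if len(label) >= 3]


def is_platform_year(url, password):
    """True if the password is a platform label plus a four-digit year,
    ignoring case and punctuation (e.g. 'GitLab-2025', 'jenkins2026!')."""
    norm = NON_ALNUM.sub("", password.lower())
    match = YEAR.search(norm)
    if not match:
        return False
    remainder = norm[:match.start()] + norm[match.end():]
    return remainder in platform_labels(url)


def audit(csv_text):
    """Return (url, username) for each matching row.
    Passwords are never returned or printed."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [(r["url"], r["username"]) for r in rows
            if is_platform_year(r["url"], r["password"])]


if __name__ == "__main__":
    for url, user in audit(SAMPLE_CSV):
        print(f"predictable password: {user} @ {url}")
```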
CISA’s Response: “No Indication of Compromise”
CISA issued a brief statement in response to questions from Krebs on Security.
“Currently, there is no indication that any sensitive data was compromised as a result of this incident,” the CISA spokesperson wrote. “While we hold our team members to the highest standards of integrity and operational awareness, we are working to ensure additional safeguards are implemented to prevent future occurrences.”
The phrase “no indication of compromise” is standard incident response language and is technically accurate — it does not mean compromise did not occur, only that investigators have not yet found evidence it did. Given that the keys remained valid for 48 hours after the repository was removed, and given that the repository was publicly accessible for approximately six months, the investigation’s conclusion will carry significantly more weight than the initial statement.
The Broader Context: CISA Under Pressure
The CISA GitHub data leak 2026 arrives at a moment when the agency is already operating under significant institutional strain. CISA has faced funding cut proposals, leadership instability with acting directors who have not been confirmed by the Senate, and a period of organizational uncertainty following staffing reductions. The contractor responsible for the exposure worked for Nightwing, a firm that provides technology services to the federal government.
CISA was created in 2018 and serves as the nation’s primary civilian cybersecurity agency — responsible for protecting federal networks, critical infrastructure, and providing guidance to the private sector on cybersecurity best practices. It is, in the most direct possible sense, the agency whose primary mission is preventing exactly the category of exposure that one of its own contractors created.
Broader Implications: What the CISA Leak Means for Government Cybersecurity
The CISA GitHub data leak 2026 is not primarily a story about one contractor’s poor judgment. It is a story about the systemic conditions that made that poor judgment consequential. The contractor disabled security protections. The credentials were not rotated. The keys remained valid after discovery. The repository sat publicly accessible for months.
Each of those failures represents a procedural or technical control that should have caught the problem before it became a six-month exposure. The artifactory backdoor attack vector that Caturegli described — the ability to inject malicious code into CISA’s software build pipeline and have that code automatically deployed into production systems — is precisely the kind of supply chain compromise that CISA has spent years warning the private sector about.
Latest Updates
The CISA GitHub data leak 2026 investigation is ongoing. Here is where to follow the full story:
- Krebs on Security has the full investigative report on the CISA GitHub data leak, including the complete file list from the Private-CISA repository, Philippe Caturegli’s AWS key validation findings, Guillaume Valadon’s GitGuardian disclosure, the Nightwing contractor connection, and CISA’s official statement.
- Gizmodo has the full analysis of the CISA GitHub data leak 2026, including the irony of America’s top cybersecurity agency exposing its own credentials, the six-month exposure timeline, and the broader context of CISA’s institutional difficulties.
- Alternet has coverage of the political context behind CISA’s cybersecurity failures, including the ongoing challenges facing the agency and what the GitHub data leak means for the Trump administration’s cybersecurity posture.
FAQ: CISA GitHub Data Leak 2026
1. What was exposed in the CISA GitHub data leak? A public GitHub repository named “Private-CISA,” maintained by a Nightwing contractor working for CISA, exposed administrative credentials to three AWS GovCloud accounts, plaintext usernames and passwords for dozens of internal CISA systems in a CSV file, Kubernetes configuration files, access tokens, and credentials to CISA’s internal software build repository (artifactory). The contractor had deliberately disabled GitHub’s built-in secrets detection.
2. How long was the CISA GitHub data leak active? The Private-CISA repository was created on November 13, 2025 and was taken offline over the weekend of May 17-18, 2026 — a period of approximately six months. Additionally, the exposed AWS keys remained valid for another 48 hours after the repository was removed, extending the potential window of unauthorized access.
3. Who discovered and reported the CISA GitHub data leak? Guillaume Valadon, a researcher at GitGuardian — a company that continuously scans public code repositories for exposed secrets — discovered the repository and alerted KrebsOnSecurity on May 15, 2026 after the repository owner did not respond to GitGuardian’s automated notifications. Valadon called it “the worst leak that I’ve witnessed in my career.”
4. Were the exposed CISA AWS credentials actually working? Yes. Security consultant Philippe Caturegli of Seralys independently validated that the exposed credentials could authenticate to three AWS GovCloud accounts at a high privilege level. He also confirmed that the artifactory credentials were valid — meaning an attacker could potentially have injected malicious code into CISA’s software build pipeline.
5. What did CISA say about the GitHub data leak? CISA stated: “Currently, there is no indication that any sensitive data was compromised as a result of this incident. While we hold our team members to the highest standards of integrity and operational awareness, we are working to ensure additional safeguards are implemented to prevent future occurrences.” CISA has not answered questions about the duration of the exposure or why the AWS keys remained valid for 48 hours after the repository was removed.




