A long-time CISA contractor left active government agency secrets so blatantly exposed that researchers initially thought it was a hoax.

GitGuardian researcher Guillaume Valadon discovered a public GitHub repository named “Private-CISA” on May 14. It contained 844 MB of plain-text passwords, AWS tokens, and Entra ID SAML certificates.

The “as bad as you can get” GitHub repo was created by a contractor from cybersecurity and technology services firm Nightwing in November 2025. 

Virginia-based Nightwing describes itself as “privileged to partner with top intelligence and security agencies on their most consequential missions.” It also supports US Cyber Command and the Missile Defence Agency.

Valadon said GitGuardian had already tried to contact the account holder seven times in the last two months about detected exposed secrets. 

Valadon, who spent 10 years working in cybersecurity for the French government and researches these breaches daily, told The Stack: “At first, I really thought it was fake and a hoax, because everything was so bad.”

The repo contained keys to the cybersecurity agency’s GovCloud AWS environment, alongside a wealth of documentation on its cloud infrastructure, software deployment and tooling, and internal operations. 

CISA only took action after the researchers reached out to individual contacts at the agency and disclosed the incident to security reporter Brian Krebs to forward to his contacts in the federal government. 

The CEO of security consultancy Seralys, Philippe Caturegli, told The Stack he was able to gain access to three CISA GovCloud environments using the exposed credentials and confirmed full admin access to S3 buckets, EC2 and secrets manager – to reveal even more keys – with “minimal recon”.

When approached by The Stack for comment, a Nightwing spokesperson said: “As you are asking about a CISA contractor, I need to refer you to them for official comment.”

A CISA spokesperson said: “The Cybersecurity and Infrastructure Security Agency (CISA) is aware of the reported exposure and is continuing to investigate the situation. Currently, there is no indication that any sensitive data was compromised as a result of this incident.”

They added: “While we hold our team members to the highest standards of integrity and operational awareness, we are working to ensure additional safeguards are implemented to prevent future occurrences.” 

CISA secrets breach: Painfully obvious?

“My daily job at GitGuardian is to look at these leaks and these hard-coded secrets, but everything that was in there was bad,” Valadon told The Stack, adding that the sheer scale and blatancy of the breach was what stood out to him the most.

“We had backups. We had personal documents, travel documents for the person doing the leak. (...) We had perfectly stored hard-coded secrets in file names, important AWS keys, AWS passwords.” 

The directories were labeled in plain text: “Backup-April-2026” and “ENTRA ID - SAML Certificates/”. The files, “Important AWS Tokens.txt” and “external-secret-repo-creds.yaml,” were similarly obvious. Valadon said their contents, AWS secrets and GitHub tokens, were astonishing.

“I knew that he would never answer if I reached out to him directly,” Valadon said of the email address connected to the public repo, noting the prior emails from the GitGuardian platform.

After his responsible disclosure to CISA was met with an automated response, Valadon reached out to people in GitGuardian’s network and to cyber “whistleblower” Brian Krebs.

Within an hour of getting through to a CISA employee, the GitHub repo had been removed and 48 hours after the discovery the AWS keys had been revoked, Caturegli said. 

Exposed secrets and lateral movements 

Caturegli, who goes by chief hacking officer at Seralys, told The Stack he investigated whether the AWS credentials in the repo were still valid while waiting for CISA’s response.

They managed to access multiple AWS cloud environments and secret managers. “We refrained from exploiting anything beyond what was in the public repo but when we’ve established how bad it could be for the CISA we’ve escalated the issue via a direct contact.”

Caturegli also said that it appeared that the GitHub account holder had bypassed GitHub’s security recommendations and submitted over 200 commits in six months. “It looks like he used it as a scratchpad or means to sync files between two computers. Not realizing that the repo was public maybe.” 

Valadon said the worst-case scenario, if the keys have got into the hands of threat actors, would be persistent access to CISA’s environment. “Threat actors, North Korea, Russia, insert any other groups, they will likely do persistence.”

The French researcher also highlighted this as an industry problem with contractors who are paid lower wages and encouraged to work fast: “By going fast, you don't apply rules. I mean, good rules when it comes to security or IT hygiene.

“At the end of the day, you hardcode the secrets and they stay, I would say, alive forever.”

The incident comes after certain major critical national infrastructure (CNI) providers in the financial services sector stopped sharing certain cybersecurity information with federal regulators in the wake of an extensive breach of the Office of the Comptroller of the Currency in 2025.

Other government agencies have also seen serious incidents.

MITRE (an organisation set up to “advance national security in new ways”) was breached via a zero day in its Ivanti appliances in 2024, with private network NERVE, which hosts a “virtual development environment for all military branches and their respective weapons systems” compromised.

Multiple federal agencies, meanwhile, were breached after hackers gained access to sensitive Microsoft systems in 2023.
