A Nightwing contractor working for CISA created a public GitHub repository named “Private-CISA” in November 2025, and left it there for six months. The repo contained AWS GovCloud admin keys, a CSV file named AWS-Workspace-Firefox-Passwords.csv with plaintext passwords, and credentials granting access to CISA’s LZ-DSO Landing Zone DevSecOps environment. KrebsOnSecurity [1] broke the story on May 18. By May 22, congressional Democrats were demanding briefings, and the agency was still rotating credentials.
What sat on GitHub, and for how long
The contractor had also disabled GitHub’s built-in secret-scanning protections. Guillaume Valadon, a researcher at GitGuardian who discovered the exposed repository, told KrebsOnSecurity [1] the leak was “the worst leak that I’ve witnessed in my career.”
The congressional response
Sen. Maggie Hassan (D-NH) sent a letter to CISA acting director Nick Andersen on May 19 demanding answers. Reps. Bennie Thompson (D-MS) and Delia Ramirez (D-IL) sent a separate letter the same day [2] requesting a briefing on the lapse, the remediation timeline, and what corrective actions would apply to the contractor.
Thompson and Ramirez did not mince words. In their letter as reported by GovExec [3], they wrote that “a substantially reduced workforce, coupled with the administration’s indifference to security, created the conditions that allowed such a significant security lapse to occur” and that “the incident undermines CISA’s credibility.”
All congressional action reported so far comes from Democrats. No Republican-led response has been documented as of May 23.
The staffing context
According to KrebsOnSecurity’s reporting [2], CISA has lost over a third of its workforce and nearly all of its senior leaders since the start of the second Trump administration, through forced early retirements, buyouts, and resignations. The agency is operating under an acting director. Whether a fully staffed internal security review would have caught the Nightwing contractor’s lapse earlier is speculative, but the parallel is hard to ignore: the federal agency responsible for advising critical-infrastructure operators on credential hygiene could not rotate its own keys in under a week.
Why this matters beyond CISA’s perimeter
The structural problem is not the leaked keys themselves, serious as they are. CISA is the agency that will enforce the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), which mandates that covered entities report qualifying incidents to the federal government.
The regime depends on a single precondition: that the companies handing over breach telemetry trust CISA to keep it confidential. A contractor publishing admin credentials to a public GitHub repo for six months does not directly expose CIRCIA reports. But it corrodes the confidence that makes information sharing work, and CIRCIA’s mandatory reporting rules have not yet taken final shape. The CIRCIA notice of proposed rulemaking [4] remains in process. Town hall meetings for stakeholder input have been postponed due to the lapse in DHS appropriations, with no rescheduled dates announced.
What compliance and security teams should do now
For operators sharing data with CISA through existing channels, the immediate steps are procedural rather than technical:
- Inventory what you have shared. Document every CIRCIA-related communication and incident report held by CISA. Know what exposure would look like if a future breach hit the agency’s systems rather than just its credentials.
- Review data-sharing agreements. Check whether your information-sharing agreements with CISA include breach-notification clauses that apply when CISA itself is the breached party. Many were written with the assumption that the risk ran in one direction.
- Pressure-test your own contractor hygiene. The mechanism of this leak was mundane: a contractor pushed secrets to a public repo with scanning disabled. If the nation’s cybersecurity agency cannot enforce this baseline on its own supply chain, the same gap exists in most organizations that rely on third-party administrators.
- Track the CIRCIA rulemaking. The NPRM timeline is stalled. When the rule finalizes, covered entities will have to report incidents within a defined window. The question of whether CISA can protect those reports is now a live political question, not a theoretical one, and compliance teams should factor it into their risk assessments.
The broader question Congress is being pressed toward is one it has avoided: who audits the federal agency that audits everyone else’s cyber posture. The Nightwing leak does not answer that question, but it makes it harder to defer.
Frequently Asked Questions
Were any CISA secrets still unrotated after the agency was notified?
Yes. TruffleHog creator Dylan Ayrey discovered an RSA private key granting full access to all CISA-IT GitHub repositories still active on May 20 — days after GitGuardian notified CISA. CISA invalidated that key only after KrebsOnSecurity contacted the agency a second time, indicating the initial rotation missed high-value secrets.
Is there evidence that attackers harvested the credentials during the six-month window?
No confirmed exploitation has been reported, but Dylan Ayrey has warned that attackers actively monitor GitHub’s public commit firehose and may already hold the credentials. The repo was created on November 13, 2025, meaning the AWS GovCloud admin keys, plaintext password CSV, and RSA keys were accessible to anyone scraping public repositories for over five months before discovery.
What made this leak worse than typical government credential exposures?
Valadon’s assessment reflects the combination of breadth and duration: a single repo exposed admin-level access to CISA’s AWS GovCloud environment, a DevSecOps landing zone, plaintext browser passwords, and GitHub repository keys — all with built-in secret scanning deliberately disabled. Most credential leaks involve one secret type in one system; this exposed credentials across multiple independent CISA infrastructure layers simultaneously.
Has any Republican lawmaker responded to the CISA leak?
As of May 23, only Democratic lawmakers — Hassan, Thompson, and Ramirez — have sent letters or demanded briefings. No Republican-led response has been documented. The partisan split matters because CIRCIA’s rulemaking and any legislative hearing on CISA’s security posture would require bipartisan support to produce structural changes to the agency’s oversight or funding.