"The Worst Leak I've Witnessed": How a CISA Contractor Left America's Cyber Keys in the Open

A Nightwing contractor maintained a public GitHub repository called Private-CISA that exposed AWS GovCloud admin credentials, plaintext passwords for dozens of internal CISA systems, and DevSecOps secrets for six months — and the agency's AWS keys remained active for 48 hours after the repository was finally taken offline.

Published June 7, 2026

A Repository Named 'Private-CISA' That Was Anything But

The name alone tells the story. A government contractor at Nightwing, a Dulles, Virginia-based firm, created a public GitHub repository in November 2025 and called it Private-CISA. For roughly six months, that repository sat accessible to anyone with an internet connection, containing administrative credentials to three Amazon Web Services GovCloud accounts, SSH keys, tokens, plaintext usernames and passwords for dozens of internal CISA systems, and documentation detailing the agency's secure software development infrastructure.

The exposure was discovered in May 2026 not by CISA's own monitoring, but by Guillaume Valadon, a researcher at GitGuardian whose company continuously scans public code repositories for exposed secrets. Valadon's assessment, delivered with the authority of a professional who has reviewed thousands of such incidents, was unambiguous: this was, in his words, "the worst leak that I've witnessed in my career." A second researcher, Philippe Caturegli of the security consultancy Seralys, independently confirmed the severity of what had been left in the open.

How It Happened — and Why It Lasted Six Months

According to Valadon, the contractor was using the repository as a transfer mechanism between work and home devices — a practice he described as less secure than simply emailing sensitive documents to oneself. The workflow itself reflects a broader failure in contractor security hygiene: individuals working with sensitive government systems who lack adequate tooling or policy guidance for moving files outside the office perimeter, and who reach for whatever is familiar and convenient.

The technical failures compounded the human one. The contractor had turned off GitHub's default secret scanning and push protection, the features that flag credentials committed to public repositories and block pushes that contain them. A file named 'AWS-Workspace-Firefox-Passwords.csv', evidently a Firefox password export, sat in the repository holding plaintext credentials for dozens of systems. The passwords themselves followed a pattern any attacker would try first: the platform's name followed by the current year. Among the systems with exposed credentials was CISA's own 'Landing Zone DevSecOps' environment, the pipeline through which the agency develops and ships its software.
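To make the secret-scanning control concrete, here is an added example (not code from the page, CISA, Nightwing, GitGuardian or GitHub): a minimal scanner of the kind a pre-commit hook or push protection runs. It checks arbitrary text for AWS access key IDs, labelled secret keys and private-key headers, and checks a Firefox password export for plaintext rows and for passwords built from the platform name plus a year, the pattern described above. The sample inputs are constructed: the key pair is AWS's documented placeholder (AKIAIOSFODNN7EXAMPLE), the example.gov hosts and usernames are invented, and the CSV column layout is Firefox's real export format.

```python
"""Minimal secret scanner of the kind GitHub push protection or a pre-commit hook
runs. Added illustration, not code from CISA, Nightwing, GitGuardian or GitHub.
All sample inputs are constructed; no real credentials or hosts appear."""
import csv
import io
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# AWS long-term (AKIA) and temporary (ASIA) access key IDs: prefix + 16 base32 chars.
AWS_KEY_ID = re.compile(r"\b((?:AKIA|ASIA)[A-Z2-7]{16})\b")
# A bare 40-char secret is too generic to flag alone; require its label beside it.
AWS_SECRET = re.compile(
    r"(?i)aws[_\- ]?secret[_\- ]?access[_\- ]?key\W{0,5}([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])")
PRIVATE_KEY = re.compile(r"-----BEGIN (?:RSA |OPENSSH |EC |DSA )?PRIVATE KEY-----")
TRAILING_YEAR = re.compile(r"(?:19|20)\d{2}$")
GENERIC_LABELS = {"www", "com", "gov", "mil", "net", "org", "int", "edu"}


@dataclass(frozen=True)
class Finding:
    kind: str
    line: int
    hint: str  # redacted on purpose: scanner output must not re-leak the secret


def redact(secret: str) -> str:
    return secret[:4] + "..." if len(secret) > 4 else "..."


def scan_text(text: str) -> list[Finding]:
    """Scan a config, .env, script or shell history line by line for credentials."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        for m in AWS_KEY_ID.finditer(line):
            findings.append(Finding("aws_access_key_id", n, redact(m.group(1))))
        for m in AWS_SECRET.finditer(line):
            findings.append(Finding("aws_secret_access_key", n, redact(m.group(1))))
        if PRIVATE_KEY.search(line):
            findings.append(Finding("private_key", n, "-----BEGIN ... PRIVATE KEY-----"))
    return findings


def platform_tokens(url: str) -> set[str]:
    """Name parts of the host, e.g. {'artifactory', 'example'} for artifactory.example.gov."""
    host = urlparse(url).hostname or url
    return {t for t in re.split(r"[.\-_]", host.lower())
            if len(t) >= 3 and t not in GENERIC_LABELS}


def weak_platform_year(url: str, password: str) -> bool:
    """True for <platform name><year> passwords such as Artifactory2026 or Gitlab-2025!."""
    p = re.sub(r"[^a-z0-9]", "", password.lower())
    m = TRAILING_YEAR.search(p)
    return m is not None and p[:m.start()] in platform_tokens(url)


def scan_firefox_csv(text: str) -> list[Finding]:
    """A Firefox 'Export Logins' file holds url,username,password in plaintext, so every
    row is a finding; rows whose password is guessable from the host name are flagged too."""
    findings = []
    for n, row in enumerate(csv.DictReader(io.StringIO(text)), start=2):  # row 1 = header
        findings.append(Finding("plaintext_password", n, row["url"]))
        if weak_platform_year(row["url"], row["password"]):
            findings.append(Finding("weak_platform_year_password", n, row["url"]))
    return findings


# Constructed samples. The key pair is AWS's documented placeholder, not a live credential.
SAMPLE_ENV = """\
# constructed .env fragment
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
-----BEGIN OPENSSH PRIVATE KEY-----
"""

SAMPLE_CSV = """\
"url","username","password","httpRealm","formActionOrigin","guid","timeCreated","timeLastUsed","timePasswordChanged"
"https://artifactory.example.gov","svc-build","Artifactory2026",,"https://artifactory.example.gov","{1}",0,0,0
"https://gitlab.example.gov","j.doe","Gitlab2025!",,"https://gitlab.example.gov","{2}",0,0,0
"https://vault.example.gov","admin","x7#Lq9vR!pWn2sKd",,"https://vault.example.gov","{3}",0,0,0
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_ENV) + scan_firefox_csv(SAMPLE_CSV):
        print(f"{f.kind:28} line {f.line:<3} {f.hint}")
```

Run directly, the block prints each finding with the secret redacted. Wiring scan_text into a pre-commit script over the staged diff, exiting non-zero on any finding, is the local equivalent of the push protection the contractor switched off; the Firefox check is the kind of rule a scanner needs in addition to token patterns, because a plaintext password export matches no well-known key format at all.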

The 48-Hour Window After Discovery

What happened after Valadon's disclosure is, in some respects, more alarming than the initial exposure. When KrebsOnSecurity published its report on May 18, 2026, the GitHub repository was taken offline — but the AWS GovCloud keys remained valid for another 48 hours. Any actor who had downloaded the credentials before the repository was removed retained live access to CISA's cloud infrastructure for two full days after the agency was aware of the breach.

Incident response frameworks for credential compromise have a single non-negotiable first step: revoke the credentials immediately. Deactivating an exposed IAM access key is a one-line API call, and it belongs before the takedown, not after it, because removing the public copy does nothing about copies already cloned. The 48-hour gap between repository takedown and key invalidation suggests either that CISA's response procedures did not treat the exposure as an immediate revocation event, or that the agency lacked centralised visibility into which keys existed and needed to be rotated. In an environment managing GovCloud accounts, by definition among the most sensitive compute infrastructure in the federal government, neither possibility is acceptable. Revocation also only closes the forward window: CloudTrail in the three accounts still has to be searched for any activity under the exposed access key IDs across the full six months before anyone can say what was or was not touched.

CISA's Response and the Credibility Gap

CISA's official statement offered what has become a familiar form of institutional non-answer: "Currently, there is no indication that any sensitive data was compromised as a result of this incident." The framing is technically defensible and substantively hollow. The absence of detected exfiltration is not the same as the absence of exfiltration. Sophisticated actors do not announce themselves, and the six-month window of exposure is more than long enough for quiet, targeted collection.

Congressional reaction was swift. Letters demanding answers arrived from Senator Maggie Hassan and Representatives Bennie Thompson and Delia Ramirez. The political attention reflects a recognition that this is not an ordinary contractor error — CISA is the agency that other agencies look to for guidance on exactly this kind of breach. The credibility cost of being the subject of "the worst leak" a career GitGuardian researcher has encountered is difficult to overstate.

What This Exposes About Contractor Security in Government

The Nightwing incident is not an isolated case. Government agencies routinely rely on contractors who work across multiple clients, carry credentials on personal devices, and operate with security practices calibrated for commercial environments rather than GovCloud requirements. The supply chain, whether the software vendors compromised in SolarWinds or the contractors who operate agency systems, is one of the most consistently exploited vectors in federal breaches, and the structural incentives that produce the problem (lowest-cost bidding, insufficient security requirements in contracts, inadequate monitoring of contractor behaviour) have not meaningfully changed.

What has changed is the blast radius. GovCloud credentials give access not to a single application but to an entire compute environment. The Artifactory artifact repository exposed in the breach means that even the software supply chain CISA uses to build its own defences was potentially within reach: whoever can write to an artifact repository can alter what every downstream build consumes. For an agency whose mandate includes protecting other agencies from exactly this class of threat, the gap between posture and practice is stark.

Lessons for Enterprise and Public Sector Security Teams

The CISA breach offers a set of controls failures that enterprise security teams should audit against immediately. First: credential hygiene in contractor access — are third parties required to use managed devices, approved transfer mechanisms, and credential vaulting? Second: secret scanning — is it enabled, enforced, and monitored across every repository the organisation maintains, including those under contractor control? Third: credential revocation speed — what is the measured time from detection to revocation, and is that measured in minutes or hours, not days?

We see this incident as a stress test that most organisations would also fail. The controls that would have prevented the Nightwing breach are not exotic — they are standard practice recommendations that have existed for years. The fact that they were absent at the agency responsible for federal cybersecurity guidance is a reminder that the distance between policy and implementation is where breaches live. Closing that gap requires operational discipline, not just better frameworks.

Tagged: #news #security #breach #cisa #aws #govcloud #government