Security researcher Brian Krebs brings us the news that America’s Cybersecurity & Infrastructure Security Agency (CISA) has had a large store of plaintext passwords, SSH private keys, tokens, and “other sensitive CISA assets” exposed in a public GitHub repo since at least November 2025.
The now-offline public repo, named, somewhat aspirationally, “Private-CISA”, was brought to Krebs’ attention by GitGuardian’s Guillaume Valadon, who was alerted to the repo’s existence by GitGuardian’s public code scans. Krebs says that Valadon approached him after receiving no response from the Private-CISA repo’s owner.
In an email to Krebs, Valadon said that the repo’s commit logs show that GitHub’s default protections against committing secrets (protections designed to guard unwitting or inexperienced developers against exactly this sort of stupidity) had been disabled by the repo’s administrator.
Testing by Seralys founder Philippe Caturegli confirmed that this was not a joke or hoax and that he was able to use the credentials in the Private-CISA repo to gain access to multiple Amazon Web Services GovCloud accounts “at a high privilege level.”
Krebs notes that the repo appeared to be managed by Virginia-based Nightwing, a CISA contractor. Nightwing has so far not commented publicly, instead referring questions back to CISA.
This isn’t the first time CISA has screwed up; in fact, it’s not even the first time this year. In January, polygraph-failing acting CISA Director Madhu Gottumukkala uploaded sensitive government documents to ChatGPT after demanding and receiving an exemption to the agency policy that prohibited ChatGPT’s use by CISA personnel. Gottumukkala was removed from his position in February.