
A public GitHub repository named “Private-CISA” contained plaintext passwords, SSH private keys, tokens, and other sensitive CISA assets exposed since at least November 2025. The repository was identified through public code scanning, and the repository owner did not respond to inquiries. Claims indicated that GitHub’s default protections against committing secrets were disabled by the repository administrator. Testing confirmed the credentials were real and enabled access to multiple Amazon Web Services GovCloud accounts at a high privilege level. The repository appeared to be managed by a Virginia-based CISA contractor, which did not comment publicly and redirected questions to CISA. The incident follows another CISA-related security failure involving sensitive documents shared with ChatGPT after an exemption.
"A public GitHub repo – named, somewhat aspirationally, “Private-CISA” – was brought to Krebs' attention by GitGuardian's Guillaume Valadon, who was alerted to the repo's presence by GitGuardian's public code scans. Krebs says that Valadon approached him after receiving no responses from the Private-CISA repo's owner."
"In an email to Krebs, Valadon claimed that the repo's commit logs show that GitHub's default protections against committing secrets – protections designed to protect unwitting or unskilled developers against exactly this kind of stupidness – had been disabled by the repo's administrator."
"Testing by Seralys founder Philippe Caturegli showed that this was not a joke or hoax and that he was able to use the credentials in the Private-CISA repo to gain access to multiple Amazon Web Services GovCloud accounts “at a high privilege level.”"
"Krebs notes that the repo appeared to be managed by Virginia-based Nightwing, a CISA contractor. Nightwing has so far not commented publicly, instead referring questions back to CISA. This isn't the first time CISA has screwed up – in fact, it's not even the first time this year."
Read at Ars Technica