Security researcher Brian Krebs brings us the news that America's Cybersecurity & Infrastructure Agency (CISA) has had a large store of plaintext passwords, SSH private keys, tokens, and "other sensitive CISA assets" exposed in a public GitHub repo since at least November 2025.
The now-offline public repo, named somewhat aspirationally "Private-CISA", was brought to Krebs' attention by GitGuardian's Guillaume Valadon, who was alerted to its presence by GitGuardian's public code scans. Krebs says that Valadon approached him after receiving no response from the Private-CISA repo's owner.
In an email to Krebs, Valadon claimed that the repo's commit logs show that GitHub's default protections against committing secrets (protections designed to guard unwitting or inexperienced developers against exactly this kind of foolishness) had been disabled by the repo's administrator.
Testing by Seralys founder Philippe Caturegli confirmed that this was not a joke or hoax and that he was able to use the credentials in the Private-CISA repo to gain access to several Amazon Web Services GovCloud accounts "at a high privilege level."
Krebs notes that the repo appeared to be managed by Virginia-based Nightwing, a CISA contractor. Nightwing has so far not commented publicly, instead referring questions back to CISA.
This isn't the first time CISA has screwed up; in fact, it's not even the first time this year. In January, polygraph-failing acting CISA Director Madhu Gottumukkala uploaded sensitive government documents to ChatGPT after demanding and receiving an exemption to the agency policy that prohibited ChatGPT's use by CISA personnel. Gottumukkala was removed from his role in February.