CISA exposed internal passwords and cloud keys in public repository

May 20, 2026

The Cybersecurity and Infrastructure Security Agency, the arm of the U.S. government tasked with protecting critical infrastructure from cyber threats, has spent months unknowingly exposing its own secrets online. According to a report from KrebsOnSecurity, passwords, access keys, and authentication tokens tied to internal systems were left publicly accessible in plain text inside a GitHub repository.

The repository, reportedly named “Private-CISA,” contained highly sensitive credentials stored in a simple .CSV file format, including usernames and passwords for internal systems and administrative access tokens for cloud infrastructure. Among the exposed materials was a file titled “importantAWStokens,” which included credentials for three Amazon Web Services GovCloud servers – systems specifically designed for handling sensitive government workloads.

Another file, “AWS-Workspace-Firefox-Passwords.csv,” listed dozens of plaintext login credentials tied to internal CISA environments, including one referred to as “LZ-DSO,” believed to be the agency’s secure DevSecOps development environment. In practical terms, this means access to systems involved in building and securing government software may have been left exposed without encryption or protection.

The issue appears to have originated from a workflow breakdown rather than a sophisticated breach. According to the report, an individual working for Nightwing may have used GitHub as a way to transfer files between a work device and a personal device, essentially treating a public repository like a private file-sharing tool. That decision, combined with the lack of safeguards, resulted in sensitive data being stored in an openly accessible location.

The repository was created in November of last year, suggesting the exposure may have lasted for up to six months before being discovered and addressed over the weekend. However, the exact duration remains unclear, as it depends on when specific files were uploaded.

CISA acknowledged the incident in a statement, saying there is currently no indication that sensitive data was compromised. The agency emphasized that it is implementing additional safeguards to prevent similar occurrences in the future, while also noting that it holds its personnel to high standards of operational awareness.

The discovery itself came through GitGuardian, which scans public repositories for exposed secrets. Its co-founder Guillaume Valadon described the incident as “the worst leak” he has seen in his career, an unusually strong assessment given the frequency of credential exposure incidents across the industry.

The situation is particularly striking because CISA’s core mandate is cybersecurity defense. The agency is responsible for identifying vulnerabilities, coordinating responses to cyber threats and guiding both public and private sector organizations on best practices. Yet in this case, the vulnerability stemmed from basic credential management failures – plain text storage, lack of access control and misuse of public infrastructure.

The exposure also highlights a broader issue in modern cloud and developer workflows. Tools like GitHub are designed for collaboration and code sharing, but without strict controls, they can easily become vectors for accidental data leaks. Secrets stored in repositories, especially without encryption or environment isolation, can be indexed, scraped and exploited within minutes.

Even though there is no confirmed misuse of the exposed data, the nature of the credentials involved raises the stakes. Administrative tokens, internal system logins and cloud access keys are precisely the types of assets attackers seek, as they can provide direct entry into critical systems without needing to exploit software vulnerabilities.

For now, the repository has been secured and the exposed data removed. But the incident shows yet again that even organizations built to defend against threats remain vulnerable to simple operational mistakes.



Jim Love

Jim is an author and podcast host with over 40 years in technology.
