
Security researcher Brian Krebs reports that the US Cybersecurity and Infrastructure Security Agency (CISA) has had a large store of plaintext passwords, SSH private keys, tokens, and "other sensitive CISA assets" exposed in a public GitHub repository since at least November 2025.
The now-offline public repo, named, somewhat aspirationally, "Private-CISA", was brought to Krebs' attention by GitGuardian's Guillaume Valadon, who was alerted to the repo's presence by GitGuardian's public code scans. Krebs says that Valadon approached him after receiving no response from the Private-CISA repo's owner.
In an email to Krebs, Valadon claimed that the repo's commit logs show that GitHub's default protections against committing secrets (protections designed to shield unwitting or unskilled developers from exactly this kind of stupidity) had been disabled by the repo's administrator.
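As an added illustration of the kind of check the report says was switched off (this is example code, not code from the report, from GitHub, or from any party named in it): a small scan, in the spirit of GitHub's push protection, over only the lines a commit would add. The file paths and credential values in the sample diff are constructed placeholders; the AKIA prefix is AWS's documented access-key format.

```python
import re
# Added example (not code from the report, CISA, or Nightwing): a pre-push check
# over the lines a commit would ADD, in the spirit of GitHub's push protection.
# AKIA is AWS's documented access-key prefix; the other patterns are heuristics.
SECRET_PATTERNS = {
    "ssh_private_key": re.compile(r"-----BEGIN (?:OPENSSH|RSA|EC|DSA) PRIVATE KEY-----"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "plaintext_password": re.compile(r"(?i)(?:password|passwd|pwd)\s*[=:]\s*\S{6,}"),
}
HUNK_HEADER = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")

def scan_diff(diff_text):
    """Scan only the added lines of a unified diff; return [(path, new_line, kind)]."""
    findings, path, new_line = [], None, 0
    for line in diff_text.splitlines():
        if line.startswith("+++ "):
            path = line[4:].removeprefix("b/")   # new-side file name
        elif line.startswith("@@"):
            new_line = int(HUNK_HEADER.match(line).group(1))
        elif line.startswith("+"):               # added line: the only text scanned
            for kind, pattern in SECRET_PATTERNS.items():
                if pattern.search(line[1:]):
                    findings.append((path, new_line, kind))
            new_line += 1
        elif line.startswith(" "):               # unchanged context line
            new_line += 1
        # '-' removals and 'diff'/'---'/'index' headers do not advance new_line
    return findings

# Constructed sample diff with placeholder values: a config file gaining an AWS
# key and a database password, plus a new file holding an SSH private key.
SAMPLE_DIFF = """\
--- a/deploy/config.env
+++ b/deploy/config.env
@@ -1,2 +1,3 @@
 REGION=us-gov-west-1
+AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
+DB_PASSWORD=CorrectHorseBattery
-OLD_PASSWORD=retired123
--- /dev/null
+++ b/keys/id_ed25519
@@ -0,0 +1,2 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+-----END OPENSSH PRIVATE KEY-----
"""

if __name__ == "__main__":                       # non-zero exit blocks the push in a hook
    hits = scan_diff(SAMPLE_DIFF)
    for path, line, kind in hits:
        print(f"{path}:{line}: {kind}")
    raise SystemExit(1 if hits else 0)
```

Run as a pre-push hook body, a non-empty result rejects the push; a removed line (the old password here) is deliberately not reported, because it never reaches the remote.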
Testing by Seralys founder Philippe Caturegli confirmed that this was not a joke or hoax and that he was able to use the credentials in the Private-CISA repo to gain access to multiple Amazon Web Services GovCloud accounts "at a high privilege level."
Krebs notes that the repo appeared to be managed by Virginia-based Nightwing, a CISA contractor. Nightwing has so far not commented publicly, instead referring questions back to CISA.
This isn't the first time CISA has screwed up; in fact, it's not even the first time this year. In January, polygraph-failing acting CISA Director Madhu Gottumukkala uploaded sensitive government documents to ChatGPT after demanding and receiving an exemption to the agency policy that prohibited ChatGPT's use by CISA personnel. Gottumukkala was removed from his role in February.