HeadlinesBriefing.com

Contractor’s GitHub Repo Leaks CISA GovCloud Keys

Hacker News

A Nightwing contractor for CISA kept a public GitHub repo named “Private‑CISA” that listed dozens of AWS GovCloud keys, plaintext passwords and internal build scripts. Researchers from GitGuardian flagged the repo after the owner ignored alerts, exposing admin credentials to three GovCloud accounts and a CSV of usernames for internal systems. The leak represents one of the most severe government credential exposures on record.

Security analyst Philippe Caturegli tested the keys and confirmed they still authenticated, giving an attacker full access to CISA’s “Landing Zone DevSecOps” environment and its Artifactory package store. Git commit logs show the administrator deliberately disabled GitHub’s secret‑detection feature and stored passwords in clear‑text CSV files, a practice that would enable lateral movement and persistent backdoors in any software builds.

CISA acknowledged the breach, saying no evidence yet shows data was misused and promising tighter safeguards. The GitHub account, created in 2018, was taken down after notification, yet the exposed AWS keys remained valid for another 48 hours. This incident underscores how a single contractor’s sloppy workflow can jeopardize critical federal cloud assets, prompting immediate credential rotation across the agency.