Critical Security Breach at CISA: Plaintext Passwords Exposed on GitHub
In a troubling revelation, security researcher Brian Krebs has reported that America’s Cybersecurity & Infrastructure Agency (CISA) inadvertently exposed a stash of sensitive data, including plaintext passwords, SSH private keys, and tokens, in a public GitHub repository named “Private-CISA.” This alarming discovery, which has been accessible since at least November 2025, raises significant concerns about cybersecurity practices within one of the leading governmental agencies charged with safeguarding U.S. infrastructure.
The Discovery of the Repo
GitGuardian’s Guillaume Valadon first brought the repository to Krebs’ attention after automated public code scans detected the leaks. Despite multiple attempts to alert the repo’s owner, Valadon received no response, prompting further investigation. According to Valadon, the commit logs indicate that GitHub’s built-in protections against committing sensitive data were turned off, allowing for this grave oversight.
Consequences of the Exposure
The implications of this breach were verified by Philippe Caturegli, founder of Seralys, who successfully used the exposed credentials to access several Amazon Web Services (AWS) GovCloud accounts at high privilege levels. Such unauthorized access could have severe ramifications, risking national security and compromising sensitive governmental operations.
Management and Accountability
Krebs points out that the repository appeared to be managed by Nightwing, a contractor for CISA based in Virginia. However, Nightwing has yet to issue a public statement regarding the incident, instead directing inquiries back to CISA, who also remain silent on the matter.
CISA’s Track Record on Cybersecurity
This incident is not the first time CISA has faced scrutiny over cybersecurity missteps. Earlier this year, acting CISA Director Madhu Gottumukkala made headlines when he uploaded sensitive government documents to ChatGPT, even after reportedly seeking an exemption to the agency’s strict policy against using the AI tool. Gottumukkala was subsequently removed from his position in February, highlighting ongoing challenges within the agency concerning digital safety protocols.
What This Means for Cybersecurity
As one of the federal agencies tasked with overseeing cybersecurity, CISA’s failures potentially signal a worrying trend that could embolden malicious actors. The exposure of critical credentials in a public repository raises questions about the effectiveness of existing safeguards and the overall culture of cybersecurity awareness within the agency.
This disturbing episode serves as a reminder of the vulnerabilities inherent in the rapidly evolving digital landscape. Organizations—public and private alike—must prioritize secure coding practices, ensuring that default protections are not disabled and that sensitive data is adequately protected from prying eyes. As cybersecurity threats continue to grow, it’s crucial for all to revisit and reinforce their security protocols.
To read more about this incident, visit Here.
Image Credit: arstechnica.com
