Overview
- A public GitHub repository labeled "Private-CISA" held internal CISA and DHS secrets, including AWS GovCloud administrative keys, tokens, logs, and plaintext passwords.
- External researchers from GitGuardian and Seralys found the trove and alerted the agency. The repository was taken down, and CISA says it has no indication of data compromise as it investigates.
- Analysts warned that plaintext access to CISA’s internal artifactory, a store for software packages used in builds, could let attackers slip backdoors into future software releases.
- Commit history showed GitHub’s default secret‑detection was disabled and passwords were kept in CSV files, pointing to basic security lapses linked to a contractor employed by Nightwing.
- Reporting indicates the repository had been active since November 2025 and that some exposed AWS keys remained valid for about 48 hours after takedown, raising concerns about key rotation and monitoring.