CISA — the Cybersecurity and Infrastructure Security Agency — exists for one reason: to tell everyone else how to secure their systems. They publish the guidelines. They run the advisories. They are the federal government’s answer to the question: who watches the network?

On November 13, 2025, a contractor working for Nightwing — a government services firm based in Dulles, Virginia — created a public GitHub repository called “Private-CISA.”

It was not private.

Inside: 844 megabytes of CISA’s internal infrastructure. AWS GovCloud administrative credentials for three accounts. Plaintext usernames and passwords for dozens of internal systems. Entra ID SAML signing certificates. SSH keys. Kubernetes manifests. Terraform infrastructure code. CI/CD build logs. ArgoCD deployment configurations. Internal documentation. OneNote exports. The blueprints for how CISA builds, tests, and deploys its own software.

One file was named “importantAWStokens.”

Another was named “AWS-Workspace-Firefox-Passwords.csv.” It contained exactly what the name suggests — plaintext passwords exported from a browser, stored in a spreadsheet, committed to a public repository. The passwords followed patterns like the platform name followed by the current year. “AWS2025.”

The commit logs tell the rest of the story. The contractor explicitly disabled GitHub’s default secret-scanning push protection — the feature designed to stop exactly this from happening. Disabled it manually. Then pushed.

The repository appears to have been used as a personal synchronization tool between work and home computers. Government cloud credentials, in plaintext, in a public repo, with the safety off, because someone wanted to work from home.

It sat there for 183 days.

GitGuardian found it on May 14, 2026. Their researcher Guillaume Valadon initially suspected a hoax — the filenames were too on-the-nose, the negligence too cartoonish. “Passwords stored in plain text in a csv, backups in git, explicit commands to disable GitHub secrets detection feature,” he wrote. Personal documents in the repository confirmed it was real. GitGuardian’s Good Samaritan program sent nine emails to the contractor. No response. They contacted Brian Krebs, who contacted CISA. The repository came down within 26 hours of the direct notification.

Then the part that should keep people awake: the exposed AWS keys remained valid for another 48 hours after takedown. Anyone who had copied them during those six months still had working credentials to CISA’s cloud infrastructure for two more days after the agency knew they were compromised.

CISA’s official response: “Currently, there is no indication that any sensitive data was compromised as a result of this incident.”

Currently.

Here’s where the melody gets dark.

CISA has lost nearly one-third of its workforce since early 2025. Staffing dropped from approximately 3,400 to roughly 2,400. About 600 took buyout offers. The White House proposed cutting another 1,083 positions. The Election Security Program — 14 staff, $39.6 million annual budget — was eliminated entirely. $45 million cut from Cyber Defense and Training. 35 positions and $70 million stripped from the National Risk Management Center.

The agency that tells hospitals how to secure patient records. The agency that tells power utilities how to protect the grid. The agency that publishes the known-exploited-vulnerabilities catalog. The agency that coordinates incident response for critical infrastructure. That agency left its own keys on the counter, with the door open, for six months, while one-third of the people who might have noticed were walking out the building with buyout checks.

Nobody is naming the contractor. Nightwing declined to comment, referring inquiries to CISA. That’s fine. This isn’t about one person being negligent. One person is always going to be negligent — that’s why guardrails exist. Secret scanning exists because humans will push secrets. Code review exists because humans will skip steps. Oversight exists because contractors will use public repos as personal sync tools.

The question is never whether someone will make the mistake. The question is whether anyone is left to catch it.

CISA’s own guidance to federal agencies includes enabling secret scanning, using short-lived credentials, deploying hardware security keys, enforcing repository access controls, and conducting regular credential hygiene audits. Every one of those recommendations was violated by CISA’s own contractor on CISA’s own infrastructure. The agency that writes the checklist failed every item on the checklist.
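As an added illustration (not code from the article or from any organization it names): a small local pre-push check, in the spirit of the push protection the contractor switched off, that scans a constructed file tree for the kinds of artifacts the article describes and refuses the push if any are found. The file names and contents, the AWS placeholder key pair (AWS's own documented example values), and the Firefox export column set are assumptions made for this example.

```python
import csv
import io
import re
import sys

# Constructed sample tree: file names mirror the ones the article describes,
# contents are made up (AWS's documented placeholder key pair is used).
SAMPLE_FILES = {
    "importantAWStokens": (
        "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
        "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    "AWS-Workspace-Firefox-Passwords.csv": (
        '"url","username","password","httpRealm","formActionOrigin","guid"\n'
        '"https://console.example.gov","svc-admin","AWS2025","","","{1}"\n'
    ),
    "README.md": "# notes\nsync between work and home\n",
}

AWS_KEY_ID_RE = re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b")  # long-term / STS key IDs
AWS_SECRET_RE = re.compile(r"(?i)aws_secret_access_key\s*[=:]\s*[A-Za-z0-9/+=]{40}")
BROWSER_EXPORT_COLUMNS = {"url", "username", "password", "guid"}  # Firefox CSV export header (assumed)
WEAK_PATTERN_RE = re.compile(r"^[A-Za-z]{2,12}(19|20)\d{2}[!@#$%]?$")  # platform name + year, e.g. AWS2025

def scan_file(name, content):
    """Return a list of finding labels for one file; an empty list means clean."""
    findings = []
    if AWS_KEY_ID_RE.search(content):
        findings.append("aws-access-key-id")
    if AWS_SECRET_RE.search(content):
        findings.append("aws-secret-access-key")
    if name.lower().endswith(".csv"):
        reader = csv.DictReader(io.StringIO(content))
        if BROWSER_EXPORT_COLUMNS <= set(reader.fieldnames or []):
            findings.append("browser-password-export")
            if any(WEAK_PATTERN_RE.match(r.get("password") or "") for r in reader):
                findings.append("weak-password-pattern")
    return findings

def scan_tree(files):
    """Map file name -> findings for every file that triggers at least one rule."""
    return {n: f for n, c in files.items() if (f := scan_file(n, c))}

if __name__ == "__main__":
    hits = scan_tree(SAMPLE_FILES)
    for name, labels in hits.items():
        print(f"BLOCK {name}: {', '.join(labels)}")
    sys.exit(1 if hits else 0)  # non-zero exit refuses the push from a pre-push hook
```

Wired into a git pre-push hook, a non-zero exit stops the push before anything reaches a remote, which is the point of push protection: the guardrail only works while it stays on.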

Philippe Caturegli, the researcher who validated the exposed credentials, confirmed they still granted high-privilege administrative access to AWS GovCloud. These aren’t read-only keys. These are the keys to the building.

A file named “importantAWStokens” sat in a public repository for half a year. The researcher who found it thought it had to be a joke. It wasn’t a joke. It was just what happens when the people whose job is to watch are told to leave, and no one replaces them, and the one contractor still at the desk disables the alarm because it keeps going off while he’s trying to work from home.

That’s not a cybersecurity failure. That’s a staffing decision expressed as a vulnerability.

// NEON BLOOD

Sources: Krebs on Security, GitGuardian, TechCrunch, Cybersecurity Dive, Nextgov