In stunning display of stupid, secret CISA credentials found in public GitHub repo

A significant lapse in cybersecurity has come to light, revealing that the Cybersecurity & Infrastructure Agency (CISA) of the United States had sensitive information—including plaintext passwords, SSH private keys, and tokens—made publicly accessible on a GitHub repository. This repository, aptly named 'Private-CISA,' had been exposed since at least November 2025. Security researcher Brian Krebs reported that GitGuardian's Guillaume Valadon flagged the repository after conducting routine code scans, which revealed the alarming oversight. Despite attempts to contact the owner of the repository, Valadon received no response, prompting Krebs to investigate further. The commit logs indicated that the repository's default security settings meant to prevent such exposures had been switched off by the administrator. Philippe Caturegli, the founder of Seralys, confirmed the seriousness of the situation by demonstrating that he could utilize the credentials found in the repository to access various Amazon Web Services GovCloud accounts with elevated privileges. The repository was reportedly managed by Nightwing, a contractor for CISA based in Virginia. As of now, Nightwing has not issued any public statements and has directed inquiries back to CISA. This incident marks yet another troubling moment for CISA, which has faced scrutiny before. Earlier this year, the agency's acting director, Madhu Gottumukkala, faced backlash after uploading sensitive documents to ChatGPT, having received an exemption from the policy that bans such practices. Following this incident, Gottumukkala was removed from his position in February. The repeated failures raise serious questions about the agency's commitment to cybersecurity protocols.