CISA Contractor's GitHub Repository Exposed Sensitive Agency Credentials
A public GitHub repository managed by a CISA contractor exposed plaintext passwords, private keys, and other sensitive assets, some of which provided access to government cloud accounts. The repository had been public since at least November 2023, and GitHub's default protections against committing secrets had been disabled. The contractor, Nightwing, has not commented and has referred questions to CISA.
Facts First
- A public GitHub repository exposed plaintext passwords, SSH keys, and tokens belonging to the Cybersecurity & Infrastructure Security Agency (CISA).
- A security researcher gained access to multiple AWS GovCloud accounts using credentials found in the repository.
- The repository had been public since at least November 2023 and its commit logs show default secret protections were disabled.
- The repository appears to be managed by contractor Nightwing, which has not publicly commented.
- The exposure follows a separate January incident where then-acting CISA Director Madhu Gottumukkala uploaded sensitive documents to ChatGPT.
What Happened
Security researcher Brian Krebs reported that a GitHub repository named 'Private-CISA' publicly exposed a large store of plaintext passwords, SSH private keys, tokens, and other sensitive assets belonging to the Cybersecurity & Infrastructure Security Agency (CISA). The repository had been public since at least November 2023. GitGuardian's Guillaume Valadon alerted Krebs to the repository after GitGuardian's public code scans detected it. Valadon stated that the repository's commit logs show GitHub's default protections against committing secrets had been disabled by the repository's administrator. Seralys founder Philippe Caturegli tested credentials from the repository and was able to gain access to multiple Amazon Web Services (AWS) GovCloud accounts at a high privilege level. Krebs noted the repository appeared to be managed by Nightwing, a contractor based in Virginia. Nightwing has not commented publicly and has referred questions to CISA.
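With GitHub's push protection turned off, the remaining line of defence is a check that runs before a commit leaves the developer's machine. Below is an added example, not code from the article, GitGuardian or Nightwing: a small pre-commit scanner that flags the secret types named above (AWS access key IDs, private key blocks, GitHub tokens, plaintext password assignments) in staged files; the regexes and the `allow-secret` marker are my own assumptions, and the sample config is constructed.

```python
import re
import subprocess
import sys
from dataclasses import dataclass

# Pattern set covering the secret types the incident involved (constructed
# for this example; not GitGuardian's or GitHub's rule set).
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "password_assignment": re.compile(r"(?i)\bpassword\s*[:=]\s*['\"]?[^\s'\"]{8,}"),
}

@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str

def scan_text(path: str, text: str) -> list[Finding]:
    """One Finding per (line, pattern) hit. Lines carrying an explicit
    'allow-secret' marker are skipped so known fixtures can be exempted."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if "allow-secret" in line:
            continue
        for kind, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append(Finding(path, line_no, kind))
    return findings

def staged_files() -> dict[str, str]:
    """Contents of added/modified files in the index (assumes git on PATH)."""
    run = lambda *args: subprocess.run(["git", *args], capture_output=True,
                                       text=True, errors="replace", check=True).stdout
    names = run("diff", "--cached", "--name-only", "--diff-filter=AM", "-z").split("\0")
    return {name: run("show", f":{name}") for name in names if name}

# Constructed sample: the kind of config file that should never reach a repo.
SAMPLE_CONFIG = """\
db_host = db.example.internal
password = hunter2hunter2
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
-----BEGIN OPENSSH PRIVATE KEY-----
token = ghp_0123456789abcdefghijklmnopqrstuvwxyz
"""

if __name__ == "__main__":
    hits = [f for p, t in staged_files().items() for f in scan_text(p, t)]
    for f in hits:
        print(f"{f.path}:{f.line_no}: possible {f.kind}")
    sys.exit(1 if hits else 0)  # non-zero exit blocks the commit under a pre-commit hook
```

Install it as `.git/hooks/pre-commit` (or run it in CI against `git show` of each pushed commit) so a plaintext key is caught before it is ever pushed; scanning history after the fact, as GitGuardian did here, only tells you the secret is already public.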
Why This Matters to You
This exposure of government cybersecurity credentials could weaken the security of critical infrastructure systems that many people rely on daily. If malicious actors obtained these credentials, they may have been able to compromise government cloud systems, which could lead to disruptions or data breaches affecting services you use. The incident highlights ongoing weaknesses in how contractors handle sensitive government data, which may lead to calls for stricter oversight and could affect how your tax dollars are spent on cybersecurity contracts.
What's Next
CISA is likely to investigate the exposure and its scope, and may take steps to secure the compromised accounts and rotate all exposed credentials. The agency may also review its contracts and security protocols with third-party vendors like Nightwing to prevent similar incidents. Public and congressional scrutiny of CISA's security practices is likely to increase, especially following the separate incident involving its former acting director and ChatGPT.