Our Take
A contractor running a CISA-branded repository switched off GitHub's secret-detection protections, and the credentials it then committed sat in a public repo for roughly six months until an outside researcher found them. That the agency tasked with defending critical infrastructure neither noticed the exposure nor responded to the report invites obvious questions about its operational security posture.
Why it matters
CISA sets federal cybersecurity policy and coordinates incident response across the U.S. government. When its own credential hygiene fails this visibly, it undermines the authority and credibility of the guidance it issues to agencies and critical infrastructure operators.
Do this week
Security teams: audit your GitHub organization this week to confirm that secret scanning and push protection are enabled on every repository, that they are enforced at the organization or enterprise level so a repository administrator cannot switch them off, and that your audit log monitoring alerts on any disable or bypass event.
CISA left credentials exposed for six months
The Cybersecurity and Infrastructure Security Agency had a public GitHub repository containing plaintext passwords, SSH private keys, API tokens, and other sensitive assets exposed since at least November 2025, according to reporting by journalist Brian Krebs based on findings from the secrets-detection firm GitGuardian.
The repository, named "Private-CISA," was operated by Nightwing, a Virginia-based CISA contractor. GitGuardian's Guillaume Valadon found the repo through routine code scanning and, after receiving no response from the repository's owner, alerted Krebs. The repository's commit history showed that GitHub's default protections against committing secrets had been intentionally disabled by the repository administrator.
Philippe Caturegli, founder of Seralys, verified the credentials were genuine and functional. He demonstrated that he could use them to gain high-privilege access to multiple Amazon Web Services GovCloud accounts.
As of this writing, neither CISA nor Nightwing has issued a public statement; Nightwing has referred questions to the agency.
This fits a pattern of operational failures at the agency
This is not CISA's first operational security lapse in 2026. In January, acting CISA Director Madhu Gottumukkala uploaded sensitive government documents to ChatGPT after receiving a personal exemption from the agency's policy prohibiting ChatGPT use by CISA personnel. Gottumukkala was removed from his role in February.
The deliberate disabling of GitHub's secret-detection tools is the more serious failure. This was not an accidental commit by a careless developer; it was a conscious operational choice. That the credentials then remained exposed for six months before an outsider found them suggests that neither the agency nor its contractor runs routine secrets scanning over repositories carrying the CISA name, and that nobody was watching for repositories where the protections had been switched off.
For an agency responsible for issuing security guidance to federal agencies and critical infrastructure operators, these failures carry reputational cost. Organizations look to CISA for standards and best practices. Visible breaches of basic credential hygiene invite skepticism about the rigor behind the guidance CISA publishes.
Treat default protections as non-negotiable
This incident is a case study in why secret-detection and push-protection defaults matter, and in where they stop. Push protection blocks a push containing a recognized secret before it reaches the remote; secret scanning alerts on secrets that are already there. Neither helps once a repository administrator turns them off, which is why these controls have to be enforced above the repository, at the organization or enterprise level, and why a disable or bypass event deserves an alert in its own right.
Organizations should assume that secrets will be committed. The question is whether detection and rotation happen in hours or months. Audit your GitHub organization settings to ensure secret scanning and push protection are enabled on every repository and enforced at the organization level so that no repository administrator can disable them, and review the audit log for disable and bypass events. If you are using self-hosted git, evaluate whether you have equivalent tooling in place. Treat any credential that reaches a public repo as compromised and rotate it; the goal is to catch it before an external party does.
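One way to run the audit described above, as an added example for this piece rather than code from CISA, Nightwing, GitHub or GitGuardian. It reads the repository list and audit log in the shapes GitHub's REST API returns (GET /orgs/{org}/repos and GET /orgs/{org}/audit-log), flags every repository where secret scanning or push protection is not confirmed enabled, and lists the audit events that turned those protections off. It assumes a token with admin rights on the repositories (without them the `security_and_analysis` block is simply absent, which the script reports as "unknown" rather than a pass) and an organization plan that exposes the audit log; the action names in `DISABLE_ACTIONS` are the documented ones as best I know them and should be checked against GitHub's current audit-log reference. The sample data at the bottom is constructed so the script runs offline.

```python
"""Audit a GitHub organization for repositories with secret scanning or push
protection turned off, and surface the audit-log events that disabled them.
Added example; not CISA's, Nightwing's or GitHub's code.  Assumes an admin
token (else `security_and_analysis` is absent) and the audit-log action
names below (assumed; verify against GitHub's audit-log reference)."""
import json
import os
import urllib.request

API = "https://api.github.com"

# Audit-log actions that weaken secret detection.  Assumed names; confirm
# against GitHub's "Audit log events for your organization" docs.
DISABLE_ACTIONS = {
    "repository_secret_scanning.disable",
    "repository_secret_scanning_push_protection.disable",
    "org.secret_scanning_disable",
    "org.secret_scanning_push_protection_disable",
}


def _status(repo, feature):
    """Return 'enabled', 'disabled' or 'unknown' for one security feature."""
    sa = repo.get("security_and_analysis") or {}
    return (sa.get(feature) or {}).get("status", "unknown")


def find_unprotected_repos(repos):
    """Given the JSON array from GET /orgs/{org}/repos, return
    (full_name, secret_scanning_status, push_protection_status) for each
    repo where either feature is not confirmed enabled.  'unknown' is a
    finding too: a missing field is not evidence the control is on."""
    findings = []
    for repo in repos:
        ss = _status(repo, "secret_scanning")
        pp = _status(repo, "secret_scanning_push_protection")
        if ss != "enabled" or pp != "enabled":
            findings.append((repo["full_name"], ss, pp))
    return findings


def find_protection_disables(events):
    """Given the JSON array from GET /orgs/{org}/audit-log, return
    (timestamp_ms, actor, repo_or_org, action) for every event that turned
    secret scanning or push protection off, oldest first."""
    hits = []
    for ev in events:
        if ev.get("action") in DISABLE_ACTIONS:
            hits.append((ev.get("@timestamp", 0), ev.get("actor"),
                         ev.get("repo") or ev.get("org"), ev["action"]))
    return sorted(hits)


def fetch(path, token):
    """Fetch one page of a GitHub REST endpoint (live use only).  Pagination
    is left to the caller; follow the Link header for large orgs."""
    req = urllib.request.Request(API + path, headers={
        "Authorization": f"Bearer {token}",
        "Accept": "application/vnd.github+json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


# Constructed sample data in the two endpoints' shapes; not real data.
SAMPLE_REPOS = [
    {"full_name": "example-org/infra", "security_and_analysis": {
        "secret_scanning": {"status": "enabled"},
        "secret_scanning_push_protection": {"status": "enabled"}}},
    {"full_name": "example-org/Private-Example", "security_and_analysis": {
        "secret_scanning": {"status": "enabled"},
        "secret_scanning_push_protection": {"status": "disabled"}}},
    {"full_name": "example-org/legacy"},   # no admin rights: field absent
]
SAMPLE_EVENTS = [
    {"@timestamp": 1762000000000, "action": "repo.create",
     "actor": "alice", "repo": "example-org/Private-Example"},
    {"@timestamp": 1762000600000,
     "action": "repository_secret_scanning_push_protection.disable",
     "actor": "alice", "repo": "example-org/Private-Example"},
    {"@timestamp": 1762001200000, "action": "git.push",
     "actor": "alice", "repo": "example-org/Private-Example"},
]

if __name__ == "__main__":
    org, token = os.environ.get("GH_ORG"), os.environ.get("GH_TOKEN")
    if org and token:   # live mode: audit a real organization
        repos = fetch(f"/orgs/{org}/repos?per_page=100", token)
        events = fetch(f"/orgs/{org}/audit-log?per_page=100", token)
    else:               # offline demo on the constructed data above
        repos, events = SAMPLE_REPOS, SAMPLE_EVENTS
    for name, ss, pp in find_unprotected_repos(repos):
        print(f"UNPROTECTED {name}: secret_scanning={ss} push_protection={pp}")
    for ts, actor, target, action in find_protection_disables(events):
        print(f"DISABLED    {target}: {action} by {actor} at {ts}")
```

Run it with `GH_ORG` and `GH_TOKEN` set to audit a live organization, or with neither to see the two findings on the constructed data. The useful output is the second list: a disable event followed by pushes to the same repository is the sequence this incident describes, and it is visible in the audit log long before an outside researcher finds the secrets.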