Contractor exposed CISA credentials on public GitHub repo
House Democrats want answers on how Nightwing left CISA's internal access data publicly readable, and whether staff cuts set the conditions.
Editorial brief
Researcher Brian Krebs reported Monday that a GitHub repository linked to government contractor Nightwing exposed CISA and DHS authentication credentials, AWS GovCloud access data, and internal build-and-deploy documentation, stored in a repo labeled "Private CISA" that was later removed. Reps. Bennie Thompson and Delia Ramirez, the top Democrats on the House Homeland Security Committee and its cyber subcommittee, sent CISA acting Director Nick Andersen a letter Tuesday demanding a briefing on how the exposure occurred, what was accessed, and what corrective action is planned for the contractor personnel involved. Sen. Maggie Hassan sent a separate letter the same day. Nextgov has not independently verified the repository's contents; Nightwing referred inquiries to CISA, which declined to comment publicly.
The exposed repository reportedly included enough information for a sophisticated actor to map how CISA builds, tests, and deploys its internal software. Security researchers cited in Krebs's reporting called it "one of the most egregious government data leaks in recent history." Thompson and Ramirez, in their letter, said they agreed with that characterization.
The Democratic lawmakers also connected the incident to CISA's workforce reductions over the past year, arguing that a reduced staff "coupled with the administration's indifference to security, created the conditions that allowed such a significant security lapse to occur." That causal claim is plausible but unproven at this stage; the actual mechanism (contractor personnel with access to a repository that should not have been public) is a configuration control problem. Whether staffing levels at CISA degraded the oversight that would have caught it is exactly the kind of question a briefing could clarify.
Nightwing, the contractor at the center of the incident, referred all questions to CISA. CISA said it does not comment on congressional correspondence but responds to members directly. That leaves the public record thin on specifics: what credentials were rotated, whether any unauthorized access occurred before removal, and what the timeline between publication and discovery actually was.
A third letter, from Sen. Hassan, was reported by Axios on Tuesday, indicating that the briefing request is bicameral. Thompson and Ramirez asked for the briefing "as soon as possible," covering the cause, consequences, remediation, and contractor accountability. Until CISA responds, the operative facts are what Krebs reported and what the lawmakers have said they accept: sensitive internal access data sat in a public GitHub repository long enough for independent researchers to find and catalog it.
Deep Fathom