Contractor GitHub repo exposed privileged CISA credentials
A public repository named "Private-CISA" held AWS GovCloud and internal system credentials dating to November, and Congress is not satisfied with CISA's response.
Editorial brief
GitGuardian discovered a public GitHub repository last week, apparently maintained by a Nightwing contractor, containing privileged AWS GovCloud credentials and internal CISA system credentials dating back to November. The repository was named "Private-CISA." CISA says no sensitive data was confirmed compromised; the researcher who found it rated it among the worst leaks he has seen and cited state-actor persistence as the primary risk. House Homeland Security ranking members Thompson and Ramirez, plus Sen. Hassan, sent separate letters Tuesday demanding briefings on affected systems, forensic findings, and contractor accountability. Both Hill letters named CISA staffing and budget cuts as a potential contributing factor.
The incident has a structure that will be familiar to anyone who tracks federal contractor hygiene: a repository with a name that implies sensitivity sat publicly accessible on GitHub long enough to be indexed and discovered by an outside firm. GitGuardian found it last week; Krebs on Security first reported it publicly. The contractor involved, Nightwing, referred all questions to CISA.
CISA's public statement follows the standard incident-response template: "no indication that any sensitive data was compromised," combined with a commitment to "additional safeguards." That formulation is defensible (absence of evidence of exfiltration is a real finding) but it is not the same as a forensic conclusion. Forensic work on credential exposure in cloud environments is hard precisely because legitimate access and attacker access look identical in logs, especially if the attacker is patient.
The researcher's concern was persistence, not destruction. Guillaume Valadon of GitGuardian told CyberScoop he was most worried about a state actor obtaining long-term access to a government system, a scenario he rated worse than a destructive attack. That framing matters for how CISA and Congress should assess remediation adequacy: rotating the credentials is necessary but not sufficient if the window of exposure was wide enough for a patient actor to establish a foothold.
Congress is pursuing parallel tracks. The House Homeland Security Committee is seeking a staff-level briefing. Ranking members Thompson and Ramirez sent a letter Tuesday to acting director Nick Andersen asking specifically about how the lapse occurred, potential security consequences, remediation activities, and corrective actions involving contractor personnel. Sen. Hassan sent a separate letter requesting a classified briefing covering which systems were exposed, what forensic work was done, and what corrective action has been taken. Both letters noted CISA's recent personnel and budget reductions as a potential contributing factor, a framing that ties this incident to a broader oversight argument about agency capacity.
Nightwing has said nothing beyond referring questions to CISA. That posture is legally prudent but practically problematic: the contractor maintained the repository, and the corrective-action questions Congress is asking are ones CISA cannot fully answer without contractor cooperation and documentation. If the briefings materialize, the contractor's incident timeline will be the first thing congressional staff ask for.
For DIB contractors and federal agencies managing CUI in cloud environments: this is a credential hygiene failure, not an exotic attack. Pre-commit scanning, secret scanning on existing repositories, and contractor security awareness requirements in base contracts are the standard controls. The question the Hill letters are implicitly asking is whether CISA's own contractor oversight enforced any of them.
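A minimal pre-commit secret scanner of the kind the paragraph describes, added here as an illustration and not GitGuardian's, CISA's or Nightwing's code: it flags AWS access key IDs and secret keys in staged files (or in the constructed sample below), with an entropy floor so placeholders do not trip the hook. The regex patterns and the 4.0-bit threshold are assumptions for this example; the sample input uses the example credentials from AWS's public documentation.

```python
import math
import re
import subprocess
import sys
from collections import Counter
# Constructed patterns (not GitGuardian's rules): AWS access key IDs are 20 chars
# starting AKIA/ASIA; secrets are 40 base64-alphabet chars assigned to a key var.
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[A-Z0-9]{16})\b")
SECRET_KEY_RE = re.compile(
    r"(?i)aws[_-]?secret[_-]?(?:access[_-]?)?key\s*[=:]\s*['\"]?"
    r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])")
ENTROPY_FLOOR = 4.0  # bits per char (assumed); placeholders like AAAA... score 0
def shannon_entropy(s):
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())
def mask(value):  # never echo the full secret into hook output or CI logs
    return value[:4] + "*" * (len(value) - 8) + value[-4:]

def scan_text(text, path="<stdin>"):
    """Return (path, line_no, kind, masked_value) for every hit in text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append((path, line_no, "aws_access_key_id", mask(m.group(1))))
        for m in SECRET_KEY_RE.finditer(line):
            if shannon_entropy(m.group(1)) >= ENTROPY_FLOOR:  # skip placeholders
                findings.append((path, line_no, "aws_secret_access_key", mask(m.group(1))))
    return findings

def scan_staged():
    """Pre-commit mode: scan the staged copy of each added/copied/modified file."""
    def git(*args):
        return subprocess.run(["git", *args], capture_output=True, text=True).stdout
    findings = []
    for path in git("diff", "--cached", "--name-only", "--diff-filter=ACM").split():
        findings.extend(scan_text(git("show", f":{path}"), path))
    return findings

# Constructed sample: AWS documentation example credentials plus one placeholder.
SAMPLE = """[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
aws_secret_access_key = AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
"""

if __name__ == "__main__":
    hits = scan_staged() if "--staged" in sys.argv else scan_text(SAMPLE, "credentials")
    for hit in hits:
        print("%s:%d %s %s" % hit)
    sys.exit(1 if hits else 0)  # non-zero exit status blocks the commit
```

Installed as `.git/hooks/pre-commit` with `--staged`, the non-zero exit refuses the commit; the same `scan_text` can be run over every file of an existing repository to cover the "secret scanning on existing repositories" control.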
Deep Fathom