Washington · July 1, 2026
The Cybersecurity and Infrastructure Security Agency has placed the operators of three internal systems on "probationary status" and set a Sept. 3 remediation deadline following a contractor-caused exposure of login credentials and cloud access keys on a public GitHub repository [POLITICO]. CISA confirmed the existence of the memos, stating they were intended to "document risks, prescribe corrective actions, and ensure compliance with National Institute of Standards and Technology standards" [POLITICO]. Under NIST's Risk Management Framework, agencies are required to implement security controls across information systems and report material deficiencies through a structured authorization process. The memos, issued June 5, invoke that framework as the corrective authority.
The exposure originated with an employee of Nightwing, a Dulles, Va., government contractor that holds a long-running, privileged role in CISA cyber operations, software support, incident response, and federal network defense infrastructure [1][2]. The contractor had been using a personal GitHub account as a file synchronization tool since November 2025, committing work files to a public repository named "Private-CISA." By the time researchers identified the repository, it contained 844 megabytes of data, including administrative credentials for three AWS GovCloud accounts, plaintext usernames and passwords for dozens of internal CISA systems, SSH keys, Kubernetes configuration files, and detailed records of how CISA builds, tests, and deploys its software. [3][4] Commit logs in the offending GitHub account show that the CISA administrator had disabled GitHub's default setting that blocks users from publishing SSH keys or other secrets in public code repositories. [5]
GitGuardian security researcher Guillaume Valadon discovered the exposure during routine scanning of public code repositories and alerted KrebsOnSecurity after the contractor who maintained the GitHub account did not respond to direct alerts. The exposed credentials were used for accessing systems belonging to CISA and its parent agency, the Department of Homeland Security, and included access tokens, cloud keys, and other sensitive files. [6] The GitHub account was taken offline shortly after both KrebsOnSecurity and Seralys notified CISA. The exposed AWS keys, however, remained valid for an additional 48 hours after the repository was removed. [7] CISA stated it found "no indication that any sensitive data was compromised," while adding it would implement additional safeguards [POLITICO][5]. The agency has not publicly stated whether all compromised credentials have been rotated.
The memos issued by CISA's senior security officials give operators of the three affected systems until Sept. 3 to remediate identified deficiencies [POLITICO]. The documents specify that failure to meet that target, or insufficient documented progress toward it, could result in restrictions to system access or complete revocation of access rights [POLITICO]. The corrective action timeline tracks NIST SP 800-53, which governs security and privacy controls for federal information systems and requires agencies to establish plans of action and milestones for remediating weaknesses identified during security assessments. Operators subject to these controls carry personal accountability for maintaining authorization boundaries on systems under their management.
The incident drew immediate congressional attention. Sen. Maggie Hassan, D-N.H., a senior member of the Senate Homeland Security Committee, issued a request for an urgent classified briefing from CISA, which operates as a component of DHS. [8] Rep. Bennie Thompson of Mississippi, the ranking Democrat on the House Homeland Security Committee, and Rep. Delia Ramirez, the ranking Democrat on the panel's cyber subcommittee, separately demanded a briefing from CISA Acting Director Nick Andersen in a letter, seeking information on how the lapse occurred, potential security consequences, remediation activities, and corrective actions taken against the contractor personnel involved. [9] Nightwing declined to comment and referred all inquiries to CISA [1][9].
The incident occurs against a documented backdrop of institutional strain at CISA. The agency has experienced a significant reduction in its workforce during President Donald Trump's second administration. Approximately one-third of CISA staff, roughly 1,000 employees including most of its senior officials, have departed, bringing the agency's headcount to approximately 2,200. [10] CISA has been without a permanent director since Jan. 20, 2025, when then-Director Jen Easterly stepped down ahead of the incoming administration. [6] Separately, Nightwing's Engagement Support Services contract with CISA was among several CISA contracts identified as at risk of expiration amid a departmental mandate requiring DHS Secretary Kristi Noem's office to directly approve virtually all department contracts. [11] That contractual uncertainty is now compounded by the remediation obligations the June 5 memos impose on Nightwing-supported systems.
—
References
[1] Krebs on Security. (2026, May 18). CISA Admin Leaked AWS GovCloud Keys on Github. https://krebsonsecurity.com/2026/05/cisa-admin-leaked-aws-govcloud-keys-on-github/
[2] Biometric Update. (2026, May 20). GitHub leak exposed CISA, DHS GovCloud keys, internal credentials. https://www.biometricupdate.com/202605/github-leak-exposed-cisa-dhs-govcloud-keys-internal-credentials
[3] SC Media. (2026, May 20). CISA contractor's public GitHub repo exposed sensitive government credentials. https://www.scworld.com/brief/cisa-contractors-public-github-repo-exposed-sensitive-government-credentials
[4] Cybernews. (2026, May 21). US cybersecurity agency CISA exposed passwords and AWS credentials on public GitHub repository. https://cybernews.com/security/cisa-844-mb-plaintext-passwords-aws-tokens-github/
[5] TechCrunch. (2026, May 19). US cyber agency CISA exposed reams of passwords and cloud keys to the open web. https://techcrunch.com/2026/05/19/us-cyber-agency-cisa-exposed-reams-of-passwords-and-cloud-keys-to-the-open-web/
[6] TechCrunch. (2026, May 19). US cyber agency CISA exposed reams of passwords and cloud keys to the open web. https://techcrunch.com/2026/05/19/us-cyber-agency-cisa-exposed-reams-of-passwords-and-cloud-keys-to-the-open-web/
[7] Krebs on Security. (2026, May 18). CISA Admin Leaked AWS GovCloud Keys on Github. https://krebsonsecurity.com/2026/05/cisa-admin-leaked-aws-govcloud-keys-on-github/
[8] U.S. Senator Maggie Hassan. (2026, May 19). Senator Hassan Presses for Answers on Major Reported Data Leak at Leading Cybersecurity Agency. https://www.hassan.senate.gov/news/press-releases/senator-hassan-presses-for-answers-on-major-reported-data-leak-at-leading-cybersecurity-agency
[9] CyberScoop. (2026, May 20). CISA credential leak raises alarms, and Capitol Hill demands answers. https://cyberscoop.com/cisa-credential-leak-congress-demands-answers/
[10] Biometric Update. (2026, June). GitHub exposure points to broader contractor identity security gaps at CISA. https://www.biometricupdate.com/202606/github-exposure-points-to-broader-contractor-identity-security-gaps-at-cisa
[11] Cybersecurity Dive. (2025, July 30). CISA's Joint Cyber Defense Collaborative takes major personnel hit. https://www.cybersecuritydive.com/news/cisa-joint-cyber-defense-collaborative-contract-lapse/756231/