CISA's Own Credentials Were Sitting on GitHub for Six Months

This Week Health, Jun 9, 2026

Why It Matters

The exposure of CISA’s own secrets erodes trust in the nation’s cyber‑defense authority and shows how contractor mismanagement can create a long‑lasting attack surface for adversaries.

Key Takeaways

  • CISA credentials exposed publicly on GitHub for six months.
  • 844 MB repo contained plain‑text passwords, AWS keys, SSH keys.
  • Contractor disabled GitHub secret‑scanning protections before publishing repository.
  • Leak discovered by GitGuardian; AWS keys remained active 48 hours.
  • Raises concerns about contractor oversight and agency cybersecurity trust.

Summary

The video reports that a public GitHub repository named “private‑CISA,” hosted by a Nightwing contractor, exposed CISA’s internal credentials for six months.

The 844 MB repo included a CSV of plain‑text passwords for AWS Workspaces, admin credentials for three GovCloud servers, SSH keys, access tokens, and internal deployment documentation, with passwords following a predictable “platform‑2025” pattern. GitGuardian’s scanner flagged the leak on May 15; the repository was removed after a tip to Krebs on Security, but the AWS keys remained valid for another 48 hours.

Researchers called the breach “the worst leak I’ve ever witnessed.” The contractor had deliberately disabled GitHub’s default secret‑scanning feature, and when GitGuardian’s outreach went unanswered, the issue was escalated to the media.
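As an added example, not code from the video, GitGuardian or GitHub: a small Python scanner a team could run in CI as a compensating control when repository-side secret scanning has been turned off, covering the three artefact classes the summary names (AWS access key IDs, private-key blocks, and a CSV of plain-text passwords following a word-year pattern). The rule patterns and the sample repository contents are constructed for illustration.

```python
import csv
import io
import re
from typing import Dict, List, Tuple

# Line-level rules for two leaked credential classes (regexes constructed for this example).
LINE_RULES: Dict[str, re.Pattern] = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |OPENSSH |EC )?PRIVATE KEY-----"),
}
# "<word>-<year>" shape of the predictable passwords reported in the repo's CSV.
PREDICTABLE_PASSWORD = re.compile(r"^[A-Za-z]+[-_]?20\d{2}[!@#$]?$")
Finding = Tuple[str, str, int]  # (rule, path, line number)

def scan_lines(path: str, text: str) -> List[Finding]:
    """Apply every line-level rule to one file's contents."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in LINE_RULES.items():
            if pattern.search(line):
                hits.append((rule, path, lineno))
    return hits

def scan_password_csv(path: str, text: str) -> List[Finding]:
    """Flag any CSV with a password column, then flag predictable values in it."""
    reader = csv.DictReader(io.StringIO(text))
    cols = [c for c in (reader.fieldnames or []) if "password" in c.lower()]
    if not cols:
        return []
    hits = [("plaintext_password_column", path, 1)]
    for lineno, row in enumerate(reader, start=2):  # header is line 1
        if any(PREDICTABLE_PASSWORD.match(row.get(c) or "") for c in cols):
            hits.append(("predictable_password", path, lineno))
    return hits

def scan_files(files: Dict[str, str]) -> List[Finding]:
    """Scan a mapping of path -> content; CSVs also get the password-column check."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_lines(path, text))
        if path.lower().endswith(".csv"):
            findings.extend(scan_password_csv(path, text))
    return findings

# Constructed sample input mimicking the leaked repo's artefact types.
SAMPLE_REPO = {
    "deploy/workspaces.csv": "user,password\nalice,platform-2025\nbob,Xy7#qL9!vT2m\n",
    "config/aws.env": "AWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE01\n",
    "keys/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\n(constructed placeholder)\n",
}
```

Running it against a real checkout only requires reading each file under the repository root into the path -> content mapping; the CSV rule deliberately flags the password column itself, since a plain-text password file is a finding regardless of how strong the individual values are.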

The incident undermines confidence in CISA, the agency that issues cybersecurity directives to hospitals and critical‑infrastructure operators, and highlights gaps in contractor oversight, the need for stricter secret‑management policies, and the risk of prolonged exposure to threat actors.

Original Description

CISA -- the federal agency whose job it is to protect America's critical infrastructure -- had its own internal credentials sitting in a public GitHub repository for six months. Plain text passwords. AWS GovCloud keys. SSH access tokens. Visible to anyone on the internet with a browser.
What makes this worse: the contractor who created the repository didn't slip up accidentally. They actively disabled the default GitHub protections designed to prevent exactly this from happening. And when the repository finally came down, those AWS keys stayed valid for another 48 hours before anyone thought to revoke them.
Drex brings this back to the question every health system CISO should be sitting with: How many contractors have access to your most sensitive systems right now -- and if one of them made this choice six months ago, would you even know today?
Remember, Stay a Little Paranoid
Donate: Alex’s Lemonade Stand: Foundation for Childhood Cancer - https://www.alexslemonade.org/mypage/3173454
