

Security researcher Brian Krebs brings us news that America's Cybersecurity & Infrastructure Agency (CISA) has had many private repositories, SSH private keys, tokens, and “other CISA resources” exposed on GitHub since at least November 2025.
A public repo that is currently not available online – named, rather ambitiously, “Private-CISA” – was reported to Krebs by GitGuardian's Guillaume Valadon, who was alerted to the repo’s existence by GitGuardian’s public code scans. Krebs says Valadon approached him after receiving feedback from the owners of the Private-CISA repo.
In an email to Krebs, Valadon said that the repo’s documentation showed that GitHub’s default privacy protections — safeguards that protect the unwitting or ignorant from this kind of stupidity — had been disabled by the repo administrator.
Testing by Seralys founder Philippe Caturegli indicated that this was not a joke or a hoax: he was able to use the information contained in the Private-CISA repo to gain access to multiple Amazon Web Services GovCloud accounts “on a large scale.”
Krebs says the repo appears to be tied to Virginia-based CISA contractor Nightwing. Nightwing has so far not responded publicly, instead directing questions to CISA.
This isn’t the first time CISA has gone awry—in fact, it’s not even the first time this year. In January, polygraph-failing CISA managing director Madhu Gottumukkala uploaded official documents to ChatGPT after requesting and receiving an exemption from the agency policy that prohibits the use of ChatGPT by CISA employees. Gottumukkala was removed from his post in February.