One of the most egregious government data leaks in recent history might be the leak of a public Cybersecurity & Infrastructure Security Agency (CISA) GitHub repository, maintained by a contractor, that exposed credentials to several highly privileged AWS GovCloud accounts and a large number of internal CISA systems.
Security experts said the public archive had files about how CISA makes, tests, and uses software inside the organization.
On May 15, KrebsOnSecurity got a message from Guillaume Valadon, a researcher at GitGuardian. His company constantly scans public code sites like GitHub for exposed secrets and alerts the account owners when it finds sensitive data. Valadon contacted KrebsOnSecurity because the owner wasn’t replying and the exposed information was very sensitive.
The “Private-CISA” repository was open to the public until mid-May 2026. It held a lot of sensitive information, such as AWS GovCloud login credentials, plaintext passwords, API keys, and internal system details.

A file called “AWS-Workspace-Firefox-Passwords.csv” contained many plaintext usernames and passwords linked to CISA systems, including a DevSecOps area known as “LZ-DSO.”
Philippe Caturegli, founder of security consultancy Seralys, said some of the exposed AWS credentials were still valid at the time of discovery and provided high-level access. He noted that the repository also contained credentials for CISA’s internal “artifactory,” a centralized system for storing and distributing software components.
This type of access could allow attackers to insert malicious code into software pipelines.
KrebsOnSecurity said that the exposed data was connected to a contractor from Nightwing, a government services company in the U.S. The account had been open since 2018, and the “Private-CISA” folder was set up in November 2025.

CISA acknowledged the incident, saying:
“Currently, there is no indication that any sensitive data was compromised as a result of this incident[…] While we hold our team members to the highest standards of integrity and operational awareness, we are working to ensure additional safeguards are implemented to prevent future occurrences.”
