May 20, 2026
ManyPress
Technology

In stunning display of stupid, secret CISA credentials found in public GitHub repo

Security researcher Brian Krebs brings us the news that America’s Cybersecurity & Infrastructure Agency (CISA) has had a large store of plaintext passwords, SSH private keys, tokens, and “other sensit

NF

ManyPress Editorial Team

ManyPress Editorial

May 19, 2026 · 6:27 PM2 min readSource: Ars Technica
In stunning display of stupid, secret CISA credentials found in public GitHub repo

Security researcher Brian Krebs brings us the news that America’s Cybersecurity & Infrastructure Agency (CISA) has had a large store of plaintext passwords, SSH private keys, tokens, and “other sensitive CISA assets” exposed in a public GitHub repo since at least November 2025. The now-offline public repo—named, somewhat aspirationally, “Private-CISA”—was brought to Krebs’ attention by GitGuardian’s Guillaume Valadon , who was alerted to the repo’s presence by GitGuardian’s public code scans. Kr

In an email to Krebs, Valadon claimed that the repo’s commit logs show that GitHub’s default protections against committing secrets—protections designed to protect unwitting or unskilled developers against exactly this kind of stupidness—had been disabled by the repo’s administrator. Testing by Seralys founder Philippe Caturegli showed that this was not a joke or hoax and that he was able to use the credentials in the Private-CISA repo to gain access to multiple Amazon Web Services GovCloud accounts “at a high privilege level.” Krebs notes that the repo appeared to be managed by Virginia-based Nightwing , a CISA contractor. Nightwing has so far not commented publicly, instead referring questions back to CISA. This isn’t the first time CISA has screwed up—in fact, it’s not even the first time this year . In January, polygraph-failing acting CISA Director Madhu Gottumukkala uploaded sensitive government documents to ChatGPT after demanding and receiving an exemption to the agency policy that prohibited ChatGPT’s use by CISA personnel. Gottumukkala was removed from his role in February .

Key points

  • In an email to Krebs, Valadon claimed that the repo’s commit logs show that GitHub’s default protections against committing secrets—protections designed to protect unwitting or unskilled developers…
  • Testing by Seralys founder Philippe Caturegli showed that this was not a joke or hoax and that he was able to use the credentials in the Private-CISA repo to gain access to multiple Amazon Web Serv…
  • Nightwing has so far not commented publicly, instead referring questions back to CISA.
  • This isn’t the first time CISA has screwed up—in fact, it’s not even the first time this year .
  • In January, polygraph-failing acting CISA Director Madhu Gottumukkala uploaded sensitive government documents to ChatGPT after demanding and receiving an exemption to the agency policy that prohibi…

AdvertisementAd Placeholder — Configure AdSense in .env.localNEXT_PUBLIC_ADSENSE_CLIENT=ca-pub-XXXXXXXX

This article was independently rewritten by ManyPress editorial AI from reporting originally published by Ars Technica.

Share:X / TwitterFacebookLinkedIn

Technology

Google just declared itself a contender in AI design at IO 2026Technology

Google just declared itself a contender in AI design at IO 2026

Google announced at its annual Google I/O event on Tuesday that it’s launching Pics, a new AI-powered design and image-generation app for Google Workspace. The tech giant says it designed the app to b

TechCrunch
about 7 hours ago·3 min read
You can now talk to your Gmail inbox, as seen at Google IO 2026Technology

You can now talk to your Gmail inbox, as seen at Google IO 2026

Google isn’t finished infusing AI into your inbox. On Tuesday at their IO 2026 developer conference , the tech giant announced an expansion of its “AI Inbox” functionality for Gmail , which is adding

TechCrunch
about 7 hours ago·3 min read
Two AI-based science assistants succeed with drug-retargeting tasksTechnology

Two AI-based science assistants succeed with drug-retargeting tasks

Both tools generate hypotheses; one goes on to analyze some of the data. On Tuesday, Nature released two papers describing AI systems intended to help scientists develop and test hypotheses. One, Goog

Ars Technica
about 10 hours ago·3 min read
Google's SynthID AI watermarking tech is being adopted by OpenAI, Nvidia, and moreTechnology

Google's SynthID AI watermarking tech is being adopted by OpenAI, Nvidia, and more

Last year, Google added support for SynthID detection in the Gemini app. You can upload the suspect content and ask the chatbot if it’s AI-generated. This should work reliably with all those billions

Ars Technica
about 10 hours ago·2 min read