A Nightwing contractor’s public “Private-CISA” GitHub repo exposed AWS GovCloud admin keys, plaintext passwords, and CISA DevSecOps build secrets from Nov 2025 to May 2026.
Key Takeaways
Files included importantAWStokens (admin creds to 3 AWS GovCloud accounts) and AWS-Workspace-Firefox-Passwords.csv (dozens of plaintext CISA system passwords).
The contractor manually disabled GitHub’s built-in secret scanning, then stored backups, SSH keys, and CSV passwords in a public repo apparently used to sync between work and home machines.
Artifactory credentials were also exposed, creating a supply-chain backdoor risk: attackers could inject malicious packages into every CISA build pipeline.
AWS keys remained valid for 48 hours after CISA was notified; many passwords followed the pattern platformname+year, weak even if never externally exposed.
CISA is operating at roughly two-thirds staffing after Trump-era cuts, and the contractor Nightwing declined all comment.
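The takeaways above describe a sync repo with GitHub's secret scanning switched off, a file of AWS tokens, an SSH key, and a CSV of browser-exported passwords following the platformname+year pattern. As an added example that is not from the article, the repo, or GitHub's own scanner, here is a small Python check a team could run as a pre-commit or CI gate over a constructed in-memory snapshot of files (every value is fabricated; the AWS key ID is AWS's documented example value, the file names echo the ones in the takeaways). It flags AWS access key IDs, PEM private-key blocks, KEY=value assignments whose name suggests a secret (which also covers the .env files discussed in the comment review), and CSV password exports, and tests each exported password against the platformname+year pattern.

```python
import csv
import io
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

# Constructed in-memory "repo snapshot" (path -> contents). Every value is fabricated
# for this example; the AWS key ID is AWS's documented example value, not a live key.
SAMPLE_REPO: Dict[str, str] = {
    "README.md": "Sync repo for work and home laptops.\n",
    "importantAWStokens": (
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    ".env": "ARTIFACTORY_TOKEN=cmVmdGtuOjAxOmV4YW1wbGU=\n",
    "AWS-Workspace-Firefox-Passwords.csv": (
        "url,username,password\n"
        "https://splunk.example.gov,jdoe,Splunk2025\n"
        "https://jira.example.gov,jdoe,Jira2024!\n"
        "https://grafana.example.gov,jdoe,xK9#mQ2vL8pR\n"
    ),
    "id_ed25519": (
        "-----BEGIN OPENSSH PRIVATE KEY-----\n"
        "b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAAB\n"
        "-----END OPENSSH PRIVATE KEY-----\n"
    ),
}

AWS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
PRIVATE_KEY = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")
# KEY=value lines whose variable name suggests a secret (this is what catches .env files)
SECRET_ASSIGN = re.compile(
    r"^\s*([A-Z0-9_]*(?:SECRET|TOKEN|PASSWORD|PASSWD|API_KEY)[A-Z0-9_]*)\s*=\s*\S+",
    re.MULTILINE,
)
# a word, then a four-digit year, then at most two trailing symbols: the platformname+year shape
NAME_PLUS_YEAR = re.compile(r"^([A-Za-z]+)(?:19|20)\d{2}[^A-Za-z0-9]{0,2}$")

Finding = Tuple[str, str, str]  # (path, kind, detail)


def weak_password_reason(password: str, platform: str) -> Optional[str]:
    """Return why a password is weak, or None if none of the simple checks fire."""
    m = NAME_PLUS_YEAR.match(password)
    if m and m.group(1).lower() == platform.lower():
        return "platform name + year"
    if m:
        return "word + year"
    if len(password) < 12:
        return "shorter than 12 characters"
    return None


def _scan_password_csv(path: str, content: str) -> List[Finding]:
    """Treat any CSV with a 'password' column as a plaintext credential export."""
    rows = list(csv.DictReader(io.StringIO(content)))
    if not rows:
        return []
    cols = {c.lower(): c for c in rows[0].keys()}
    if "password" not in cols:
        return []
    findings: List[Finding] = [(path, "plaintext-password-file", f"{len(rows)} passwords")]
    for row in rows:
        url = row.get(cols["url"], "") if "url" in cols else ""
        user = row.get(cols["username"], "?") if "username" in cols else "?"
        platform = (urlparse(url).hostname or "").split(".")[0]  # "splunk" from splunk.example.gov
        reason = weak_password_reason(row[cols["password"]], platform)
        if reason:
            findings.append((path, "weak-password", f"{user}@{platform}: {reason}"))
    return findings


def scan_repo(files: Dict[str, str]) -> List[Finding]:
    """Run every check over every file; details never include a secret value itself."""
    findings: List[Finding] = []
    for path, content in files.items():
        for m in AWS_KEY_ID.finditer(content):
            findings.append((path, "aws-access-key-id", m.group(0)[:4] + "..."))
        if PRIVATE_KEY.search(content):
            findings.append((path, "private-key", "PEM private key block"))
        for m in SECRET_ASSIGN.finditer(content):
            findings.append((path, "secret-assignment", m.group(1)))  # variable name only
        if path.lower().endswith(".csv"):
            findings.extend(_scan_password_csv(path, content))
    return findings


if __name__ == "__main__":
    for path, kind, detail in scan_repo(SAMPLE_REPO):
        print(f"{path}: {kind} ({detail})")
```

Run against the sample snapshot, only README.md comes back clean: the token file yields both an AWS key ID and a secret assignment, the .env file a secret assignment, the SSH key a private-key block, and the CSV a plaintext-password-file finding plus two platformname+year passwords. The checks are deliberately pattern-based so they work on a machine with no network, which is exactly the situation where a built-in scanner has been turned off.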
Hacker News Comment Review
Commenters flagged a broader, underappreciated risk: LLM coding assistants routinely read .env files and secrets on disk without triggering secret-scanning alerts, silently shipping them to model providers.
There is strong consensus that static long-lived AWS credentials are the root structural problem; hyperscaler OIDC/role-based auth exists but adoption gaps remain, with specific platforms like Railway cited as still lacking AWS role/OIDC support.
Several commenters questioned whether the incident was pure incompetence or deliberate sabotage, pointing to the November 2025 timing and the DHS acting CSO controversy from the same period.
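The consensus point above, that static long-lived AWS credentials are the structural problem, pairs with the 48-hour revocation lag in the takeaways: the first step toward role-based or OIDC federation is knowing which IAM users still hold static keys and how old they are. As an added example, not from the article or any commenter, here is a Python audit over a constructed credential report in the column layout of `aws iam generate-credential-report` (a subset of its columns; the account id, user names and timestamps are fabricated). It flags active access keys older than a rotation threshold, console users without MFA, and any access key on the root account. Roles assumed through OIDC federation receive short-lived STS credentials and never appear in this report, so what the audit lists is precisely the residue that a migration to federated roles should shrink to nothing.

```python
import csv
import io
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed sample in the column layout of `aws iam generate-credential-report`
# (subset of columns). Account id, users and timestamps are fabricated for this example;
# the aws-us-gov partition in the ARNs is the one GovCloud accounts use.
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws-us-gov:iam::123456789012:root,2023-01-10T00:00:00+00:00,not_supported,true,false,N/A,N/A,false,N/A,N/A
ci-deploy,arn:aws-us-gov:iam::123456789012:user/ci-deploy,2024-02-01T00:00:00+00:00,false,false,true,2024-02-01T00:00:00+00:00,2026-05-01T12:00:00+00:00,false,N/A,N/A
jdoe-admin,arn:aws-us-gov:iam::123456789012:user/jdoe-admin,2025-11-03T00:00:00+00:00,true,false,true,2025-11-03T00:00:00+00:00,2026-05-05T09:00:00+00:00,false,N/A,N/A
svc-rotated,arn:aws-us-gov:iam::123456789012:user/svc-rotated,2026-04-20T00:00:00+00:00,false,false,true,2026-04-20T00:00:00+00:00,2026-05-01T00:00:00+00:00,false,N/A,N/A
"""

# Fixed "now" so the example is reproducible offline (assumption for this example).
FIXED_NOW = datetime(2026, 5, 20, tzinfo=timezone.utc)


def _parse_ts(value: str) -> Optional[datetime]:
    """Return an aware datetime, or None for the report's N/A / no_information markers."""
    if value in ("", "N/A", "no_information", "not_supported"):
        return None
    return datetime.fromisoformat(value)


def audit_credential_report(report_text: str, now: datetime,
                            max_key_age_days: int = 90) -> List[Dict[str, str]]:
    """Return one finding per problem: stale static keys, root keys, passwords without MFA."""
    findings: List[Dict[str, str]] = []
    for row in csv.DictReader(io.StringIO(report_text)):
        user = row["user"]
        # A console password is a long-lived credential too; without MFA it is a single factor.
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append({"user": user, "issue": "console-password-without-mfa",
                             "detail": "password enabled, MFA inactive"})
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            if user == "<root_account>":
                findings.append({"user": user, "issue": "root-access-key",
                                 "detail": f"key {slot} active on root"})
            rotated = _parse_ts(row[f"access_key_{slot}_last_rotated"])
            age_days = (now - rotated).days if rotated else None
            # Unknown rotation date is treated as stale rather than silently trusted.
            if age_days is None or age_days > max_key_age_days:
                findings.append({"user": user, "issue": "stale-access-key",
                                 "detail": f"key {slot} age {age_days} days (limit {max_key_age_days})"})
    return findings


def users_with_static_keys(report_text: str) -> List[str]:
    """Inventory of every IAM user that still holds any active static access key."""
    users = []
    for row in csv.DictReader(io.StringIO(report_text)):
        if any(row[f"access_key_{s}_active"] == "true" for s in ("1", "2")):
            users.append(row["user"])
    return users


if __name__ == "__main__":
    print("users still on static keys:", users_with_static_keys(SAMPLE_REPORT))
    for f in audit_credential_report(SAMPLE_REPORT, FIXED_NOW):
        print(f"{f['user']}: {f['issue']} ({f['detail']})")
```

With the fixed date, ci-deploy and jdoe-admin are flagged for keys rotated well over 90 days earlier, jdoe-admin additionally for a console password with no MFA, while svc-rotated (rotated 30 days earlier) passes. The inventory function is the useful part during a migration: each user on it is a workload that still needs a role trust policy and an identity-provider binding before its static key can be deleted.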
Notable Comments
@dcrazy: Notes the irony that federal CAC smartcard auth has existed for decades yet government cloud infrastructure still runs on passwords.
@debarshri: Points out the same CISA team also uploaded sensitive documents to ChatGPT, suggesting a pattern beyond this single incident.