A Nightwing contractor’s public “Private-CISA” GitHub repo exposed AWS GovCloud admin keys, plaintext passwords, and CISA internal system credentials for ~6 months.
Key Takeaways
Repo named “Private-CISA” contained importantAWStokens (three AWS GovCloud admin credentials), AWS-Workspace-Firefox-Passwords.csv with dozens of plaintext logins, and access to CISA’s Artifactory build pipeline.
The contractor manually disabled GitHub’s built-in secret scanning, then used the repo as a sync scratchpad between work and home machines since November 2025.
Exposed AWS keys remained valid for 48 hours after CISA was notified and the repo was taken down.
Artifactory access is the highest-severity vector: an attacker could backdoor software packages and propagate implants through every subsequent CISA build and deployment.
Many credentials followed the pattern platformname+year, which is weak even if never externally exposed. CISA is operating at roughly two-thirds of normal staffing.
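The two controls the takeaways above point at (a secret scanner that was switched off, and a password convention nobody audited) are easy to reproduce locally. The block below is an added example, not code from the original article, the contractor, CISA or GitGuardian: a small pre-commit style scanner that flags AWS access key IDs and labelled secret keys, flags every row of a browser password export as plaintext, and separately flags passwords that follow the platformname+year convention. The AWS key patterns are the generally documented formats (a 4-character AKIA/ASIA prefix plus 16 characters; a 40-character secret), the key pair used in the sample is the AWS documentation placeholder, and the sample files, paths and the simplified url/username/password CSV layout are constructed for the example.

```python
import csv
import io
import re
from collections import Counter
from dataclasses import dataclass

# AWS access key IDs are 20 characters: AKIA (long-lived IAM user key) or
# ASIA (temporary STS key) followed by 16 uppercase alphanumerics.
AWS_KEY_ID = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# Secret access keys are 40 characters; require the label in front of them so
# arbitrary 40-character strings do not trigger findings.
AWS_SECRET = re.compile(r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+]{40})")
# The weak convention called out in the takeaways: a platform name followed by a year.
PLATFORM_YEAR = re.compile(r"^(?P<platform>[a-z]+)(?P<year>20\d{2})$", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    kind: str
    detail: str  # redacted preview only; never echo the full secret


def scan_text(path, text):
    """Flag AWS key material in any text file, one finding per hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in AWS_KEY_ID.finditer(line):
            findings.append(Finding(path, lineno, "aws_access_key_id", m.group(0)[:8] + "..."))
        for m in AWS_SECRET.finditer(line):
            findings.append(Finding(path, lineno, "aws_secret_access_key", "40-char secret after label"))
    return findings


def scan_password_csv(path, text):
    """Every row of a password export is a plaintext credential; additionally flag
    passwords that follow the platformname+year convention."""
    findings = []
    for lineno, row in enumerate(csv.DictReader(io.StringIO(text)), start=2):  # header is line 1
        password = row.get("password") or ""
        findings.append(Finding(path, lineno, "plaintext_password",
                                f"{row.get('username')} @ {row.get('url')}"))
        m = PLATFORM_YEAR.match(password)
        if m:
            findings.append(Finding(path, lineno, "weak_platform_year_password",
                                    f"{m['platform'].lower()}+{m['year']}"))
    return findings


def scan_files(files):
    """files maps path -> content, as a pre-commit hook would see staged files."""
    findings = []
    for path, text in files.items():
        if path.lower().endswith(".csv"):
            findings.extend(scan_password_csv(path, text))
        findings.extend(scan_text(path, text))
    return findings


def summarize(findings):
    return dict(Counter(f.kind for f in findings))


def has_blocking_findings(findings):
    """A hook would refuse the commit on any AWS key material."""
    return any(f.kind.startswith("aws_") for f in findings)


# Constructed sample files (hypothetical paths; AWS documentation placeholder key pair).
SAMPLE_FILES = {
    "notes/aws-creds.txt": (
        "# constructed sample\n"
        "[govcloud-admin]\n"
        "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
        "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    "exports/browser-passwords.csv": (
        "url,username,password\n"
        "https://jira.example.gov,alice,jira2025\n"
        "https://artifactory.example.gov,build-svc,9vL!q2#Xr8pW\n"
    ),
}

if __name__ == "__main__":
    results = scan_files(SAMPLE_FILES)
    for f in results:
        print(f"{f.path}:{f.line}: {f.kind} ({f.detail})")
    print(summarize(results))
    raise SystemExit(1 if has_blocking_findings(results) else 0)
```

Run as a script it prints five findings and exits non-zero because of the AWS key material; wired into a pre-commit hook, that exit code is what blocks the push before a public repository ever sees the file. The password-export check deliberately flags every row, not only the weak ones: a plaintext credential export has no business in a repository regardless of password quality.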
Hacker News Comment Review
Commenters flagged a compounding risk: LLM coding assistants reading .env files or secrets on disk can silently exfiltrate credentials to third-party model providers without triggering any secret-scanning alert.
Consensus is that the 6-month detection gap points to scanner coverage limits or growth outpacing tooling, not just individual negligence; the broader takeaway is that external services like GitGuardian remain the last line of defense when internal controls are disabled.
The Artifactory supply-chain angle received little direct comment, but several users noted the staffing cuts as structural context explaining why no internal process caught this.
Notable Comments
@epistasis: LLM tools reading secrets from disk “ship it off to be training data” with no flags raised – a blind spot most secret-scanning workflows miss entirely.
@itintheory: Questions why scanners took months, not days, to surface the leak – suggesting GitHub’s scale may be outpacing automated detection pipelines.