A seven-month leak that publicly exposed CISA system credentials was recently discovered, just as the agency gains new leadership in Dr. Ryan Donaghy.
On May 18th, 2026, KrebsOnSecurity broke the news about highly sensitive credentials from the Cybersecurity and Infrastructure Security Agency (CISA) being leaked on GitHub. The site, “a cloud-based platform where you can store, share, and work together with others to write code,” is used by more than 180 million developers. KrebsOnSecurity was alerted to the leak on the 15th by GitGuardian security researcher Guillaume Valadon, who explained that his company discovered the 844 MB public repository and attempted to contact the owner, but felt forced to go public when they could not reach them.
Valadon shared that the appropriately titled “Private-CISA” repository held key credentials for CISA and the Department of Homeland Security, like logs, tokens, cloud keys, and even passwords in plaintext. Files like “importantAWStokens” held credentials for three Amazon AWS GovCloud Servers, while “AWS-Workspace-Firefox-Passwords.csv” contained passwords for several internal CISA networks. The breach was so blatant that Valadon first thought it was false: “I honestly believed that it was all fake before analyzing the content deeper. This is indeed the worst leak that I’ve witnessed in my career. It is obviously an individual’s mistake, but I believe that it might reveal internal practices.”
The repository, which was created on November 13th, 2025, is in fact attributed to Nightwing, a government contractor that CISA worked with. Curiously enough, Nightwing was previously penalized (alongside Raytheon, another government contractor) for non-compliance with cybersecurity requirements for contractors working with the Department of Defense. The two were forced to pay $8.4 million in a settlement, drawing commentary from government officials, like from William W. Richards, the Special Agent in Charge of the Air Force Office of Special Investigations (AFOSI): “Failure to implement cybersecurity requirements can have devastating consequences, leaving sensitive DoD data vulnerable to cyber threats and malicious actors”.
The founder and Chief Hacking Officer of Security at cybersecurity firm Seralys, Phillipe Caterugeli, posed that the repository was made to help the contractor work from home: “The use of both a CISA-associated email address and a personal email address suggests the repository may have been used across differently configured environments…What I suspect happened is [the CISA contractor] was using this GitHub to synchronize files between a work laptop and a home computer, because he has regularly committed to this repo since November 2025.”
Unsurprisingly, the leak stirred up concern about malicious threat actors using the information to keep access to the internal systems of the nation’s top cybersecurity agency. According to CISA, the leak (which continued for nearly 7 months), did not result in any serious harm: “Currently, there is no indication that any sensitive data was compromised as a result of this incident. While we hold our team members to the highest standards of integrity and operational awareness, we are working to ensure additional safeguards are implemented to prevent future occurrences.” Fortunately, the leak was resolved in just 26 hours since the GitGuardian discovery on May 14th, with CISA taking down the repository in just 8 hours after being directly contacted.
Though the leak was sealed in a weekend, the fallout over the breach continues. Rep. Bennie Thomson (D-MS), the leading Democrat on the Homeland Security Committee, and Rep. Delia Ramirez (D-IL) jointly signed a letter to Nick Andersen, the Acting Director of CISA, requesting that the agency schedule a briefing about the incident. The Representatives explained that they were “concerned that this incident reflects a diminished security culture and/or an inability for CISA to adequately manage its contract support”, in reference to the extensive cuts that the agency has faced at the hands of the Department of Government Agency (DOGE). Another politician, Senator Maggie Hassan (D-NH), also sent a letter to Andersen asking for a debrief and similarly linked the incident to the series of changes that started in Trump’s second term.
These commenters may also view more recent developments in CISA as signs that the agency is losing its ability to uphold security internally and nationally. While artificial intelligence (AI) becomes more commonplace across industries, CISA appears unprepared to address emerging threats related to the rapidly advancing technology. The role of chief AI officer remains unfilled after the departure of Lisa Einstein in February - a leadership gap that is only one of many in the agency that still does not have a permanent director. Even when other agencies are working with AI tools like Anthropic’s Mythos model, CISA has been excluded from the conversation. In reference to AI threats, an industry source to Axios described these developments as counterproductive: “Rather than preparing the roof when the skies are sunny, we’re choosing to punch holes in it. Now, the storm has arrived.”
Even in this “storm”, CISA has managed to make some progress around leadership. On May 21st, 2026, the agency shared that Dr. Ryan Donaghy would be serving as their first Chief Operating Officer in a LinkedIn post, allowing her to advise leadership across business, financial, and policy management. Dr. Donaghy has a history at CISA, as she joined in 2016 and “served in multiple leadership roles, supporting CISA’s critical infrastructure, partnership, and cybersecurity missions.” This experience will likely come in handy as CISA navigates the data breach and addresses their positioning for growing AI threats.