What Happened
A contractor working for the Cybersecurity and Infrastructure Security Agency (CISA), employed by government services firm Nightwing, maintained a public GitHub repository named “Private-CISA” from November 13, 2025, until May 18, 2026 — a period of roughly six months. The repository contained plaintext credentials for three highly privileged AWS GovCloud accounts, usernames and passwords for dozens of internal CISA systems stored in a CSV file, Kubernetes configuration files, SAML certificates, and detailed documentation of CISA’s internal software build and deployment processes.
Security researcher Guillaume Valadon of GitGuardian flagged the repository on May 15. Independent security consultant Philippe Caturegli validated that the exposed AWS keys were still active and confirmed they authenticated to CISA’s AWS GovCloud environments at an administrative privilege level. Among the most serious exposures was access to CISA’s internal Artifactory instance — the repository storing all code packages the agency uses to build software. The contractor had also disabled GitHub’s default secret-scanning protections before committing the files.
CISA pulled the repository offline within 26 hours of being notified. The exposed AWS keys inexplicably remained valid for a further 48 hours. CISA stated it found no evidence of active exploitation but confirmed the incident is under investigation. Nightwing declined to comment, directing all questions to CISA.
Why This Matters for Canadian Organizations
The breach is significant beyond the United States for several reasons that directly affect Canadian security teams.
CISA is the primary source of threat intelligence, vulnerability advisories, and cybersecurity guidance that Canadian security professionals rely on daily. The Canadian Centre for Cyber Security (CCCS) co-signs advisories with CISA, and many Canadian federal departments, Crown corporations, and private sector security teams treat CISA Known Exploited Vulnerabilities (KEV) deadlines and advisories as authoritative benchmarks for their own patch management programs. A breach of CISA’s internal development environment — particularly its Artifactory instance — raises the unconfirmed possibility of software supply chain tampering. Canadian organizations consuming CISA-distributed tools or software should treat this as a prompt to review the integrity of any tooling sourced through US federal channels.
More broadly, the incident illustrates a systemic failure: a contractor disabled default security controls, used GitHub as a file synchronization tool for classified work, stored plaintext passwords in CSV files, and went undetected for six months in an agency whose entire mandate is cybersecurity. CISA has lost nearly a third of its workforce since early 2026, and the incident reflects the operational risks that accompany understaffed security organizations. Canadian CISOs should consider how similar contractor oversight gaps might exist in their own environments.
For organizations operating under PIPEDA, Bill C-26, or OSFI B-13 obligations, this story is a useful reference point: third-party contractors and access management controls are not a secondary concern. They are a primary attack surface.
What to Do
Review all third-party contractor access to cloud environments and internal repositories. Audit GitHub organizations for disabled secret-scanning settings. Enforce organization-level policies that prevent contributors from turning off default security controls. Rotate any credentials shared with US federal partners or derived from CISA-distributed tooling as a precautionary step. Audit Artifactory and similar internal artifact repositories for unauthorized access or package modifications going back to November 2025. If your organization uses CISA advisories as a direct input to patch prioritization, continue doing so — the advisory content itself is not compromised — but treat this event as a reminder to verify the integrity of any software assets sourced from or through US federal infrastructure.
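Two of the checks above, auditing repositories for disabled secret scanning and catching plaintext cloud credentials before they are committed, can be scripted. The following is an added example written for this brief; it is not code from CISA, Nightwing, GitGuardian, or Krebs on Security. It assumes repository records in the shape the GitHub REST API returns for a repository (the `security_and_analysis` block with `secret_scanning` and `secret_scanning_push_protection` statuses), and the repository records and the CSV it scans are constructed sample data using fake values.

```python
"""
Added example (not from the original article or from CISA/Nightwing): two defensive
checks that follow from the incident above.

1. audit_secret_scanning(): given repository objects in the shape the GitHub REST API
   returns for a repository (the `security_and_analysis` block), flag repositories
   where secret scanning or push protection is not enabled.
2. find_plaintext_aws_keys(): scan text (for example a CSV of stored credentials) for
   AWS access key IDs so a pre-commit hook can block the commit.

The repository records and the CSV below are constructed sample data.
"""
import re
from typing import Iterable

# AWS access key IDs are 20 characters: a 4-letter prefix (AKIA for long-term IAM
# user keys, ASIA for temporary STS keys) followed by 16 uppercase alphanumerics.
AWS_ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")

# Constructed sample: a subset of the fields the GitHub API returns per repository.
SAMPLE_REPOS = [
    {
        "full_name": "example-org/infra-deploy",
        "visibility": "public",
        "security_and_analysis": {
            "secret_scanning": {"status": "disabled"},
            "secret_scanning_push_protection": {"status": "disabled"},
        },
    },
    {
        "full_name": "example-org/website",
        "visibility": "public",
        "security_and_analysis": {
            "secret_scanning": {"status": "enabled"},
            "secret_scanning_push_protection": {"status": "enabled"},
        },
    },
    {
        "full_name": "example-org/legacy-scripts",
        "visibility": "private",
        # Field absent: treat an unknown state as a finding rather than assuming it is on.
    },
]


def audit_secret_scanning(repos: Iterable[dict]) -> list[dict]:
    """Return one finding per repository whose secret scanning or push protection
    is not reported as enabled. Missing data is reported as a finding too."""
    findings = []
    for repo in repos:
        sa = repo.get("security_and_analysis") or {}
        scanning = (sa.get("secret_scanning") or {}).get("status", "unknown")
        push = (sa.get("secret_scanning_push_protection") or {}).get("status", "unknown")
        if scanning != "enabled" or push != "enabled":
            findings.append({
                "repo": repo["full_name"],
                "visibility": repo.get("visibility", "unknown"),
                "secret_scanning": scanning,
                "push_protection": push,
            })
    # Public repositories with scanning off are the highest-risk combination, so list them first.
    findings.sort(key=lambda f: (f["visibility"] != "public", f["repo"]))
    return findings


def find_plaintext_aws_keys(text: str) -> list[tuple[int, str]]:
    """Return (line_number, key_id) for every AWS access key ID found in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in AWS_ACCESS_KEY_RE.findall(line):
            hits.append((lineno, match))
    return hits


# Constructed sample CSV of the kind described in the article (fake values; the
# key ID is the placeholder AWS uses in its own documentation).
SAMPLE_CSV = """system,username,password,notes
build-server,svc-build,Winter2025!,rotate quarterly
aws-govcloud-admin,AKIAIOSFODNN7EXAMPLE,wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY,prod
artifactory,deployer,hunter2,
"""

if __name__ == "__main__":
    for f in audit_secret_scanning(SAMPLE_REPOS):
        print(f"[secret-scanning] {f['repo']} ({f['visibility']}): "
              f"scanning={f['secret_scanning']} push_protection={f['push_protection']}")
    for lineno, key in find_plaintext_aws_keys(SAMPLE_CSV):
        print(f"[credential] line {lineno}: AWS access key ID {key}")
```

In practice the repository records would come from listing the organization's repositories through the GitHub API, and the key scanner would run as a pre-commit or pre-receive hook so the commit is rejected rather than merely reported. Treating a missing `security_and_analysis` block as a finding matters: a repository with no data is not the same as a repository with scanning confirmed on.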
Source: Krebs on Security