← Threat Intelligence
Government Cloud Breach

844 MB of Live Government Secrets Sat in a Public GitHub Repo for Months

Matt Lucas  |  May 27, 2026  |  5 min
// exposure window
6 months
Live government cloud secrets sat in a public GitHub repo while 7 scanner alerts went ignored.
Nov 2025 · repo goes publicMay 14 · found
844 MBLive credentials exposed
3CISA GovCloud environments reachable
48 hrsTo revoke the keys once a human looked
NIGHTWING CONTRACTOR T1552.001 Private-CISA PUBLIC · 844 MB 200+ commits · 6 months 7 alerts IGNORED AWS GovCloud S3 · EC2 · Secrets Entra ID SAML signing certs FULL ADMIN 3 GovCloud envs T1078.004 · T1580 ① leak source ② public repo · 6 mo ③ credentials exposed ④ full cloud access
TL;DR
  • What: A Nightwing contractor working for CISA stored 844 MB of live government credentials in a public GitHub repo named "Private-CISA" for six months, ignoring 7 GitGuardian scanner alerts.
  • Impact: Researchers confirmed full administrative access to three CISA AWS GovCloud environments (S3, EC2, Secrets Manager) plus Entra ID SAML signing certificates; keys were plaintext and labeled.
  • Fix / mitigation: Repo taken down within an hour of direct notification via journalist Brian Krebs; AWS GovCloud keys revoked within 48 hours; no confirmed compromise, though six months of CloudTrail evidence is required to be certain.
  • Who's at risk: Any organization whose contractors or employees use personal GitHub accounts as file-sync tools and whose SIEM does not retain full-fidelity cloud audit logs across the entire exposure window (MITRE T1552.001, T1078.004, T1580).

A contractor employed by Nightwing, a Virginia cybersecurity firm, was working for the U.S. Cybersecurity and Infrastructure Security Agency (CISA). Since November 2025, that contractor had been using a public GitHub repository, named "Private-CISA," as a personal scratchpad to sync files between two computers. They appear not to have realized it was public.

On May 14, 2026, GitGuardian researcher Guillaume Valadon found it: 844 MB of live, active government credentials sitting in the open. "At first, I really thought it was fake and a hoax, because everything was so bad," he said. Over 200 commits had piled up over six months, and GitGuardian's platform had already tried to reach the account holder seven times. Every alert was ignored.

contractor / Private-CISA ● Public 844 MB
📁ENTRA ID - SAML Certificates/SSO signing certs
📁Backup-April-2026/Personal + travel docs
📄Important AWS Tokens.txtGovCloud keys
📄external-secret-repo-creds.yamlSecrets Manager
🔑passwords · GitHub tokensPlaintext
200+
Commits in 6 months
7
Scanner alerts ignored
Full
Admin: S3 / EC2 / Secrets
1 hr
From notice to takedown

What was actually exposed

This was not stale test data. Independent researcher Philippe Caturegli, CEO of Seralys, validated the credentials and confirmed he could reach three CISA AWS GovCloud environments with full administrative access to S3 buckets, EC2 instances, and Secrets Manager. "We refrained from exploiting anything beyond what was in the public repo," he noted. The takeaway from both researchers was the same: minimal recon was required. The keys were labeled, plaintext, and live.

Once CISA was directly notified (after an automated disclosure channel went nowhere and the researchers escalated through journalist Brian Krebs), the repository came down within an hour. The AWS keys were revoked within 48 hours. CISA stated there is "currently no indication that any sensitive data was compromised."

The Pattern, Not the Person

Valadon's diagnosis applies far beyond one contractor: "By going fast, you don't apply rules, you hardcode the secrets, and they stay alive forever." Hardcoded credentials in a convenience repo is one of the most common ways live secrets escape an organization, public sector or not.

The exposure is only half the story

Stopping the upload is a code-hygiene problem, and tools like GitGuardian's secret scanning are built for exactly that. But scanning only matters if someone acts on it, and here seven alerts were ignored for six months. The harder, scarier question is the one defenders have to answer after a leak like this:

Were these keys ever used by someone who should not have had them?

Answering that means looking at six months of cloud audit logs for the leaked identities and asking whether anything anomalous happened. Most organizations cannot answer it, because retaining six months of full-fidelity AWS CloudTrail in a traditional SIEM is brutally expensive, so they sample it, age it out, or never onboard it at all.

How caver would have caught this

caver does not stop a contractor from pushing secrets to GitHub. Nothing in a SIEM does. What caver changes is everything that happens next, on two fronts.

1. The ignored alerts become a ranked notable, not noise

caver lands GitHub audit logs and secret-scanner findings in the same OCSF lake as your cloud telemetry. Its risk-based alerting layer (CAVERN) attaches a risk score to a repo that flips public, to a scanner hit on a credential file, and to an account that dismisses the same finding repeatedly. Seven ignored alerts do not stay seven low-priority emails. They aggregate into one high-risk notable that surfaces in the analyst queue and pages someone.

2. The credential abuse gets caught, even months later

Because caver writes CloudTrail as cheap OCSF Parquet to your own S3-compatible storage instead of a per-GB indexer, keeping six (or eighteen) months of full-fidelity cloud audit is affordable. When a key leaks, you can run one SPL query over the entire exposure window and see every place that key was used: new source ASNs and geographies, impossible travel, first-time API calls, and the classic post-compromise recon burst of ListBuckets, DescribeInstances, and GetSecretValue. Same SPL, your data, retroactively.

Why retention is the real control

The difference between "no indication of compromise" as a hope and as a fact is whether you kept the logs to prove it. caver's economics make long-horizon retention the default, so the six-month question is answerable on day one of the incident, not abandoned because the data already aged out.

Could you answer the six-month question?

caver is an enterprise SIEM on an OCSF lakehouse. It speaks SPL, runs on your own storage, and makes long-horizon retention affordable, so when credentials leak you can prove what happened, not just hope. See how it fits your stack.

Explore caver →

Bottom line

A labeled bag of live government keys sat in public for six months while seven alerts went unread. The cleanup was fast once a human finally looked. But "no indication of compromise" is only reassuring if you have the logs to back it, across the whole window the secrets were exposed. Secret scanning tells you a key leaked. Affordable, long-retention detection tells you whether it cost you anything. You need both.

Worried about secrets sprawl in your environment?

RedEye Security assesses credential exposure, cloud audit coverage, and detection gaps for organizations that need to understand their real risk.

Talk to us