CISA contractor (Nightwing) exposed AWS GovCloud admin keys and internal credentials in public GitHub repo for ~6 months
From CTI Daily Brief — 2026-05-19 · published 2026-05-19
A Nightwing government contractor used a public GitHub repository named "Private-CISA" as a personal sync mechanism between work and home machines, exposing highly privileged credentials for CISA / DHS infrastructure from approximately 2025-11-13 to 2026-05-15, about six months (Krebs on Security, 2026-05-18; Gizmodo, 2026-05-19). GitGuardian researcher Guillaume Valadon surfaced the repository on 2026-05-15. Exposed material included administrative credentials for three AWS GovCloud accounts, plaintext usernames and passwords for dozens of internal CISA systems (in a file named AWS-Workspace-Firefox-Passwords.csv), SSH keys and cloud tokens, and credentials to CISA's internal Artifactory code-package repository ("LZ-DSO", Landing Zone DevSecOps). The contractor had deliberately disabled GitHub's default push-protection secret scanning. Independent researcher Philippe Caturegli (Seralys) validated the AWS keys against live GovCloud accounts at high privilege and confirmed they remained valid for at least 48 hours after the repository was taken down. CISA acknowledged that a roughly one-third workforce reduction from buyouts and resignations under the Trump administration may have weakened oversight of contractor behaviour.
Why it matters to us: Caturegli identified the Artifactory access as the highest-impact exposure, because write access to a national cybersecurity agency's build-package repository would enable backdoor insertion into anything CISA built or deployed (T1195.002 Supply Chain Compromise: Compromise Software Supply Chain). The transferable lesson for EU/CH national CERT operators is independent of US politics: contractors and integrators with write access to NCSC / BSI / ANSSI build pipelines must be subject to organisation-level GitHub push protection that administrators cannot disable, mandatory short-lived OIDC role assumption (no long-lived AWS keys), Artifactory access-log SIEM integration with off-hours bulk-download anomaly detection, and quarterly secret-scanning sweeps of contractor personal repos under contract. Related techniques: T1552.001 (Credentials In Files) / T1552.004 (Private Keys).
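One way to implement the off-hours bulk-download anomaly detection recommended above, as an added example that is not from the brief, from Nightwing or from any vendor: a Python detector run over constructed Artifactory-style access-log lines. The log line format, the account names, the off-hours window, the thresholds and the allowlisted CI account are assumptions; real deployments should adapt the pattern to the access.log format their Artifactory version writes.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Pattern for the Artifactory-style access.log lines constructed below (assumption:
# adapt it to the exact format your Artifactory version writes).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \[(?P<status>ACCEPTED|DENIED) (?P<action>DOWNLOAD|UPLOAD|DEPLOY)\] "
    r"(?P<path>\S+) for client : (?P<user>\S+) / (?P<ip>\S+?)\.?$"
)

def parse_line(line):
    """Parse one access-log line into a dict (UTC timestamp), or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
    return rec

def is_off_hours(ts, start_hour=20, end_hour=6):
    """True when a UTC timestamp falls in the off-hours window [start_hour, end_hour)."""
    return ts.hour >= start_hour or ts.hour < end_hour

def detect_bulk_downloads(lines, threshold=20, window_minutes=10,
                          allow=frozenset({"ci-runner"})):
    """Return sorted (user, window_start_iso, distinct_artifacts) for every account that
    pulled more than `threshold` distinct artifacts inside one fixed window during
    off-hours. `allow` names known CI service accounts whose bulk pulls are expected."""
    buckets = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["status"] != "ACCEPTED" or rec["action"] != "DOWNLOAD":
            continue
        if rec["user"] in allow or not is_off_hours(rec["ts"]):
            continue
        ts = rec["ts"]
        window = ts.replace(minute=ts.minute - ts.minute % window_minutes, second=0, microsecond=0)
        buckets[(rec["user"], window)].add(rec["path"])
    return sorted((u, w.isoformat(), len(p)) for (u, w), p in buckets.items() if len(p) > threshold)

def sample_lines():
    """Constructed sample: a human account bulk-pulling at 02:14 UTC (should fire), a CI
    account doing the same at 03:00 (allowlisted), the same human in daytime, one junk line."""
    fmt = "2026-05-10T{h:02d}:{m:02d}:{s:02d}.000Z [ACCEPTED DOWNLOAD] libs-release-local:{path} for client : {user} / {ip}."
    lines = [fmt.format(h=2, m=14, s=i, path=f"com/ex/pkg{i}/1.0/pkg{i}-1.0.jar", user="j.doe", ip="10.0.0.5") for i in range(25)]
    lines += [fmt.format(h=3, m=0, s=i, path=f"org/ci/dep{i}/2.1/dep{i}-2.1.jar", user="ci-runner", ip="10.0.1.9") for i in range(30)]
    lines += [fmt.format(h=14, m=5, s=i, path=f"com/ex/pkg{i}/1.0/pkg{i}-1.0.jar", user="j.doe", ip="10.0.0.5") for i in range(25)]
    return lines + ["this line is not an access-log record"]
```

Counting distinct artifact paths rather than raw requests keeps retries of one download from inflating the count, and the allowlist is the knob that separates expected nightly CI pulls from a human account draining the repository.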