
A contractor for the United States Cybersecurity and Infrastructure Security Agency created a GitHub repository in November 2025. He named it "Private-CISA." He committed to it regularly for six months, using it to move files between his work laptop and his home computer. The files included administrative credentials to three AWS GovCloud servers. Plaintext usernames and passwords for dozens of internal CISA systems. Access keys to CISA's internal software build environment, the system the agency uses to develop, test, and deploy code.
The repository was public.
GitGuardian researcher Guillaume Valadon discovered it on May 15, notified the owner, received no response, and contacted Brian Krebs. The repository came down over the weekend. The AWS keys stayed valid for another 48 hours after it did.
Valadon has spent his career scanning GitHub for exactly this kind of exposure. He said this was the worst leak he had ever witnessed.
CISA said there is no indication that any sensitive data was compromised.
CISA is the agency responsible for securing the critical infrastructure of the United States.
What Was Actually Exposed
The exposed Artifactory credentials are the element that should keep security architects up at night. Artifactory is not just a password or a token. It is the repository for every software package CISA uses to build its internal systems. Credential access to Artifactory is access to the supply chain. A threat actor with those credentials, at any point in the six-month window, could have introduced a malicious package into the build pipeline. Every deployment from that environment forward would carry the payload. Every system built from it would be compromised before it went live.
Researcher Philippe Caturegli of Seralys validated that the exposed credentials authenticated to three AWS GovCloud accounts at high privilege levels. He also noted that many of the exposed passwords followed a pattern of the platform name plus the current year. That is not a password policy. That is the absence of one.
The contractor also explicitly disabled GitHub's default secret scanning feature before committing. The guardrail was there. Someone turned it off.
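As an added illustration (not code from the article, GitHub, or GitGuardian), the kind of local pre-commit check that catches the two artifacts the article describes: AWS access key IDs committed in plaintext, and passwords built from a platform name plus a year. The sample file, the platform list and the year range are constructed for the example.

```python
import re

# Constructed sample of a notes file with plaintext credentials, modelled on
# the exposure described above. Every value here is fake; the AWS key ID is
# the placeholder AWS uses in its own documentation.
SAMPLE = """\
artifactory_user = builder
artifactory_pass = Artifactory2025
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
jira: svc_jira / Jira2024
db_pass = xK9#vQ2!pL8m@rT4w
"""

# Long-term (AKIA) and temporary (ASIA) AWS access key IDs: prefix + 16 chars.
AWS_KEY_ID_RE = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")

# Assumed platform names and year range for the "platform + year" rule.
PLATFORMS = ("artifactory", "jira", "aws", "splunk", "jenkins")
YEARS = ("2023", "2024", "2025", "2026")


def platform_year_re(platforms=PLATFORMS, years=YEARS):
    """Match e.g. Artifactory2025 or jira_2024, case-insensitively."""
    alt = "|".join(re.escape(p) for p in platforms)
    yrs = "|".join(years)
    return re.compile(rf"\b(?:{alt})[-_.]?(?:{yrs})\b", re.IGNORECASE)


def scan_text(text, platforms=PLATFORMS, years=YEARS):
    """Return (line_no, rule, match) for every finding, in file order."""
    findings = []
    weak_pw = platform_year_re(platforms, years)
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in AWS_KEY_ID_RE.finditer(line):
            findings.append((line_no, "aws_access_key_id", m.group()))
        for m in weak_pw.finditer(line):
            findings.append((line_no, "platform_plus_year_password", m.group()))
    return findings


def should_block_commit(text):
    """A pre-commit hook would refuse the commit when anything is found."""
    return bool(scan_text(text))


if __name__ == "__main__":
    for line_no, rule, match in scan_text(SAMPLE):
        # Report only a prefix so the hook's own output does not leak the value.
        print(f"line {line_no}: {rule}: {match[:4]}...")
    raise SystemExit(1 if should_block_commit(SAMPLE) else 0)
```

The check is a local complement to, not a replacement for, GitHub's server-side secret scanning; it exists precisely so that one person turning off the hosted guardrail does not remove the only one.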
Where the Accountability Gap Lives
Nightwing, the contractor whose employee maintained the repository, declined to comment and directed inquiries to CISA. CISA directed responsibility to Nightwing and issued a statement saying there is no indication of compromise. Neither party has addressed why the AWS keys remained valid for 48 hours after public disclosure of a known breach. Neither party has addressed what access, if any, occurred during the six-month window before discovery. Neither party owns it.
This is not a story about one person's bad security hygiene, though the hygiene was genuinely catastrophic. It is a story about what happens when the controls that should catch individual failure are themselves absent. GitHub's secret scanning default was disabled and nobody flagged it. Long-lived AWS GovCloud credentials existed and nobody rotated them. A public repository named "Private-CISA" sat open for six months and nobody noticed until a commercial scanning company found it.
CISA has lost nearly a third of its workforce since the start of 2025. It has no Senate-confirmed director. It is operating under proposed budget cuts of $700 million. The people whose job it is to catch this kind of failure have been systematically removed. The institution meant to govern the security of critical infrastructure could not govern the security of its own build pipeline.
That is not an individual's mistake. That is an organizational condition made visible.
What Accountability Requires Here
Traceability demands a full accounting of what was accessed during the six-month exposure window, not a statement that there is no indication of compromise. Absence of detected access is not the same as confirmed absence of access. A public repository with valid credentials for six months does not generate indicators the same way an active intrusion does.
Response requires more than taking the repository down. Rotating credentials 48 hours after known public disclosure is not a response architecture. It is a delay that is itself a finding.
Transparency requires disclosing what the Artifactory exposure could have introduced into downstream systems. If CISA's build pipeline was a viable attack vector for any period of time, the organizations that consume CISA-developed tools and frameworks deserve to know that.
The repo was named "Private." It was public. The name is not irony. It is the accountability gap made visible in a single word.
Vordan publishes the Gap Alert when the intelligence warrants it. The Accountability Report publishes every Sunday. The doctrine is Accountable by Design.
