GitHub Leak Exposes CISA and DHS Credentials, Raises Security Concerns
Severity: High (Score: 70.0)
Sources: Biometricupdate, www.justice.gov
Keywords: nightwing, raytheon, group, resolve, allegations, github, exposed
Summary
A GitHub repository linked to Nightwing, a contractor for CISA, leaked credentials for AWS GovCloud accounts and internal systems of CISA and DHS. The exposure, attributed to a significant operational security failure, has prompted urgent requests for briefings from congressional leaders. Nightwing, previously part of Raytheon, has a history of cybersecurity compliance issues, including a recent $8.4 million settlement related to the False Claims Act. The incident raises questions about contractor oversight and the security of government software development processes. CISA's credibility is at stake as it advocates for stronger cybersecurity practices across federal and state agencies. The leak occurred amidst internal disruptions at CISA, which has seen a workforce reduction during the Trump administration.
Key Points:
- A GitHub leak exposed sensitive credentials for CISA and DHS systems.
- Nightwing, the contractor involved, has a history of cybersecurity compliance failures.
- Congressional leaders have requested urgent briefings regarding the incident.
Detailed Analysis
**Impact**
The exposure affected CISA and DHS internal systems, including highly privileged AWS GovCloud credentials and authentication tokens, potentially compromising federal cybersecurity operations. Approximately 2,200 CISA employees remain after significant workforce reductions, increasing operational risk. The leak originated from a public GitHub repository linked to Nightwing, a contractor with longstanding roles in federal cyber defense. The incident triggered urgent congressional briefings and raised concerns about contractor oversight and cloud access controls within U.S. critical infrastructure defense.

**Technical Details**
The leak involved a publicly accessible GitHub repository containing plaintext passwords, cloud keys, deployment logs, and internal documentation related to software build and deployment processes. The repository was tied to Nightwing employees supporting CISA, exposing credentials for AWS GovCloud and multiple internal systems. No specific malware, CVEs, or attack infrastructure were reported. The exposure represents a credential leak at the initial access and credential compromise stages of the kill chain.

**Recommended Response**
Immediately audit and rotate all exposed credentials, especially AWS GovCloud keys and internal authentication tokens. Enforce strict access controls and multi-factor authentication on cloud environments and code repositories. Conduct a comprehensive review of contractor security policies and software development pipelines to prevent public exposure of sensitive data. Monitor for unauthorized access attempts using the leaked credentials and review repository permissions to prevent future leaks.
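One way to carry out the monitoring step in the Recommended Response, as an added example that is not from the source articles: it scans CloudTrail records for every call signed with a known-exposed access key ID and marks whether the call came from a trusted network and whether it was denied. The key IDs (AWS documentation example values), the IP addresses (documentation ranges), the trusted CIDR and the function name are constructed for illustration.

```python
import ipaddress
import json

# Constructed sample: three CloudTrail-style records. Field names follow the
# CloudTrail record format; key IDs and IP addresses are placeholders.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2026-05-20T14:02:11Z", "eventName": "ListBuckets",
     "eventSource": "s3.amazonaws.com", "awsRegion": "us-gov-west-1",
     "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
    {"eventTime": "2026-05-20T14:05:40Z", "eventName": "ListUsers",
     "eventSource": "iam.amazonaws.com", "awsRegion": "us-gov-west-1",
     "sourceIPAddress": "203.0.113.77", "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
    {"eventTime": "2026-05-20T14:06:02Z", "eventName": "DescribeInstances",
     "eventSource": "ec2.amazonaws.com", "awsRegion": "us-gov-west-1",
     "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAI44QH8DHBEXAMPLE"}},
]})

def find_leaked_key_use(log_text, leaked_key_ids, trusted_cidrs):
    """Return one finding per API call signed with an exposed access key."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    findings = []
    for rec in json.loads(log_text).get("Records", []):
        key_id = rec.get("userIdentity", {}).get("accessKeyId")
        if key_id not in leaked_key_ids:
            continue
        src = rec.get("sourceIPAddress", "")
        try:
            addr = ipaddress.ip_address(src)
            in_trusted = any(addr in net for net in trusted)
        except ValueError:
            in_trusted = False  # field can hold an AWS service name, not an IP
        findings.append({
            "time": rec.get("eventTime"),
            "key": key_id,
            "call": f'{rec.get("eventSource")}:{rec.get("eventName")}',
            "source": src,
            "trusted_source": in_trusted,
            "denied": "errorCode" in rec,
        })
    return sorted(findings, key=lambda f: f["time"])

if __name__ == "__main__":
    for f in find_leaked_key_use(SAMPLE_LOG, {"AKIAIOSFODNN7EXAMPLE"}, ["198.51.100.0/24"]):
        print(f)
```

After rotation, any finding for a retired key is worth investigating; the `trusted_source` flag only helps order the triage.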
Source articles (2)
- Raytheon Companies And Nightwing Group Pay 84m Resolve False Claims Act Allegations Relating — www.justice.gov · 2026-05-21
  Raytheon Company (Raytheon), RTX Corporation, and Nightwing Group LLC, and Nightwing Intelligence Solutions LLC (collectively, Nightwing), have agreed to pay $8.4 million to resolve allegations that R…
- GitHub leak exposed CISA, DHS GovCloud keys, internal credentials — Biometricupdate · 2026-05-20
  A public GitHub repository tied to a contractor for the Cybersecurity and Infrastructure Security Agency (CISA) exposed credentials for highly privileged AWS GovCloud accounts and a wide range of inte…
Timeline
- 2026-05-20 — GitHub repository leak reported: Credentials for AWS GovCloud and internal CISA/DHS systems were exposed, linked to Nightwing contractor.
- 2026-05-20 — Congressional briefings requested: Sen. Maggie Hassan and House Democrats demanded urgent briefings from CISA regarding the leak.
- 2026-05-21 — Raytheon and Nightwing settlement announced: Raytheon and Nightwing agreed to pay $8.4 million to resolve False Claims Act allegations related to cybersecurity compliance.
Related entities
- Data Breach (Attack Type)
- United States (Country)
- CWE-200 - Exposure of Sensitive Information (CWE)
- CWE-798 - Use of Hard-coded Credentials (CWE)
- Government (Industry)
- GitHub (Platform)