Shadow Tier cyber intelligence
Back to overview
nightwing.com
Signal preview
Confidence MediumMay 29, 2026nightwing.com

CISA Contractor Nightwing Exposed Sensitive Government Credentials on Public GitHub

PatternExternal actor · Hacking · Confidentiality impact

A public GitHub repository named 'Private-CISA', maintained by a contractor from Nightwing, a government defense contractor, was found to have exposed highly sensitive internal credentials and systems used by the US Cybersecurity and Infrastructure Security Agency (CISA). The repository, publicly accessible from November 13, 2025, until May 18, 2026, contained 844 MB of CISA's internal DevSecOps infrastructure, including administrative credentials for AWS GovCloud accounts, plaintext usernames and passwords for internal CISA systems, SSH keys, and an RSA private key. The contractor reportedly disabled GitHub's default secret-scanning push protections. Public reporting and analysis of the exposure occurred around May 18-29, 2026.

Signal date
May 29, 2026
Updated
Jun 24, 2026
Confidence
Medium
Sources
2 sources
nightwing.com logo

Nightwing

Sector
Public Administration
Signals
1 linked
Scan this company

Signal context

First seen: May 29, 2026

Last updated: Jun 24, 2026

Status: Public signal

Key points

  • Public GitHub repository 'Private-CISA' maintained by a Nightwing contractor.
  • Exposed 844 MB of CISA's internal DevSecOps infrastructure.
  • Included AWS GovCloud credentials, plaintext passwords, SSH keys, RSA private key.

Signal analysis

Beta

This analysis groups the signal by industry, likely incident action and impacted security area. It helps compare this signal with other published signals without treating the labels as final determinations.

Affected organization
Nightwing logo
Nightwing

Sector: Public Administration

Likely country: 🇺🇸 US

inferred from signal text

    Estimated
    Threat source
    Hacking activity

    The feed marks multiple actor roles. Treat this as a review signal rather than a final attribution.

    • Source type: outside the affected organization
    • Source type: possible insider or internal misuse
    Business impact
    Potential data exposure

    Impact area: Confidentiality

    Likely asset: User or customer data, Server or cloud data store

    Trend context
    74 signals with similar action pattern
    • 2 signals in the same sector
    • 95 signals with the same likely impact area
    • 1 signal linked to this organization/domain
    Mentioned entities
    NightwingData DisclosureCISA Contractor Nightwing Exposed SensitiveGovernment CredentialsPublic GitHub AGitHubPrivate-CISANightwingAgencyCISA

    External sources

    Related signals

    Grouped by why the signal is relevant.

    ants.gouv.fr logoAntsApr 15, 2026
    Same sectorSame action patternSame impact area

    French Government Agency ANTS Detects Security Incident, Citizen Data Potentially Exposed

    On April 15, 2026, the Agence Nationale des Titres Sécurisés (ANTS), a French government agency responsible for administrative documents, detected a security incident. A threat actor, 'breach3d', later claimed the attack on hacker forums, alleging to possess up to 19 million records containing citizen data, including login IDs, full names, email addresses, dates of birth, unique account identifiers, and potentially postal addresses and phone numbers. ANTS confirmed the incident and is notifying affected individuals.

    gong.io logoGongJun 24, 2026
    Same action patternSame impact area

    Gong Customer Data Exposed in Klue Supply Chain Attack

    Gong, a revenue intelligence platform, was among the organizations impacted by the Klue supply chain attack. The incident involved unauthorized access to customer data within Salesforce environments, due to compromised OAuth tokens from the Klue platform. The Icarus extortion group claimed responsibility for the attack.

    insurity.com logoInsurityJun 24, 2026
    Same action patternSame impact area

    Insurity Customer Data Exposed in Klue Supply Chain Attack

    Insurity, a leading provider of cloud-based software for insurance carriers, was impacted by the Klue supply chain attack. The incident involved unauthorized access to customer data within Salesforce environments, due to compromised OAuth tokens from the Klue platform.

    hackerone.com logoHackeroneJun 24, 2026
    Same action patternSame impact area

    HackerOne Affected by Klue Supply Chain Attack

    Cybersecurity firm HackerOne was among the organizations impacted by the Klue supply chain attack, which involved unauthorized access to customer data within Salesforce environments. The attack leveraged compromised OAuth tokens from the Klue platform.

    sproutsocial.com logoSproutsocialJun 24, 2026
    Same action patternSame impact area

    Sprout Social Data Compromised in Klue Supply Chain Attack

    Sprout Social, a social media management platform, was among the companies affected by the Klue supply chain attack. The incident led to unauthorized access to customer data within Salesforce environments, due to compromised OAuth tokens from the Klue platform. The Icarus extortion group claimed responsibility for the attack.

    jamf.com logoJamfJun 24, 2026
    Same action patternSame impact area

    Jamf Customer Data Exposed in Klue Supply Chain Attack

    Jamf, a provider of Apple device management solutions, was impacted by the Klue supply chain attack. The incident involved unauthorized access to customer data stored in Salesforce instances, stemming from compromised OAuth tokens from the Klue platform. The Icarus extortion group claimed responsibility for the attack.