Root Access: Behind the scenes of the CISA GitHub leak with security researcher Philippe Caturegli
If you’re a regular reader of Root Access, you know the column offers a behind-the-scenes look into the important, yet often underappreciated world of IT with a focus on the dedicated professionals who make everything in our connected, digital world possible.
In a recent Root Access article on discovering your career sweet spot, I discussed a key to unlocking job happiness: Finding the overlap between what you love doing, what you excel at, and what employers and clients are willing to pay for.
Recently I had the opportunity to chat with a prominent security researcher who embodies this concept, operating in a career sweet spot that aligns across all three dimensions in the hot cybersecurity job market.
READ MORE: Why 6G demands a network infrastructure and security overhaul?
Meet Philippe Caturegli, penetration tester.
Philippe Caturegli is a self-described “Chief Hacking Officer” who followed his curiosity into a role as a sysadmin before pursuing his passion for offensive security, a.k.a. penetration testing.
As part of his work running his security firm Seralys, Caturegli regularly investigates vulnerabilities, leaks, and breaches. His work in the field has led to collaborations with prominent names in security, including Kevin Mitnick and Brian Krebs.
Recently, Caturegli was a key player in the investigation of the leak of data and credentials belonging to the Cybersecurity and Infrastructure Security Agency (CISA), which ironically is the U.S. government agency whose mission is to “lead the national effort to understand, manage, and reduce risk to our cyber and physical infrastructure.”
So what lessons can we learn from this incident, where the organization that’s supposed to keep everyone safe from cyberthreats made a serious security blunder? Find out in this edition of Root Access, the first in a multi-part series containing insights from my interview with penetration tester Philippe Caturegli.
Behind the scenes of the 2026 CISA leak
The story of the CISA leak broke on the prominent security news site, Krebs on Security. In May 2026, Krebs reported: “A contractor for the Cybersecurity & Infrastructure Security Agency (CISA) maintained a public GitHub repository that exposed credentials to several highly privileged AWS GovCloud accounts and a large number of internal CISA systems.” The leak included, among other things, numerous passwords in plain text.
READ MORE: The hidden network cost of going all-in on AI
Krebs didn’t come to this conclusion alone. While he’s a skilled journalist with a strong grasp of security (not to mention a well-received SpiceWorld keynote speaker, way back in 2019) who reports on the topic in a factual, interesting, and informative way, for the deep technical validation these investigations require, he often leans on security experts like Philippe Caturegli.
Caturegli didn’t initially discover the CISA leak; that was Guillaume Valadon of GitGuardian, a platform that monitors public GitHub commits via real-time APIs. But because GitGuardian doesn’t do penetration testing, Caturegli was called in to play an instrumental role in investigating the issue further.
Per my interview with Caturegli: “Krebs reached out for help because I did some work with him before… on internal domain collision.” This time around, when Caturegli dug deeper on the CISA leak, he found sloppy work and carelessness on the part of the contractor. “I wanted to confirm how bad it was and if it was actually legit. It was so bad that initially we thought that either CISA was already compromised and somebody pushed like all their secrets or it was just a fake… so I tested them, and I realized that there was a lot of access, and it was totally legit, and it was actually an employee that used GitHub as kind of a backup and leaked all their secrets without realizing. I think they never realized that the repo was public.” (Editor’s note: On July 9, 2026, CISA issued a public statement regarding the incident.)
When I asked Caturegli more about the nature of this repository, the situation sounded even worse because the personal docs of the employee working for the contractor were also exposed on GitHub: “He had his pay slips in there, internal documentation, his health insurance, his W2. So it was not only secrets from CISA, it was pretty much a backup of his laptop, of his personal files.”
This retelling doesn’t capture the severity of this leak. In his own LinkedIn post, Caturegli didn’t hold back: “I have seen a lot of bad leaks in public GitHub repos since Eric Fourrier and Jérémy Thomas founded GitGuardian in 2017, but I think this one takes the gold medal.”
How bad was it? In a follow-up article four days after the initial report of the leak, Krebs reported that the “CISA repo showed the contractor also used easily-guessed passwords for a number of internal resources; for example, many of the credentials used a password consisting of each platform’s name followed by the current year. Caturegli said such practices would constitute a serious security threat for any organization even if those credentials were never exposed externally.”
Worse, according to Krebs, “the commit logs for the code repository showed the CISA contractor disabled GitHub’s built-in protection against publishing sensitive credentials in public repos.”
Why did CISA drop the ball so badly?
How could an organization dedicated to protecting individuals from cybersecurity threats make such big security blunders itself? And what lessons can we learn from this case, where those tasked with safeguarding a nation from cyberthreats itself don’t follow their own best practices?
Krebs weighed in on a potential root cause: “CISA is currently operating with only a fraction of its normal budget and staffing levels. The agency has lost nearly a third of its workforce since the beginning of the second Trump administration, which forced a series of early retirements, buyouts, and resignations across the agency’s various divisions.”
When I asked Caturegli about this situation, he offered additional nuance on how budget and staffing cuts likely affected CISA, and he thinks a lack of oversight seems a likely culprit: “If nobody’s there to police what the contractors are doing, I mean, they (the contractors) don’t care, they just want to do their job and then move on to the next one.”
Caturegli also mentioned that the particular security contractor tied to the CISA leak, Nightwing, had a history of having to pay fines for non-compliance with security practices. In May 2025, Nightwing (along with its former parent, RTX) agreed to pay $8.4 million to resolve U.S. Department of Justice False Claims Act allegations that they failed to meet cybersecurity requirements on federal contracts. He also suspects that this wasn’t just a one-off issue where one individual made a mistake, it was likely a more systemic problem and a lack of care.
In our interview, Caturegli commented: ”Honestly, looking at the log or the repo, there’s this one user that made a mistake. But you could see that there were some configuration files from another user… They are sharing files left and right and passwords in clear text, and everybody has access, which I understand… it’s a contractor. They just want to do the job as fast as possible so they can make more profit.”
CISA’s delayed response to their data leak
Finding a leak or breach is only half the battle. As a security professional, the next step is helping the organization after the fact, or in some cases, convincing them that they need to do something about it at all.
In my chat with Caturegli, he said that one of the most frustrating parts of being a security researcher when privately reporting a security issue to an affected party is when that party doesn’t take steps to fully remediate it in a timely fashion.
This was the case with CISA. When GitGuardian initially tried to report the leak to CISA, according to Caturegli, “They didn’t do anything. So, he reached out to Krebs, and then Krebs reached out to me.”
Recognizing the severity of the leak, Caturegli and Krebs both reached out to personal contacts within CISA. And Caturegli made sure that his message contained a strong enough signal to cut through the noise of notifications CISA must receive every day to compel them to take action: “When I sent the screenshots to my contact at CISA with all the internal EC2 instances and the S3 buckets, it definitely got more attention and faster remediation.” Note: Caturegli is quick to point out that part of his ethical research process is to only save metadata from the leaks he discovers (e.g., usernames, machine names, and IP addresses) to demonstrate the severity and risk of an issue, but not the actual content or the data.
Now aware of the risk and escalating the issue through the right channels, when CISA started with remediation efforts, they still dragged their feet. According to Krebs: “The GitHub account that included the private CISA repo was taken offline shortly after both KrebsOnSecurity and Seralys notified CISA about the exposure. But Caturegli said the exposed AWS keys inexplicably continued to remain valid for another 48 hours.”
And the delays went on even longer than that, which is dangerous, because anyone could have saved the files with the then-still-valid credentials posted to GitHub. According to Caturegli, “God knows who else had a copy of this repo. Obviously there were some other people because after the first article from Krebs, other people reached out to say, ‘Hey, this key is still valid a week later.’ So we knew that other people mirrored or copied the repo as well.”
Lessons learned from the breach: Advice for IT professionals
In summary, the CISA incident is an example of multiple systemic failures leading to a leak of some of an organization’s most valuable secrets. Employees working for a contractor were sharing clear-text credentials, using insecure passwords, and mixing personal information with sensitive company data. Then, when CISA was made aware of the leak and their compromised credentials, they were slow to act, with some resources remaining compromised for days or even weeks, at which point people with the credentials could have accessed key accounts.
Worse, CISA is a government agency whose reason for existing is to help organizations to better protect their data and secure their environments. The fact that the organization that is supposed to teach everyone how to reduce cybersecurity risk failed to practice what it preaches shows that leaks can happen to anyone, but it doesn’t inspire confidence as budget cuts diminish the agency’s capabilities.
In the words of Philippe Caturegli himself: “This would be an embarrassing leak for any company, but it’s even more so in this case because it’s CISA.”
In closing, Caturegli offers a key piece of advice for IT professionals. If your organization is caught in a similar situation where credentials are leaked, in order to avoid the same remediation delays and pitfalls CISA encountered, Caturegli emplores you to “revoke all your keys.” Make sure that all your secrets cannot be used, because that’s most critical. If you change the keys, it’s okay. (Hackers might) have the repo with the passwords, but the passwords are no longer valid.”
This article was originally published on July 1, 2026. It was last updated on July 9, 2026.