LIVE · cybersecurity feed
breach

Lawmakers Demand Answers as CISA Tries to Contain Data Leak

zeroday.news·47d ago

Lawmakers on Capitol Hill are demanding answers from the U.S. Cybersecurity & Infrastructure Security Agency (CISA) following a report that a contractor intentionally exposed a significant amount of sensitive agency data, including AWS GovCloud keys, on a public GitHub account. The breach has prompted an inquiry from both houses of Congress as CISA works to mitigate the fallout and revoke the compromised credentials.

The incident came to light when a CISA contractor, who had administrative access to the agency's code development platform, created a public GitHub profile named "Private-CISA." This profile contained plaintext credentials for numerous internal CISA systems. Security experts who examined the repository noted that the contractor had disabled GitHub's built-in safeguards designed to prevent the accidental publication of sensitive information in public repositories.

While CISA has acknowledged the data leak, the agency has not provided details on how long the exposed information remained accessible. However, analysis of the now-removed "Private-CISA" archive suggests it was established in November 2025 and appeared to function as a personal workspace or synchronization tool for an individual rather than a formal project repository.

In response to the breach, CISA issued a statement asserting that there is no indication of sensitive data compromise as a result of the incident. However, this statement has not quelled concerns from lawmakers. Senator Maggie Hassan, in a letter to CISA's Acting Director Nick Andersen, expressed serious reservations about how such a security lapse could occur within an agency tasked with protecting against cyber threats. She highlighted the incident's implications for CISA's internal policies and procedures, particularly in the context of ongoing cybersecurity threats targeting U.S. critical infrastructure.

Echoing these concerns, Representative Bennie Thompson, ranking member of the House Homeland Security Committee, and Representative Delia Ramirez, ranking member of the Subcommittee on Cybersecurity and Infrastructure Protection, also communicated their worries to CISA leadership. They suggested the incident might reflect a weakened security culture or inadequate oversight of contractor support, noting that adversaries like China, Russia, and Iran actively seek access to federal networks. The information exposed in the "Private-CISA" repository, they argued, could provide a roadmap for such actors.

More than a week after CISA was initially alerted to the leak by the security firm GitGuardian, the agency was reportedly still in the process of invalidating and replacing many of the exposed keys and secrets. Dylan Ayrey, creator of the open-source tool TruffleHog, which detects secrets in code, reported that a critical RSA private key granting access to a CISA enterprise-owned GitHub app remained un-invalidated. This key, he explained, provided broad access to all code repositories within the CISA-IT organization, allowing an attacker to read source code, deploy malicious code, and alter repository settings. CISA stated it was coordinating with vendors to rotate and invalidate any identified leaked credentials.

Ayrey's company, Truffle Security, monitors public code platforms for exposed secrets. He noted that while his company uses GitHub's public feed of code commits to identify and alert affected parties, malicious actors also monitor this data stream for vulnerabilities. The "Private-CISA" repository exposed dozens of plaintext credentials to critical CISA GovCloud resources, with some of the most sensitive disclosures appearing to have occurred in late April 2026. Ayrey indicated that evidence suggests attackers also monitor these public data feeds.

Experts suggest that while organizations can implement top-down policies to prevent employees from disabling GitHub's security features for official repositories, preventing individuals from using personal accounts for unauthorized data storage remains a challenge. This type of incident, they noted, may represent a human element issue rather than a purely technical one, especially if the contractor's actions occurred outside of CISA's managed environment and visibility.

breachcloud
← Back to latest

More News

view all →
zeroday.news · 3h ago·high

China-Linked APT Expands Arsenal With New ‘Leash’ Backdoors

A China-linked advanced persistent threat (APT) group, identified as LapDogs, has reportedly enhanced its malicious toolkit. Security researchers have observed the deployment of three new backdoors: LongLeash, DogLeash, and JarLeash, which are designed to compromise small office/home office (SOHO) routers.

zeroday.news · 3h ago·high

RedWing Android Spyware Sold as a Service on Telegram

A new Android spyware called RedWing is being offered as a service on Telegram, allowing less sophisticated attackers to compromise phones and steal banking information. Researchers have identified it as a polished malware-as-a-service operation with extensive documentation and a subscription model, potentially linked to Russian threat actors. RedWing employs fake login overlays, SMS interception, call forwarding, and even screen control to harvest credentials and conduct further malicious activities.

zeroday.news · 3h ago·high

Operationalizing Day Minus Seven: The Cloud-Native ROC

The article introduces the concept of a Risk Operations Center (ROC) as a necessary evolution for cybersecurity teams facing AI-driven threats. It argues that traditional risk management models are insufficient due to the speed at which AI can discover and exploit vulnerabilities, especially in cloud environments. A ROC, powered by platforms like Qualys Enterprise TruRisk Management (ETM), aims to unify disparate security findings, hyper-prioritize risks based on exploitability and business impact, and enable autonomous remediation to keep pace with attackers.

zeroday.news · 4h ago·critical

Ubiquiti Patches Critical UniFi Flaws Across Connect, Talk, Access, Protect, and OS

Ubiquiti has released security updates to address several critical vulnerabilities affecting its UniFi product line, including UniFi Connect, Talk, Access, Protect, and OS. These flaws could allow attackers to escalate privileges or execute arbitrary commands on affected devices. While no active exploitation has been reported for these specific vulnerabilities, the company has previously seen its UniFi OS and Edge OS products targeted by threat actors.

zeroday.news · 4h ago·high

Armored Likho Hits Government, Energy Sectors With BusySnake Stealer

Cybersecurity researchers have identified a new threat actor, dubbed Armored Likho, targeting government and energy sectors in Russia, Kazakhstan, and Brazil with a sophisticated phishing campaign. The operation utilizes a custom-built Python infostealer named BusySnake, designed to steal credentials, sensitive documents, and other high-value data. The attackers employ AI-generated payloads to obscure their activities and maintain persistence through various methods, including reverse SSH tunneling.

zeroday.news · 4h ago·critical

Attackers using Langflow flaw for credential harvesting (CVE-2026-55255)

CISA has issued a warning regarding a critical vulnerability (CVE-2026-55255) in the Langflow AI framework, which is being actively exploited by attackers. The flaw allows authenticated users to execute arbitrary flows belonging to other users, potentially leading to the theft of sensitive credentials and data exposure, especially in multi-tenant environments. US federal agencies have been mandated to patch this vulnerability by July 10th.