Fri, May 22

Just when we thought CISA might be doing better…

Chris Hughes’ newsletter today started with this discussion of something I’d read about this week, but didn’t realize the full implications of:

I want to be careful about how I frame this because it is genuinely painful. A contractor working for Nightwing, based in Dulles, Virginia, maintained a public GitHub repository called “Private-CISA” from November 2025 through mid-May 2026.

The repository contained AWS GovCloud administrative credentials, dozens of internal CISA system usernames and passwords in plaintext, and files literally named “importantAWStokens.”

The administrator had disabled GitHub’s default secret detection. GitGuardian researcher Guillaume Valadon called it “the worst leak that I’ve witnessed in my career.” Congress is now demanding a classified briefing.

For the agency responsible for securing federal cybersecurity infrastructure, this is the kind of incident that erodes institutional credibility. The exposed credentials were reportedly still valid 48 hours after the repository was taken down. As I have been writing since Cybersecurity First Principles, the basics remain the hardest part. No amount of frontier AI capability matters if the people operating the infrastructure leave the keys in the open.

Tom Alrich’s Blog, too, is a reader-supported publication. You can view new posts for two months after they come out by becoming a free subscriber. You can also access all my 1300 existing posts dating back to 2013, as well as support my work, by becoming a paid subscriber for $30 for one year (and if you feel so inclined, you can donate more than that or become a founding subscriber for $100). Whichever option you choose, please subscribe.

If you would like to comment on what you have read here, I would love to hear from you. Please comment in my chat or email me at [email protected].
