DMZ//THREAT INTEL
FEED ACTIVELAST SYNC: 06:03:37ZSOURCES: 14CRITICAL: 15
⚠ ACTIVE ALERTS
SYLVANITE CRITICAL — SYLVANITE is a newly named Dragos-tracked threat group identified as a dedicated… /// @MsftSecIntel CRITICAL — We are tracking TeamPCP (UNC6780) activity following the GitHub internal repository… /// @GossiTheDog CRITICAL — The GitHub / TeamPCP breach is now being monetized on BreachForums. Listing is up — $95k… /// @struppigel CRITICAL — SUPPLY CHAIN ALERT: Laravel-Lang PHP packages backdoored May 22-23 via hijacked GitHub… /// @MalwareHunterTeam CRITICAL — Seeing fresh DebugElevator stealer log batches already appearing for sale on Exploit.in —…
15Critical Threats
8Active CVEs
0IOCs Tracked
0New Advisories
INTEL FEED/ARCHIVE/DARK-WEB
DMZ INTEL DESK//FILED: 2026-05-26//08:44Z
HIGH#dark web

CISA Contractor (Nightwing) Exposed AWS GovCloud Admin Keys and Plaintext Credentials in Public GitHub Repo for Six Months

A CISA contractor at Nightwing maintained a public GitHub repository named 'Private-CISA' from November 13, 2025 to mid-May 2026 that contained 844MB of files including administrative credentials to three AWS GovCloud servers, plaintext usernames and passwords for dozens of internal CISA systems (including the LZ-DSO DevSecOps environment), access tokens for CISA's internal software artifactory, SSH keys, and internal build/deployment documentation. GitGuardian researcher Guillaume Valadon confirmed the credentials were live; security researcher Philippe Caturegli verified the AWS keys were still valid after the repo was taken down and warned that artifactory access could have enabled supply-chain backdoors in CISA's software builds. Congressional Democrats on the Homeland Security Committee have demanded a classified briefing, and CISA is investigating while stating no compromise has been confirmed — a 48-hour post-removal key validity window remains the most significant unresolved risk.

This intelligence brief has been compiled from open-source reporting and corroborated across multiple threat intelligence sources. Defenders should treat the high severity rating as a guide to prioritization within their environment.

For the latest indicators of compromise, formatted SIEM queries, and unredacted actor intelligence related to this brief, DMZ Operator subscribers receive automated IOC packages via email the moment new advisories are published.

FILED UNDER:
cisa · aws-govcloud · credential-exposure · github · nightwing · dhs · insider-risk · devsecops · cloud-credentials · supply-chain-risk
STAY AHEAD OF THREATS
Daily intel briefs and IOC packages — delivered to your inbox the moment a new advisory drops.
SUBSCRIBE — $29/MO →
SHARE BRIEF:✕ Post on Xin Share on LinkedIn

MORE FROM ARCHIVE

# DARK WEB
2026-05-25
The Gentlemen RaaS Internal Chats and Backend Data Leaked on Breached Forum — Rare Visibility Into 10% of 2026 Global Ransomware Victims, Affiliate Economics, and EDR-Killer Tooling
# DARK WEB
2026-05-24
Operation Saffron: Europol Seizes First VPN Used by 25+ Ransomware Groups, Captures Full User Database of 5,000+ Criminal Accounts After Covert Traffic Interception
# DARK WEB
2026-05-23
TripleX, CoinbaseCartel, Bashe Post Fresh Victims on Leak Sites — State Bank, Aerospace Avionics, Pharma Manufacturer Hit in 24-Hour Window
# DARK WEB
2026-05-22
ShinyHunters Confirms 600K-Record Salesforce Exfiltration from 7-Eleven; 9.4GB Archive Leaked After Ransom Refusal — Part of Ongoing SaaS CRM Campaign Hitting Dozens of Enterprises