Feed aggregator

POWELL, Ohio (WCMH) -- Agents executed a search warrant Monday morning at a spa in Powell. The warrant stemmed from a "months-long investigation" into suspected illegal activity at K Spa on North Liberty Street, according to city officials. The Central Ohio Human Trafficking Task Force, Powell police, the Ohio Bureau of Criminal Investigation and the [...]

COLUMBUS, Ohio (WCMH) -- Columbus City Schools annoucned $60 million in summer capital improvements across neighborhood schools. The projects include renovations, playground updates, HVAC updates, classroom updates, parking lot improvements, and sustainability updates. “You also have to take care of your learning spaces, your buildings and operations, and so because of the previous levy, the [...]

COLUMBUS, Ohio (WCMH) -- The Columbus Division of Police is investigating another fatal hit-and-run this past weekend on Cleveland Avenue. The crash happened on Saturday night in a portion of Cleveland Avenue, a location the city has been trying to make safer for pedestrians. Amy Price has lived in her Cleveland Avenue home for 13 [...]

COLUMBUS, Ohio (WCMH) -- Two state lawmakers have proposed new legislation requiring a government warning label to be displayed on social media platforms with addictive properties.  House Bill 808 -- sponsored by state Representatives Christine Cockley (D-Columbus) and Jodi Salvo (R-Bolivar) -- defines an addictive social media platform as one that heavily relies on push [...]

COLUMBUS, Ohio (WCMH) -- High prices at the gas pump and the grocery store could have people re-thinking their Memorial Day weekend travel plans. AAA said Ohio specifically is looking at about 1.7 million people traveling with more than 1.5 million people traveling by car. The auto club said those numbers are similar to last [...]

COLUMBUS, Ohio (WCMH) -- Clay Jones loves the Buckeyes, and when he looks at Ohio Stadium, that love bursts out. "You can feel it through your body. It's a rush,” Jones said. "It's just a great feeling to be a Buckeye and to be a part of all this; it's an amazing feeling that empowers [...]

Until this past weekend, a contractor for the Cybersecurity & Infrastructure Security Agency (CISA) maintained a public GitHub repository that exposed credentials to several highly privileged AWS GovCloud accounts and a large number of internal CISA systems. Security experts said the public archive included files detailing how CISA builds, tests and deploys software internally, and that it represents one of the most egregious government data leaks in recent history.

On May 15, KrebsOnSecurity heard from Guillaume Valadon, a researcher with the security firm GitGuardian. Valadon’s company constantly scans public code repositories at GitHub and elsewhere for exposed secrets, automatically alerting the offending accounts of any apparent sensitive data exposures. Valadon said he reached out because the owner in this case wasn’t responding and the information exposed was highly sensitive.

A redacted screenshot of the now-defunct “Private CISA” repository maintained by a CISA contractor.

The GitHub repository that Valadon flagged was named “Private-CISA,” and it harbored a vast number of internal CISA/DHS credentials and files, including cloud keys, tokens, plaintext passwords, logs and other sensitive CISA assets.

Valadon said the exposed CISA credentials represent a textbook example of poor security hygiene, noting that the commit logs in the offending GitHub account show that the CISA administrator disabled the default setting in GitHub that blocks users from publishing SSH keys or other secrets in public code repositories.

“Passwords stored in plain text in a csv, backups in git, explicit commands to disable GitHub secrets detection feature,” Valadon wrote in an email. “I honestly believed that it was all fake before analyzing the content deeper. This is indeed the worst leak that I’ve witnessed in my career. It is obviously an individual’s mistake, but I believe that it might reveal internal practices.”

One of the exposed files, titled “importantAWStokens,” included the administrative credentials to three Amazon AWS GovCloud servers. Another file exposed in their public GitHub repository — “AWS-Workspace-Firefox-Passwords.csv” — listed plaintext usernames and passwords for dozens of internal CISA systems. According to Caturegli, those system included one called “LZ-DSO,” which appears short for “Landing Zone DevSecOps,” the agency’s secure code development environment.

Philippe Caturegli, founder of the security consultancy Seralys, said he tested the AWS keys only to see whether they were still valid and to determine which internal systems the exposed accounts could access. Caturegli said the GitHub account that exposed the CISA secrets exhibits a pattern consistent with an individual operator using the repository as a working scratchpad or synchronization mechanism rather than a curated project repository.

“The use of both a CISA-associated email address and a personal email address suggests the repository may have been used across differently configured environments,” Caturegli observed. “The available Git metadata alone does not prove which endpoint or device was used.”

The Private CISA GitHub repo exposed dozens of plaintext credentials for important CISA GovCloud resources.

Caturegli said he validated that the exposed credentials could authenticate to three AWS GovCloud accounts at a high privilege level. He said the archive also includes plain text credentials to CISA’s internal “artifactory” — essentially a repository of all the code packages they are using to build software — and that this would represent a juicy target for malicious attackers looking for ways to maintain a persistent foothold in CISA systems.

“That would be a prime place to move laterally,” he said. “Backdoor in some software packages, and every time they build something new they deploy your backdoor left and right.”

In response to questions, a spokesperson for CISA said the agency is aware of the reported exposure and is continuing to investigate the situation.

“Currently, there is no indication that any sensitive data was compromised as a result of this incident,” the CISA spokesperson wrote. “While we hold our team members to the highest standards of integrity and operational awareness, we are working to ensure additional safeguards are implemented to prevent future occurrences.”

A review of the GitHub account and its exposed passwords show the “Private CISA” repository was maintained by a contractor employed by Nightwing, a government contractor based in Dulles, Va. Nightwing declined to comment, directing inquiries to CISA.

CISA has not responded to questions about the potential duration of the data exposure, but Caturegli said the Private CISA repository was created on November 13, 2025. The contractor’s GitHub account was created back in September 2018.

The GitHub account that included the Private CISA repo was taken offline shortly after both KrebsOnSecurity and Seralys notified CISA about the exposure. But Caturegli said the exposed AWS keys inexplicably continued to remain valid for another 48 hours.

The now-defunct Private CISA repo showed the contractor also used easily-guessed passwords for a number of internal resources; for example, many of the credentials used a password consisting of each platform’s name followed by the current year. Caturegli said such practices would constitute a serious security threat for any organization even if those credentials were never exposed externally, noting that threat actors often use key credentials exposed on the internal network to expand their access after establishing initial access to a targeted system.

“What I suspect happened is [the CISA contractor] was using this GitHub to synchronize files between a work laptop and a home computer, because he has regularly committed to this repo since November 2025,” Caturegli said. “This would be an embarrassing leak for any company, but it’s even more so in this case because it’s CISA.”

COLUMBUS, Ohio (WCMH) -- NBC4 Investigates has been digging into how much money Franklin County has spent so far on two trials of former deputy Jason Meade in the death of Casey Goodson Jr. The answer is more than half a million dollars. Meade’s first trial in 2024 ended with a hung jury. His second [...]

COLUMBUS, Ohio (WCMH) — The end of an east Columbus apartment complex that was shut down to its residents on Christmas in 2022 has officially begun. Demolition crews were spotted Monday morning at the now-vacant Latitude Five25 towers on Sawyer Boulevard. The demolition is the first movement toward a $150 million affordable housing complex, which [...]

COLUMBUS, Ohio (WCMH) -- OhioHealth has cleared another hurdle in its plan for the former Big Lots headquarters in northeast Columbus, though the health system has yet to announce what it wants to do with the property. Columbus City Council voted on May 11 to approve a zoning change for the 24-acre site at 4900 [...]

COLUMBUS, Ohio (WCMH) – A Mexican restaurant, a dessert store and a brunch eatery are preparing to launch inside a retail center near New Albany and Gahanna. The Commons at Hamilton Quarter is located off Old Hamilton Road in northeast Columbus, just south of Culver’s and west of the Hamilton Quarter shopping development. Built in [...]

Central Ohio is hosting a variety of Memorial Day events, including parades, ceremonies, and open houses, to honor the men and women who have died in military service.

COLUMBUS, Ohio (WCMH) — An 11-year-old girl who was struck while crossing a busy west Columbus road died over the weekend, police reported. According to an updated incident report, 11-year-old Scarlett Hightower died at a hospital Friday night, two days after being struck by a vehicle on Hilliard Road Road, near the intersection of Hilliard [...]

COLUMBUS, Ohio (WCMH) -- Although public polling for Ohio's Senate and governor's races in an effective tie, a new poll found state legislators predict Ohio will vote Republican. Gongwer-Worth surveys members of Ohio's General Assembly to get their perspectives on state politics. A new Gongwer-Worth poll published last week surveyed nearly 50 Ohio legislators on [...]

COLUMBUS, Ohio (WCMH) — For the second consecutive week, Columbus motorists experienced cheaper gas prices, but overall prices remain far from cheap throughout the state and country. According to According to GasBuddy’s survey of 500 stations in and around Columbus, Ohio, gas prices fell by 21.7 cents per gallon last week, to average out at [...]

COLUMBUS, Ohio (WCMH) – The Ohio Senate has unanimously passed a bill that would ban landlords and homeowners associations from prohibiting thin blue line flags.  Senate Bill 202, sponsored by Sen. Tim Schaffer (R-Lancaster), cleared the Senate on Wednesday and now moves to the House for further consideration. Under the legislation, HOAs, condominium associations, landlords, [...]

CIRCLEVILLE, Ohio (WCMH) — One person is dead, another is in critical condition after they were thrown off of a motorcycle after a crash in Pickaway County. The crash occurred Sunday afternoon at 2:51 p.m. when Ohio State Highway Patrol troopers were alerted to the intersection of SR-159 and Kingston Adelphi Road in Kingston, which [...]

COLUMBUS, Ohio (WCMH) -- A proposal at the Ohio Statehouse would bar public officials and government employees from participating in prediction markets. Rep. Sean Brennan (D-Parma) introduced House Bill 887 this month. The proposal, titled the "Ohio Public Employee Event-Wagering Ethics Act," would amend the state's ethics laws to ban public officials and employees from [...]

• Trump and the CEOs go to China
• NVIDIA CEO joins Trump in China despite 'awkward' politics
• US clears H200 chip sales to 10 China firms as Nvidia CEO looks for breakthrough
• Empty Waymos invade Atlanta neighborhood, circle cul-de-sac for hours with no passengers
• The Class of 2026 is cooked
• Chinese AI groups pull ahead of US rivals in video generation race
• Google Weighs Using SpaceX to Launch Orbital Data Centers
• What smart people are saying about OpenAI's new $10 billion company to help businesses deploy AI
• Bitcoin trader recovers $400,000 using Claude AI after getting 'stoned' and losing wallet password 11 years ago — bot tried 3.5 trillion passwords before decrypting an old wallet backup
• Your Mattress Got Worse on Purpose

Host: Leo Laporte

Guests: Harper Reed and Amy Webb

Download or subscribe to This Week in Tech at https://twit.tv/shows/this-week-in-tech

Join Club TWiT for Ad-Free Podcasts!
Support what you love and get ad-free audio and video feeds, a members-only Discord, and exclusive content. Join today: https://twit.tv/clubtwit

Sponsors:

• threatlocker.com/twit
• scribe.how/twit
• shopify.com/twit
• box.com/AI
• NetSuite.com/TWIT