CMI Management Leak Exposed U.S. Military Base Files in Public Directory
A publicly accessible directory tied to U.S. government contractor CMI Management Inc. exposed more than 70,000 files linked to U.S. military installations and personnel. Reports say the contractor, which provides facility management services to the U.S. Army, left records openly available for months through an open directory listing, allowing access to sensitive material including personnel records, contractor documents, maintenance forms, emails, schematics, and photographs taken inside military bases.
The leak created risks including phishing, impersonation, and intelligence gathering against military facilities and staff. Researcher Arkadeep Roy reportedly alerted CISA in 2024 after the exposure was identified following a tip to Cybernews, but the files remained accessible as recently as March 2026, underscoring how long-lived misconfigurations at defense contractors can leave operationally sensitive government data exposed.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Media reports detail prolonged exposure of military-related contractor data
On May 7-8, 2026, news reports disclosed that CMI Management, a U.S. government contractor supporting the Army, had exposed sensitive data connected to U.S. military installations through a misconfigured public-facing directory.
CMI Management military-linked files remain publicly accessible
Despite the 2024 notification, the exposed directory remained accessible for months and was still publicly reachable as of March 2026. The leak reportedly included more than 70,000 files such as schematics, personnel records, maintenance forms, emails, contractor records, and photos from inside military bases.
Researcher reports exposed CMI Management directory to CISA
Security researcher Arkadeep Roy notified CISA in 2024 after identifying an open directory listing exposing sensitive CMI Management files tied to U.S. military installations and personnel.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
CISA Contractor GitHub Repository Exposed AWS GovCloud Keys and Internal Credentials
A public GitHub repository tied to a contractor supporting the U.S. Cybersecurity and Infrastructure Security Agency (**CISA**) exposed plaintext passwords, access tokens, cloud keys, logs, spreadsheets, and deployment files that could provide access to CISA and Department of Homeland Security internal and cloud systems. Researchers from GitGuardian and Seralys reported that the repository, named **"Private-CISA"**, contained administrative credentials for three AWS GovCloud accounts as well as numerous credentials for internal CISA systems; some of the exposed secrets were verified as valid. The repository was reportedly linked to a Nightwing employee and appears to have been used as an informal working scratchpad rather than a controlled code repository, with commit history indicating GitHub secret-scanning protections had been disabled. After alerts to the contractor reportedly went unanswered, the issue was escalated and the GitHub account was taken offline, but exposed AWS keys were said to remain valid for roughly 48 hours after disclosure. CISA said it is investigating and that it had no indication the credentials were abused, though the incident represents a significant security lapse at the federal agency responsible for civilian cybersecurity.
Jun 1, 2026
Schemata API Flaw Exposed Military Training Data and Service Member Records
Schemata, an AI-powered virtual training platform used by defense customers under active Department of Defense contracts, exposed cross-tenant data through API endpoints that lacked effective authorization checks. Researchers at Strix reported that a low-privilege account could access user listings, organization records, course information, training metadata, and direct AWS-hosted document links belonging to other tenants. The exposed material reportedly included confidential naval maintenance training content, Army field manuals covering explosive ordnance handling and tactical deployment, and service member records containing names, email addresses, enrollment details, and military base affiliations. Researchers said the same authorization failures also affected write-enabled routes, creating the potential for unauthorized modification or deletion of training courses. Strix disclosed the issue privately on **December 2, 2025** and said remediation took roughly 150 days despite repeated follow-ups; Schemata said it patched the exposed endpoints on **May 1, 2026**, found no evidence of third-party exploitation, and began working with cybersecurity consultants and government authorities. The exposure has intensified scrutiny of basic tenant-isolation controls and compliance obligations tied to protecting defense-related data, including **Controlled Unclassified Information** under `DFARS 252.204-7012` and **CMMC** requirements.
Jun 8, 2026
KnownSec Data Breach Exposes Chinese Cyber Tools and Global Target Lists
Chinese cybersecurity firm KnownSec suffered a significant data breach, resulting in the leak of over 12,000 internal documents. The files, briefly posted on GitHub before removal, reportedly include details on KnownSec's contracts with Chinese government and military entities, internal hacking tools, and a spreadsheet listing 80 overseas targets. Analysis of the leaked data suggests the presence of remote access trojans (RATs) capable of compromising Linux, Windows, macOS, iOS, and Android systems, with some tools able to extract data from popular messaging apps such as Telegram and Chinese platforms. The breach also exposed large datasets, including 95GB of Indian immigration data, 3TB of call records from South Korea's LG U Plus, and 459GB of Taiwanese road planning data. Security researchers and analysts have described the leak as an intelligence gold mine, providing rare insight into the operations of a major Chinese cyber contractor. While the exact motivation behind the leak remains unclear—whether it was the act of a disgruntled insider or an external hack-and-dump operation—the incident highlights the scale and scope of KnownSec's cyber activities, including its role in mapping foreign digital infrastructure and developing tools for state-sponsored operations. The exposure of these documents is likely to have significant implications for both Chinese cyber operations and the security of the affected international targets.
Mar 21, 2026