CISA Admin Leaked AWS GovCloud Keys on GitHub
Source: Krebs on Security
CISA Contractor’s Public GitHub Repository Exposes Highly Privileged AWS GovCloud Credentials
Until this past weekend, a contractor for the Cybersecurity & Infrastructure Security Agency (CISA) maintained a public GitHub repository that exposed credentials to several highly privileged AWS GovCloud accounts and a large number of internal CISA systems. Security experts said the public archive included files detailing how CISA builds, tests, and deploys software internally, making it one of the most egregious government data leaks in recent history.
Discovery
On May 15, KrebsOnSecurity heard from Guillaume Valadon, a researcher with the security firm GitGuardian. GitGuardian continuously scans public code repositories for exposed secrets and automatically alerts offending accounts. Valadon said he reached out because the repository owner was not responding and the information exposed was highly sensitive.

The GitHub repository that Valadon flagged was named “Private‑CISA.” It contained a vast number of internal CISA/DHS credentials and files, including:
- Cloud keys
- Tokens
- Plain‑text passwords
- Logs
- Other sensitive CISA assets
Valadon noted that the commit logs show the CISA administrator disabled GitHub’s default secret‑detection feature, allowing SSH keys and other secrets to be published publicly.
“Passwords stored in plain text in a CSV, backups in git, explicit commands to disable GitHub secrets detection feature,” Valadon wrote.
“I honestly believed that it was all fake before analyzing the content deeper. This is indeed the worst leak that I’ve witnessed in my career. It is obviously an individual’s mistake, but I believe that it might reveal internal practices.”
Exposed Files
| File | Contents |
|---|---|
| importantAWStokens | Administrative credentials to three Amazon AWS GovCloud servers |
| AWS-Workspace-Firefox-Passwords.csv | Plain‑text usernames and passwords for dozens of internal CISA systems (e.g., “LZ‑DSO” – Landing Zone DevSecOps) |
| Various other files | Plain‑text credentials to CISA’s internal artifactory (code‑package repository) and numerous internal resources |

Expert Commentary
Philippe Caturegli, founder of the security consultancy Seralys, tested the AWS keys to see whether they were still valid and to determine which internal systems the exposed accounts could access.
- The exposed credentials authenticated to three AWS GovCloud accounts at a high‑privilege level.
- The archive also includes plain‑text credentials to CISA’s internal artifactory, a prime target for attackers seeking persistent footholds.
“That would be a prime place to move laterally. Backdoor in some software packages, and every time they build something new they deploy your backdoor left and right.” – Caturegli
Caturegli observed that the repository’s metadata suggests it was used as a scratchpad or synchronization mechanism rather than a curated project:
“The use of both a CISA‑associated email address and a personal email address suggests the repository may have been used across differently configured environments. The available Git metadata alone does not prove which endpoint or device was used.”
He also noted that many passwords followed a predictable pattern, a serious security risk even if the credentials had never been exposed.
CISA Response
A spokesperson for CISA confirmed that the agency is aware of the exposure and is investigating.
“Currently, there is no indication that any sensitive data was compromised as a result of this incident. While we hold our team members to the highest standards of integrity and operational awareness, we are working to ensure additional safeguards are implemented to prevent future occurrences.”
Contractor & Timeline
- The “Private CISA” repository was maintained by a contractor employed by Nightwing, a government contractor based in Dulles, VA. Nightwing declined comment, directing inquiries to CISA.
- Repository creation date: 13 Nov 2025
- Contractor’s GitHub account creation: Sept 2018
- The GitHub account was taken offline shortly after KrebsOnSecurity and Seralys notified CISA.
- Despite the takedown, the exposed AWS keys remained valid for another 48 hours.
Key Takeaways
- Disabling secret‑detection features on public repositories can lead to massive data leaks.
- Plain‑text storage of credentials (CSV files, backups in Git) is a textbook example of poor security hygiene.
- Predictable passwords dramatically increase the risk of lateral movement by threat actors.
- Rapid remediation (removing the repo, rotating keys) is essential, but the window of exposure can still be exploited.
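A local pre-commit check can catch the file types named above even when hosted secret detection has been switched off. The sketch below is an added example, not code from the article, CISA or GitHub; the function names are hypothetical, the sample commit is constructed, and the key ID shown is the placeholder AWS uses in its own documentation.

```python
import csv
import io
import re

# AWS access key IDs: AKIA (long-term) or ASIA (temporary) prefix,
# followed by 16 upper-case alphanumerics.
AWS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")
PRIVATE_KEY = re.compile(r"-----BEGIN (?:OPENSSH|RSA|EC|DSA) PRIVATE KEY-----")
# Columns that, together, mark a browser password export such as Firefox's.
EXPORT_COLUMNS = {"url", "username", "password"}

def is_password_export(text):
    """True if the first CSV row is a header containing url/username/password."""
    try:
        header = next(csv.reader(io.StringIO(text)), [])
    except csv.Error:
        return False
    return EXPORT_COLUMNS <= {col.strip().lower() for col in header}

def scan_file(path, text):
    """Return a sorted list of (path, finding) tuples for one staged file."""
    findings = set()
    if AWS_KEY_ID.search(text):
        findings.add("aws-access-key-id")
    if PRIVATE_KEY.search(text):
        findings.add("private-key")
    if path.lower().endswith(".csv") and is_password_export(text):
        findings.add("password-export-csv")
    return sorted((path, f) for f in findings)

def scan_commit(files):
    """files maps path -> text content; a non-empty result should block the commit."""
    results = []
    for path in sorted(files):
        results.extend(scan_file(path, files[path]))
    return results

# Constructed sample commit: file names echo the article, contents are fake.
SAMPLE = {
    "importantAWStokens": "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n",
    "AWS-Workspace-Firefox-Passwords.csv":
        '"url","username","password","httpRealm"\n'
        '"https://intranet.example","alice","not-a-real-password",""\n',
    "README.md": "build notes, no secrets here\n",
}

if __name__ == "__main__":
    for path, finding in scan_commit(SAMPLE):
        print(f"BLOCK {path}: {finding}")
```

Pattern matching of this kind only covers secrets with a recognizable shape; plain passwords in free-form notes still need a password manager and review, not a regex.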
“... to synchronize files between a work laptop and a home computer, because he has regularly committed to this repo since November 2025,” Caturegli said. “This would be an embarrassing leak for any company, but it’s even more so in this case because it’s CISA.”