CISA Contractor Leaked AWS GovCloud Keys on GitHub

The Worst Leak I’ve Witnessed

Sometimes the most damaging cybersecurity failures come not from sophisticated nation-state adversaries but from the mundane mistakes of trusted insiders. That lesson was driven home again this past weekend when security researchers discovered that a contractor for the U.S. Cybersecurity and Infrastructure Security Agency (CISA) had been maintaining a public GitHub repository filled with highly sensitive credentials — including administrative keys to three AWS GovCloud accounts and plaintext passwords for dozens of internal systems.

The repository, ironically named “Private-CISA,” was discovered by Guillaume Valadon, a researcher at the secrets-scanning firm GitGuardian. His company automatically scans public repositories for exposed credentials and alerts the offending accounts. In this case, the account owner never responded — and the exposed data was extraordinary.

“I honestly believed that it was all fake before analyzing the content deeper,” Valadon wrote in an email to KrebsOnSecurity. “This is indeed the worst leak that I’ve witnessed in my career.”

What Was Exposed

The scope of the exposure was staggering. Among the files in the public repository:

- AWS GovCloud administrative credentials for three separate accounts, stored in a file titled importantAWStokens
- Plaintext usernames and passwords for dozens of internal CISA systems, recorded in AWS-Workspace-Firefox-Passwords.csv
- Credentials to CISA’s internal “artifactory” — the repository of all code packages used to build agency software
- Access to LZ-DSO, which appears short for “Landing Zone DevSecOps,” CISA’s secure code development environment

Philippe Caturegli, founder of the security consultancy Seralys, independently validated the exposure. He confirmed that the leaked credentials could authenticate to three AWS GovCloud accounts at a high privilege level. The artifactory access, he noted, would represent a particularly dangerous vector for lateral movement by attackers.

“That would be a prime place to move laterally,” Caturegli told KrebsOnSecurity. “Backdoor in some software packages, and every time they build something new they deploy your backdoor left and right.”

Textbook Poor Security Hygiene

What makes the incident particularly egregious is that the CISA contractor actively disabled GitHub’s built-in secret detection feature before committing the sensitive files. The commit logs show an explicit command to bypass GitHub’s default push protection, which normally blocks users from publishing SSH keys or other secrets to public repositories.

“Passwords stored in plain text in a CSV, backups in git, explicit commands to disable GitHub secrets detection feature,” Valadon noted, summarizing the cascade of failures.

The password hygiene was equally troubling. According to Caturegli, many credentials followed a predictable pattern: the platform name followed by the current year. Such practices would pose a serious security risk for any organization, even if the credentials remained internal — threat actors routinely harvest internally-exposed keys to expand their reach after gaining initial access.

The repository was created on November 13, 2025, meaning the credentials sat exposed for roughly six months before discovery. The contractor’s GitHub account itself dated back to September 2018.

Slow Response After Discovery

Once KrebsOnSecurity and Seralys notified CISA about the exposure, the GitHub repository was taken offline. But the exposed AWS keys remained valid for another 48 hours — an inexplicable delay that suggests gaps in CISA’s incident response playbook.

CISA issued a measured statement: “Currently, there is no indication that any sensitive data was compromised as a result of this incident. While we hold our team members to the highest standards of integrity and operational awareness, we are working to ensure additional safeguards are implemented to prevent future occurrences.”

The contractor in question was identified as an employee of Nightwing, a government contractor based in Dulles, Virginia. Nightwing declined to comment, redirecting all inquiries to CISA.

An Agency Under Strain

The incident arrives at a difficult moment for CISA. The agency has lost nearly a third of its workforce since the beginning of the second Trump administration, driven by a series of early retirements, buyouts, and resignations across various divisions. Staffing reductions of this magnitude inevitably affect an agency’s ability to maintain rigorous security practices, oversee contractors, and respond to incidents with the speed that crisis demands.

This is not the first time CISA has been in the spotlight for security concerns. Earlier this year, the agency flagged Cisco SD-WAN vulnerabilities requiring urgent patching — a reminder that the agency responsible for defending federal networks must also defend its own digital perimeter.

Broader Lessons for Government IT

The CISA leak underscores several uncomfortable truths about government cybersecurity:

Insider risk is asymmetric. A single contractor’s poor judgment can expose more attack surface than a year of nation-state probing. The “Private-CISA” repo was not the result of a sophisticated breach — it was an individual using GitHub as a personal synchronization mechanism between work and home machines.

Secrets scanning is non-negotiable. Organizations of any size should enforce automated secrets detection across all repositories, with mandatory blocking on push — not optional, and certainly not bypassable at the individual developer level.
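As an added illustration of two controls this piece calls for (blocking any push that contains a secret, and catching the “platform name followed by the year” password pattern described earlier), here is a small Python scanner of the kind a pre-receive hook would run. It is example code written for this page, not code from GitGuardian, GitHub, Nightwing or CISA; the detection rules are simplified heuristics rather than any vendor’s, and the diff and CSV it runs over are constructed samples with made-up values.

```python
import csv
import io
import re
from urllib.parse import urlparse

# Detection rules: (rule name, compiled pattern). The AKIA/ASIA prefixes are
# AWS's documented access-key-ID formats; the rest are heuristics of the kind
# push-protection scanners use. Simplified for illustration, not any vendor's rules.
RULES = [
    ("aws-access-key-id", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
    ("aws-secret-access-key",
     re.compile(r"(?i)aws_?secret_?access_?key\W{0,5}([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])")),
    ("private-key-block",
     re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("password-csv-header",
     re.compile(r"(?i)^\+?\s*(?:url|site|platform)\s*,\s*username\s*,\s*password\b")),
]


def redact(hit):
    """Keep only a short prefix so a scan report does not re-leak the secret."""
    return hit[:8] + "..." if len(hit) > 8 else hit


def scan_added_lines(diff_text):
    """Scan the '+' lines of a unified diff; return (line_no, rule, redacted hit)."""
    findings = []
    for n, line in enumerate(diff_text.splitlines(), start=1):
        if not line.startswith("+") or line.startswith("+++"):
            continue  # only newly added content can introduce a secret
        for name, pattern in RULES:
            m = pattern.search(line)
            if m:
                findings.append((n, name, redact(m.group(0))))
    return findings


def push_allowed(findings):
    """Mandatory blocking: any finding rejects the push, with no per-developer bypass."""
    return len(findings) == 0


def weak_password(platform, password):
    """True when the password is just the platform name followed by a 20xx year."""
    base = re.sub(r"[^a-z]", "", platform.lower())
    m = re.fullmatch(r"([a-z]+)(20\d{2})", re.sub(r"[^a-z0-9]", "", password.lower()))
    return bool(m) and m.group(1) == base


def platform_from_url(url):
    """Use the first host label as the platform name ('jira' for jira.example.gov)."""
    host = urlparse(url).hostname or ""
    return host.split(".")[0]


def audit_password_rows(csv_text):
    """Return the URLs in a url,username,password export whose password is platform+year."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [r["url"] for r in rows
            if weak_password(platform_from_url(r["url"]), r["password"])]


# Constructed sample inputs (made-up values, not content from the leaked repository).
SAMPLE_DIFF = """\
diff --git a/importantAWStokens b/importantAWStokens
+++ b/importantAWStokens
+aws_access_key_id = AKIAEXAMPLEEXAMPLE01
+aws_secret_access_key = abcdefghijklmnopqrstuvwxyz0123456789ABCD
diff --git a/passwords.csv b/passwords.csv
+++ b/passwords.csv
+url,username,password
+https://jira.example.gov/,alice,Jira2025!
"""

SAMPLE_CSV = """\
url,username,password
https://jira.example.gov/,alice,Jira2025!
https://artifactory.example.gov/,alice,artifactory2025
https://wiki.example.gov/,alice,Tr0ub4dor&3-correct-horse
"""

if __name__ == "__main__":
    hits = scan_added_lines(SAMPLE_DIFF)
    for line_no, rule, snippet in hits:
        print(f"line {line_no}: {rule} ({snippet})")
    print("push allowed:", push_allowed(hits))
    print("platform+year passwords:", audit_password_rows(SAMPLE_CSV))
```

The scanner only looks at added lines, because that is where a new secret enters history, and it reports a redacted prefix rather than the full match so the hook’s own log does not become a second copy of the credential. The password audit is deliberately narrow: it flags exactly the platform-plus-year pattern the post describes, which is the kind of check a credential-hygiene review can run over an exported password file without ever sending the passwords anywhere.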

Incident response speed matters. Allowing compromised credentials to remain valid for 48 hours after discovery is unacceptable. The gap between detection and rotation should be measured in minutes, not days. This is a similar pattern to what we discussed in our analysis of Microsoft’s Azure vulnerability disclosure delays, where slow response and opaque communication eroded trust in cloud providers.

Staffing cuts have security consequences. When agencies lose a third of their workforce, institutional knowledge, contractor oversight, and security review capacity all degrade. The connection between staffing and security incidents is rarely linear, but it is real.

What Comes Next

CISA has not disclosed how long the credentials were actively exposed beyond the November 2025 repository creation date, nor whether forensic analysis has been conducted on potential unauthorized access to the GovCloud accounts during that window. The agency’s assurance that “no sensitive data was compromised” should be viewed as preliminary until a full audit is completed.

For security teams reading this, the CISA leak is a case study in what not to do — but also a reminder that the same vulnerabilities likely exist in your own organization. When was the last time you scanned your public repositories for secrets? When was the last time you rotated keys that might have been accidentally exposed? In our earlier coverage of the NGINX heap overflow exploitation, we emphasized that the gap between vulnerability discovery and active exploitation is shrinking. The same urgency applies to credential management.

The irony is difficult to miss: the agency entrusted with protecting America’s critical infrastructure from cyber threats was itself exposed by a contractor who disabled security warnings and committed plaintext passwords to a public repository. If CISA can make this mistake, anyone can.

