CISA Contractor Exposed AWS GovCloud Admin Keys and Plaintext Passwords on Public GitHub Repo
A Nightwing contractor's public GitHub repository exposed administrative credentials to three AWS GovCloud accounts and dozens of internal CISA systems
A contractor working for the Cybersecurity and Infrastructure Security Agency maintained a public GitHub repository from November 2025 through May 15, 2026, that exposed administrative credentials to three AWS GovCloud accounts, plaintext passwords for dozens of CISA internal systems, and documentation detailing how the agency builds, tests, and deploys software internally. The repository was taken down shortly after researchers alerted CISA, but the exposed AWS keys remained active for an additional 48 hours following removal.
Affected Systems
The repository, named “Private-CISA,” was created on November 13, 2025 by a contractor employed by Nightwing, a government services firm headquartered in Dulles, Virginia. It contained:
- Three AWS GovCloud accounts with administrative-level access keys, stored in a file labeled importantAWStokens
- AWS-Workspace-Firefox-Passwords.csv — a plaintext spreadsheet containing usernames and passwords for dozens of CISA internal applications
- Credentials and configuration data for CISA’s LZ-DSO (Landing Zone DevSecOps) environment, the agency’s primary secure code development platform
- Access tokens and deployment logs for CISA’s internal Artifactory instance — the package repository used to distribute software components across agency development pipelines
- Documentation describing internal CI/CD processes, test environments, and deployment procedures
No CVE identifiers apply to this incident; the exposure was a credential and configuration leak, not a software vulnerability.
Discovery and Timeline
- November 13, 2025 — Contractor creates the “Private-CISA” GitHub repository under a personal account established in September 2018.
- May 15, 2026 — Researchers at GitGuardian and Seralys independently identify the live exposure.
- May 15, 2026 — GitGuardian researcher Guillaume Valadon and Seralys founder Philippe Caturegli notify CISA.
- Shortly after notification — GitHub repository is taken down.
- ~48 hours post-takedown — AWS GovCloud access keys are finally rotated and invalidated.
Technical Assessment
Security researchers who reviewed the repository before takedown flagged multiple compounding failures.
Valadon noted the contractor had explicitly disabled GitHub’s built-in secret scanning — a feature enabled by default on public repositories that flags and can auto-revoke detected credentials. Disabling that control removed the automated safety net that would normally have triggered immediate key invalidation.
Caturegli assessed the exposed Artifactory access as particularly high-risk. Artifactory serves as the distribution point for software packages consumed across CISA’s development environment; write access to that repository would allow an attacker to inject malicious components into the agency’s build pipeline — a classic software supply chain vector. Caturegli described it as “a prime place to move laterally” and to establish durable persistence inside agency systems.
Password hygiene in the leaked CSV was poor by any standard. Caturegli’s review showed credentials following predictable patterns — platform name followed by the current year — across multiple internal systems. That pattern substantially reduces the effective brute-force search space if an attacker had obtained the list without the filename context.
The repository appears to have been used as an ad hoc synchronization mechanism, with the contractor copying work materials to GitHub for access across personal and work machines. That explanation accounts for the breadth of credential types present: not a single system’s keys, but a working collection of everything the contractor accessed regularly.
Exposure Window and Risk
Six months of public availability on GitHub means the repository content was indexed by multiple third-party code-search platforms that continuously scrape public repositories, including services that specifically track secrets. An attacker with access to any such index would not have needed to find the repository organically. Whether the keys were accessed during the exposure window is not publicly confirmed.
The 48-hour gap between repository removal and key rotation is operationally significant. Deleting a repository does not invalidate live credentials; anyone who cloned or cached the content before takedown retained working keys throughout that window.
CISA Statement
CISA issued the following statement: “Currently, there is no indication that any sensitive data was compromised as a result of this incident. While we hold our team members to the highest standards of integrity and operational awareness, we are working to ensure additional safeguards are implemented to prevent future occurrences.”
Nightwing declined to comment.
Mitigation and Defender Actions
For organizations reviewing their own posture in response to this incident:
- Audit GitHub secret scanning settings — Verify that secret scanning and push protection are enabled on all repositories, public and private. A developer-level override disabling scanning should not be possible without a log trail.
- Automate credential rotation on public exposure — Establish automated pipelines that rotate cloud credentials immediately upon detection of a public leak, not after manual review. The 48-hour delay here represents a meaningful exposure window.
- Restrict Artifactory and package repo write access — Apply least-privilege to internal artifact stores. Write access should be limited to CI/CD service accounts with short-lived tokens, not persistent personal credentials.
- Scan for predictable password patterns — Password audits that check for platform_name + year patterns across enterprise directories identify systemic password hygiene failures before attackers do.
- Monitor GitHub for organization-name strings — Services like GitGuardian, Trufflehog, and GitHub Advanced Security can continuously scan public repositories for strings matching internal system names, domain patterns, or IAM key prefixes.
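As an added illustration of the last two items (example code written for this page, not a tool from the article, GitGuardian, Seralys, or CISA), the following Python scans a small constructed set of repository files for AWS access key IDs, credential-suggesting filenames, and platform-name-plus-year passwords. The file names mirror those reported; every file's content is constructed.

```python
import csv
import io
import re

# AWS access key IDs are "AKIA" followed by 16 upper-case alphanumerics.
AWS_KEY_ID_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
# Platform name, then a four-digit year, then up to three trailing symbols.
PLATFORM_YEAR_RE = re.compile(r"^([A-Za-z]+)(19|20)\d{2}[!@#$%^&*]{0,3}$")
# Filename fragments that usually mean stored credentials.
SUSPICIOUS_NAME_RE = re.compile(r"(token|password|secret|credential)", re.I)


def find_aws_key_ids(text):
    """Return every string shaped like an AWS access key ID in text."""
    return AWS_KEY_ID_RE.findall(text)


def flag_predictable_passwords(csv_text):
    """Parse a system,username,password CSV and return the systems whose
    password is just the platform name followed by a year."""
    flagged = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        m = PLATFORM_YEAR_RE.match(row["password"])
        if m and m.group(1).lower() == row["system"].lower():
            flagged.append(row["system"])
    return flagged


def scan_repo_files(files):
    """files maps path -> content. Returns (path, finding) tuples."""
    findings = []
    for path, content in files.items():
        if SUSPICIOUS_NAME_RE.search(path):
            findings.append((path, "filename suggests stored credentials"))
        for key_id in find_aws_key_ids(content):
            findings.append((path, f"AWS access key ID {key_id}"))
        header = content.splitlines()[:1]
        if path.lower().endswith(".csv") and header and "password" in header[0].lower():
            for system in flag_predictable_passwords(content):
                findings.append((path, f"predictable password for {system}"))
    return findings


# Constructed sample repository; key ID and passwords are fabricated.
SAMPLE_CSV = """system,username,password
Artifactory,svc-deploy,Artifactory2025!
Jenkins,builder,Jenkins2026
GitLab,dev1,Tr0ub4dor&3
"""
SAMPLE_FILES = {
    "importantAWStokens": "aws_access_key_id = AKIAEXAMPLE000000001\n",
    "AWS-Workspace-Firefox-Passwords.csv": SAMPLE_CSV,
    "README.md": "Build notes. Nothing secret here.\n",
}

if __name__ == "__main__":
    for path, finding in scan_repo_files(SAMPLE_FILES):
        print(f"{path}: {finding}")
```

The same checks applied to a real tree would run in a pre-commit hook or a scheduled scan of an organization's public repositories, alongside the managed services named above.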
Sources
KrebsOnSecurity — “CISA Admin Leaked AWS GovCloud Keys on Github” (May 18, 2026). Primary reporting on the incident. Includes researcher commentary from GitGuardian and Seralys, the CISA statement, and technical description of repository contents. URL: https://krebsonsecurity.com/2026/05/cisa-admin-leaked-aws-govcloud-keys-on-github/
CISA — Cybersecurity and Infrastructure Security Agency (official). Agency responsible for the affected infrastructure; source for official statement. URL: https://www.cisa.gov/