CISA Contractor Exposed AWS GovCloud Credentials in Public GitHub Repo
A CISA contractor left highly privileged AWS GovCloud credentials and internal system details exposed in a public GitHub repository until May 2026, in what experts call one of the most egregious government data leaks in recent history.

A contractor working for the Cybersecurity and Infrastructure Security Agency (CISA) maintained, until this past weekend, a public GitHub repository that exposed credentials to several highly privileged AWS GovCloud accounts and a large number of internal CISA systems. Security experts described the public archive as including files detailing how CISA builds, tests, and deploys software internally, and called it one of the most egregious government data leaks in recent history.
The repository contained credentials granting access to AWS GovCloud environments, which are specifically designed for U.S. government agencies to host sensitive data and workloads subject to compliance requirements. The exposed credentials could have allowed an attacker to access, modify, or exfiltrate data from these critical cloud environments, potentially compromising national security systems.
Beyond the AWS GovCloud credentials, the repository also exposed access to numerous internal CISA systems. The leaked files reportedly included detailed documentation of CISA's internal software development lifecycle, including build processes, testing procedures, and deployment pipelines. This level of detail could provide adversaries with a blueprint for understanding and exploiting CISA's operational security posture.
The breach was discovered and reported before the repository was taken down, but the duration of exposure remains unclear. The incident highlights the persistent risk of credential leakage through public code repositories, a problem that has plagued both private sector organizations and government agencies for years. Automated scanning tools and manual oversight have repeatedly failed to catch such exposures in time.
CISA has not yet issued a public statement regarding the incident, and it is unknown whether the contractor faces disciplinary action or whether the exposed credentials have been rotated. The agency's own mission to secure federal networks and critical infrastructure makes this breach particularly ironic and damaging to its credibility.
This incident follows a pattern of high-profile credential leaks from government contractors and agencies. In recent years, similar exposures have occurred at the Department of Defense, the National Security Agency, and various state-level agencies. The recurrence of such incidents suggests systemic failures in credential management and repository governance across the federal government.
The exposure of AWS GovCloud credentials is especially concerning given the platform's role in hosting sensitive government workloads. GovCloud environments are subject to FedRAMP and other compliance frameworks, but those frameworks do not prevent contractors from accidentally exposing credentials in public repositories. The incident underscores the need for automated credential scanning, mandatory repository access controls, and stricter oversight of contractor security practices.
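As an added illustration of the automated credential scanning called for above (example code written for this article, not a CISA tool or anything from the leaked repository), here is a small pre-commit style scanner that flags the credential types involved in this leak: AWS access key IDs, the AWS secret access keys that travel with them, and PEM private keys. The key-format patterns and the file name `scan_secrets.py` are assumptions, and the sample values are the placeholder keys from AWS's own documentation.

```python
import re
import sys

# Detection rules (assumptions made for this example, not an official AWS or CISA spec): access
# key IDs are 20 chars starting with AKIA (long-term) or ASIA (temporary); secret keys are 40
# base64-style chars, flagged only beside a telltale label; PEM keys carry a BEGIN ... PRIVATE KEY header.
RULES = {
    "aws_access_key_id": re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws[_-]?secret[_-]?access[_-]?key\W{0,5}([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
    ),
    "private_key_block": re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"),
}

def redact(secret: str) -> str:
    """Keep only a short prefix so the scanner's own output never re-leaks the value."""
    return f"{secret[:4]}...({len(secret)} chars)"

def scan_text(text: str, path: str = "<stdin>") -> list[dict]:
    """Return one finding per credential-looking match, with line numbers for triage."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, rule in RULES.items():
            for match in rule.finditer(line):
                # Rules with a capture group report the captured secret, others the whole match.
                value = match.group(1) if rule.groups else match.group(0)
                findings.append({"path": path, "line": lineno, "kind": kind, "value": redact(value)})
    return findings

def scan_files(paths: list[str]) -> list[dict]:
    """Scan each file; errors='ignore' tolerates binary junk in committed blobs."""
    findings = []
    for path in paths:
        with open(path, encoding="utf-8", errors="ignore") as fh:
            findings.extend(scan_text(fh.read(), path))
    return findings

# Constructed sample of a config file that must never be committed. The AWS values are the
# placeholder keys from AWS's own documentation; the PEM header has no key material after it.
SAMPLE_CONFIG = """[govcloud]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
-----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":  # hook usage: python scan_secrets.py $(git diff --cached --name-only)
    hits = scan_files(sys.argv[1:]) if len(sys.argv) > 1 else scan_text(SAMPLE_CONFIG, "sample.ini")
    for hit in hits:
        print(f"{hit['path']}:{hit['line']}: {hit['kind']} {hit['value']}")
    sys.exit(1 if hits else 0)  # non-zero exit blocks the commit
```

A hook like this only catches a secret before it is committed; once a secret has been pushed to a public repository it has already been visible through GitHub's public event stream, and rotating it is the only remedy.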
Follow-up reporting adds that lawmakers from both houses of Congress, including Sen. Maggie Hassan and Rep. Bennie Thompson, have formally demanded answers from CISA Acting Director Nick Andersen, citing risks to critical infrastructure and concerns that the agency's security culture has weakened following workforce attrition. KrebsOnSecurity further reports that, more than a week after the leak was disclosed, CISA still had not invalidated an exposed RSA private key granting full access to the CISA-IT GitHub organization's code repositories; the key was apparently rotated only after a second notification from security researcher Dylan Ayrey. The follow-up reporting also notes that the Private-CISA repository was created in November 2025, and that cybercrime groups or foreign adversaries likely spotted the exposed secrets on GitHub's public event firehose.