VYPR
Breach · Published May 18, 2026 · Updated May 20, 2026 · 5 sources

CISA Contractor Exposed AWS GovCloud Keys and Internal Credentials in Public GitHub Repo

A CISA contractor left highly sensitive AWS GovCloud administrative keys, plaintext passwords, and internal system details exposed in a public GitHub repository for months, in what researchers call one of the worst government data leaks in recent history.

A contractor for the Cybersecurity and Infrastructure Security Agency (CISA) maintained a GitHub repository named 'Private-CISA' that was publicly accessible until this past weekend, exposing a trove of highly sensitive credentials and internal system details. The leak included administrative keys to three Amazon Web Services (AWS) GovCloud accounts, plaintext usernames and passwords for dozens of internal CISA systems, and credentials for the agency's internal code repository (Artifactory). Security researchers who analyzed the repository described it as a textbook example of poor security hygiene and one of the most egregious government data leaks in recent memory.

The exposure was first flagged on May 15 by Guillaume Valadon, a researcher with security firm GitGuardian, which constantly scans public code repositories for exposed secrets. Valadon told KrebsOnSecurity that the repository's commit logs showed the CISA administrator had deliberately disabled GitHub's default secret detection feature, which normally blocks users from publishing SSH keys or other secrets in public repositories. 'Passwords stored in plain text in a csv, backups in git backups, explicit commands to disable GitHub secrets detection feature — I honestly believed it was all fake before analyzing the content deeper,' Valadon wrote. 'This is indeed the worst leak that I've witnessed in my career.'

Among the exposed files was one titled 'importantAWStokens' containing administrative credentials to three AWS GovCloud servers, which are the isolated cloud environments used by U.S. government agencies for sensitive workloads. Another file, 'AWS-Workspace-Firefox-Passwords.csv,' listed plaintext usernames and passwords for dozens of internal CISA systems, including one called 'LZ-DSO' (Landing Zone DevSecOps), the agency's secure code development environment. Philippe Caturegli, founder of security consultancy Seralys, validated that the exposed AWS keys could authenticate to three GovCloud accounts at a high privilege level. He also noted that the archive included plaintext credentials to CISA's internal Artifactory, which stores all code packages used to build software. 'That would be a prime place to move laterally,' Caturegli said. 'Backdoor in some software packages, and every time they build something new they deploy your backdoor left and right.'

The repository was created on November 13, 2025, meaning the sensitive data may have been exposed for approximately six months before it was taken down. The contractor's GitHub account, which was created in September 2018, was disabled shortly after KrebsOnSecurity and Seralys notified CISA about the exposure. However, Caturegli noted that the exposed AWS keys remained valid for another 48 hours after the repository was removed. The contractor was employed by Nightwing, a government contractor based in Dulles, Virginia. Nightwing declined to comment, directing inquiries to CISA.

In response to questions, a CISA spokesperson said the agency is aware of the reported exposure and is continuing to investigate. 'Currently, there is no indication that any sensitive data was compromised as a result of this incident,' the spokesperson wrote. 'While we hold our team members to the highest standards of integrity and operational awareness, we are working to ensure additional safeguards are implemented to prevent future occurrences.' The incident highlights the persistent risk of credential exposure through public code repositories, a problem that has affected numerous organizations and government agencies. The use of easily guessable passwords — many of which consisted of each platform's name followed by the current year — further compounded the risk. Caturegli noted that such practices would constitute a serious security threat even if the credentials were never exposed externally, as threat actors often use key credentials found on internal networks to expand their access after establishing an initial foothold.
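The password pattern described above (platform name followed by the current year) can be checked for in an organization's own credential inventory. The following is an added example, not code from the article or from any party it names; it assumes a browser-style export with `url`, `username` and `password` columns, and the hosts, accounts and passwords in the sample are constructed.

```python
import csv
import io
import re
from urllib.parse import urlparse

# Constructed sample export; every host, user and password here is invented.
SAMPLE_CSV = """url,username,password
https://artifactory.example.internal,svc-build,Artifactory2025!
https://jenkins.example.internal,admin,jenkins@2026
https://wiki.example.internal,jdoe,k7#Vq9w-Lm2x$Rt
https://grafana.example.internal,ops,Gr4fana2025
"""

YEAR = re.compile(r"(?:19|20)\d{2}")
# Common character substitutions, undone before comparing with the site name.
LEET = str.maketrans("4301!$@5", "aeoiisas")


def site_tokens(url):
    """Hostname labels long enough to be a meaningful platform name."""
    host = urlparse(url).hostname or ""
    return {label.translate(LEET) for label in host.lower().split(".") if len(label) >= 4}


def is_name_plus_year(url, password):
    """True when the password is the site's name decorated with a four-digit year."""
    match = YEAR.search(password)
    if not match:
        return False
    # Remove the year, then trim punctuation added to satisfy complexity rules.
    stem = password[:match.start()] + password[match.end():]
    stem = re.sub(r"^[^A-Za-z0-9]+|[^A-Za-z0-9]+$", "", stem)
    stem = stem.lower().translate(LEET)
    return any(token in stem for token in site_tokens(url))


def audit(csv_text):
    """Return (url, username) for each weak entry; passwords are never echoed."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if is_name_plus_year(row["url"], row["password"]):
            findings.append((row["url"], row["username"]))
    return findings


if __name__ == "__main__":
    for url, user in audit(SAMPLE_CSV):
        print(f"rotate: {user} @ {url}")
```

Entries it flags are candidates for rotation and for moving into a secrets manager rather than a file that can end up in version control.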

The Register's report adds new details from GitGuardian researcher Guillaume Valadon, who discovered the repository on May 14 and described it as containing 844 MB of secrets with filenames like "external-secret-repo-creds.yaml" and "AWS-Workspace-Firefox-Passwords.csv." Valadon noted the repository was never forked based on public GitHub events, suggesting it may not have been widely circulated, though he cautioned that only GitHub can definitively answer whether other parties accessed it. CISA took the repository down within a day of the report and stated there is no evidence of compromise so far.

GitGuardian researcher Guillaume Valadon revealed on May 19 that the repository, named 'Private-CISA' but publicly accessible since November 13, 2025, contained 844MB of sensitive data including plain-text passwords, authentication tokens, AWS credentials, and SAML certificates. Valadon noted that some commits included explicit instructions to disable GitHub's secret scanning, indicating developers deliberately bypassed security controls under deadline pressure. CISA took down the repository within 24 hours after the issue was escalated via journalist Brian Krebs, though it remains unclear whether threat actors accessed the data during the six-month exposure window.

Congressional Democrats, including Rep. Bennie Thompson and Sen. Maggie Hassan, have formally demanded briefings and classified information from CISA, citing risks of state actors gaining persistence in government systems. The letters point to personnel and budget cutbacks at the agency as potential contributors to the incident, while CISA stated there is no evidence of data compromise and is continuing to investigate. Security researchers noted that the repository was taken down swiftly after GitGuardian alerted CISA, but emphasized that such misconfigurations remain a recurring nightmare for organizations of all sizes.

The Register reports that the repository, named 'Private-CISA', contained 844 MB of production infrastructure material including JFrog Artifactory tokens, Azure and AWS credentials, Kubernetes manifests, and Entra ID SAML certificates, with filenames like 'external-secret-repo-creds.yaml' and 'AWS-Workspace-Firefox-Passwords.csv'. GitGuardian researcher Guillaume Valadon discovered the leak on May 14 and reported it; CISA removed the repo the next day. The agency stated there is no evidence the data was compromised, but the exposure could enable attacks ranging from ransomware to long-term pipeline persistence.

Synthesized by Vypr AI