Security researchers found a public GitHub repository managed by a contractor that exposed plaintext passwords, API keys and highly privileged AWS GovCloud credentials tied to the U.S. Cybersecurity and Infrastructure Security Agency (CISA). Files—including deployment scripts, tokens and build artifacts—appeared to grant admin access to multiple GovCloud accounts and internal services, and commit history suggested GitHub secret-detection was disabled and the repo served as a personal workspace. CISA says there's no current evidence of compromise and has removed the repo while investigating. The incident highlights persistent risks in secrets management, contractor workflows and software supply-chain hygiene at critical government agencies.
Exposed high-privilege AWS GovCloud credentials for a national cybersecurity agency create immediate risk of lateral movement, supply-chain compromise and data theft. Tech teams must reassess secrets management, CI/CD hygiene and contractor access controls to prevent similar breaches.
Dossier last updated: 2026-05-19 03:22:56
A public GitHub repository named "Private-CISA" exposed plaintext passwords, SSH private keys, tokens and other sensitive CISA assets since at least November 2025, according to reporting by security researcher Brian Krebs. GitGuardian researcher Guillaume Valadon discovered the repo via public scans and says repo commit logs indicate GitHub's default secret-protection features had been disabled. Independent testing by Seralys founder Philippe Caturegli demonstrated the credentials could access multiple AWS GovCloud accounts with high privileges. The repo appears linked to Nightwing, a Virginia-based CISA contractor; Nightwing has deferred comment to CISA. The leak follows earlier CISA mishandling incidents, underlining persistent operational security problems at the agency.
CISA left sensitive credentials—including plaintext passwords, API keys and admin tokens for AWS GovCloud and internal systems—publicly exposed in a GitHub repository named “Private-CISA” since at least November, Krebs on Security reports. The leak, attributed to a contractor employee reportedly moving files between work and home devices, exposed files like “importantAWStokens” and “AWS-Workspace-Firefox-Passwords.csv,” which included access to a Landing Zone DevSecOps environment. CISA said there’s no indication data was compromised and pledged additional safeguards; the repository was taken down over the weekend. The incident underscores operational and supply-chain risks in government cybersecurity practices and the dangers of secrets in code hosting platforms.
CISA left plaintext passwords, API keys and AWS GovCloud administrative credentials in a public GitHub repository named “Private-CISA,” exposed for months before being removed over the weekend, Krebs on Security reports. The leak allegedly stemmed from a contractor employee (Nightwing) using GitHub to transfer work data to a home device; exposed files included CSVs listing internal usernames/passwords and tokens for CISA systems and a Landing Zone DevSecOps environment. CISA says there’s no current indication of compromise and pledged additional safeguards. The incident underscores supply-chain, credential-management and operational-security failures at a major US cyber agency and highlights risks uncovered by secret-scanning firms like GitGuardian.
A contractor-maintained public GitHub repository named "Private-CISA" exposed highly privileged AWS GovCloud keys, plaintext passwords, tokens and build artifacts tied to the Cybersecurity and Infrastructure Security Agency (CISA). Researchers from GitGuardian and security consultants including Philippe Caturegli at Seralys found files showing how CISA builds, tests and deploys software and discovered admin credentials that authenticated to three AWS GovCloud accounts and internal services like the agency artifactory and a Landing Zone DevSecOps environment. The leak—attributed to poor hygiene and disabled GitHub secret-detection—could let attackers backdoor packages, move laterally, and persist in critical government infrastructure, prompting urgent remediation and review of insider practices. This represents a severe government data exposure with operational and supply-chain security implications.
A public GitHub repository maintained by a CISA contractor exposed highly privileged AWS GovCloud credentials, plaintext passwords, tokens and internal build artifacts, representing a severe government data leak. Security firm GitGuardian researcher Guillaume Valadon flagged the repository,
A publicly accessible GitHub repository owned by a Cybersecurity and Infrastructure Security Agency (CISA) contractor exposed highly privileged AWS GovCloud keys, plaintext passwords, tokens and internal build artifacts, according to security researchers. GitGuardian researcher Guillaume Valadon flagged the “Private-CISA” repo on May 15 after automated scans found secrets; Seralys founder Philippe Caturegli validated that several AWS GovCloud accounts and an internal artifactory were accessible with the leaked credentials. The files included deployment scripts, backups, and instructions that appeared to disable GitHub’s secrets detection, suggesting poor hygiene or risky internal practices. The leak could allow attackers to persist, move laterally, or backdoor packages used across CISA systems, making it a major government security incident.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) left plaintext passwords, keys and AWS GovCloud tokens in a public GitHub repository named “Private-CISA,” exposed since November and fixed over the weekend, Krebs on Security reports. The leak reportedly included admin credentials for three GovCloud servers and CSVs with usernames and passwords for internal systems, potentially affecting CISA’s Landing Zone DevSecOps environment. A contractor employee from Nightwing appears to have used GitHub to move work files to a home device. CISA says there’s no indication of compromise and promises additional safeguards. The incident underscores persistent insider workflow risks and the need for secrets scanning and secure developer practices at critical agencies.
A public GitHub repository maintained by a contractor for the Cybersecurity and Infrastructure Security Agency (CISA) exposed highly privileged AWS GovCloud keys, plaintext passwords, tokens and internal build/deploy artifacts until it was taken down. Security researchers from GitGuardian and consultancy Seralys discovered the “Private-CISA” repo and found files such as “importantAWStokens” and “AWS-Workspace-Firefox-Passwords.csv” that granted admin access to three GovCloud accounts and to CISA’s internal artifact repository. Experts warned the leak shows severe security hygiene lapses—including disabled GitHub secret-detection—and could allow attackers to persist, move laterally, or backdoor software supply chains, making it a major government data exposure with serious operational and national-security implications.
Submitted by /u/rkhunter_ (https://www.reddit.com/user/rkhunter_). Link: https://krebsonsecurity.com/2026/05/cisa-admin-leaked-aws-govcloud-keys-on-github/ Comments: https://www.reddit.com/r/technology/comments/1th9qu6/cisa_admin_leaked_aws_govcloud_keys_on_github/
Brian Krebs / Krebs on Security: A CISA contractor maintained a now-offline GitHub repo that exposed credentials to AWS GovCloud accounts and CISA systems; CISA is investigating the situation — Until this past weekend, a contractor for the Cybersecurity & Infrastructure Security Agency (CISA) maintained a public GitHub repository …
CISA Admin Leaked AWS GovCloud Keys on Github
A CISA contractor’s public GitHub repository leaked administrative AWS GovCloud keys, plaintext passwords, tokens and internal deployment artifacts, exposing high-privilege access to multiple CISA/DHS systems. Security researchers from GitGuardian and consultancy Seralys discovered the “Private-CISA” repo and validated that some exposed credentials authenticated to three GovCloud accounts and CISA’s internal artifact repository, risking lateral movement and supply-chain backdoors. Commit history showed the repo owner disabled GitHub’s secret-detection safeguards and used the repository as a personal scratchpad, indicating systemic poor hygiene rather than a single accidental file. The leak highlights critical risks in cloud credential management, developer workflows and government cybersecurity practices. It may prompt audits, policy changes and tightened secrets management across agencies.