CISA Contractor Exposes AWS GovCloud Keys in Public GitHub Repo for Months
Sensitive CISA credentials exposed on GitHub by contractor, raising cybersecurity concerns.

WASHINGTON — A contractor working for the Cybersecurity and Infrastructure Security Agency inadvertently exposed highly sensitive administrative credentials for multiple AWS GovCloud accounts and dozens of internal CISA systems on a public GitHub repository for at least six months, security researchers said Monday.
The breach, described by experts as one of the most serious government data leaks in recent years, involved plaintext passwords, cloud access tokens and detailed files showing how CISA builds, tests and deploys internal software. The repository remained publicly accessible until it was taken offline over the weekend after researchers notified the agency.
Guillaume Valadon, a researcher with GitGuardian, first flagged the exposure. His firm continuously scans public code repositories for leaked secrets. Valadon said he first tried to contact the repository owner and, after receiving no response, reached out to CISA. A second researcher, Philippe Caturegli of Seralys, independently validated several of the exposed credentials.
The now-deleted repository, named "Private-CISA," was maintained by an employee of Nightwing, a government contractor based in Dulles, Virginia. It contained files such as "importantAWStokens" that granted high-level administrative access to at least three AWS GovCloud environments used by CISA. Another file, "AWS-Workspace-Firefox-Passwords.csv," listed plaintext usernames and passwords for numerous internal agency systems, including what appeared to be a secure development environment called "LZ-DSO."
Security experts who reviewed the exposed material expressed alarm at the scale and carelessness of the leak. Caturegli noted that the repository owner had deliberately disabled GitHub's built-in secret scanning feature, stored passwords in plain text, and appeared to use the public repo as a personal synchronization tool between work and home computers.
"This is the worst leak I've witnessed in my career," Valadon told KrebsOnSecurity. "It is obviously an individual's mistake, but it might reveal internal practices."
The repository was created on Nov. 13, 2025, and remained active with regular commits until its removal. Researchers said some exposed AWS keys remained valid for up to 48 hours after the repo was taken down.
CISA confirmed it is investigating the incident but said there is currently "no indication that any sensitive data was compromised." A spokesperson emphasized that the agency holds team members to the highest standards and is implementing additional safeguards to prevent future occurrences.
Nightwing declined to comment, directing all inquiries to CISA.
The exposure raises serious questions about government cybersecurity practices at a time when CISA — the nation's lead agency for protecting critical infrastructure — is operating with reduced staffing and budget constraints. The agency has lost nearly a third of its workforce since the start of the second Trump administration due to early retirements, buyouts and resignations.
Security analysts warned that the leaked material could have provided attackers with multiple pathways into sensitive government systems. Access to CISA's Artifactory repository, which stores code packages used for software builds, would offer a particularly dangerous foothold for supply-chain attacks.
"Backdoor in some software packages, and every time they build something new they deploy your backdoor left and right," Caturegli said.
The incident highlights ongoing challenges with credential management and the risks of using public repositories for sensitive work. Government contractors and agencies are required to follow strict security protocols, including the use of private repositories, proper secret management tools and regular audits.
This is not the first time sensitive government information has been exposed through GitHub. Previous incidents have involved other federal agencies and contractors accidentally publishing API keys, SSH credentials and configuration files. However, the privileged access to AWS GovCloud environments — which host highly sensitive federal workloads — makes this case particularly concerning.
AWS GovCloud is a specialized cloud region designed to meet strict U.S. government compliance requirements for security and data sovereignty. Compromise of administrative credentials could theoretically allow lateral movement into other federal systems or data exfiltration.
CISA's own mission includes advising federal agencies and critical infrastructure operators on cybersecurity best practices. The irony of a CISA contractor exposing credentials has drawn sharp criticism from cybersecurity professionals.
The timing of the leak is especially sensitive. CISA plays a central role in defending against nation-state threats, ransomware and election security risks. Any perception of internal carelessness could undermine confidence in the agency's ability to protect the nation's digital infrastructure.
Congressional oversight committees are likely to demand briefings on the incident. Lawmakers have previously expressed frustration with federal agencies over repeated cybersecurity lapses, including high-profile SolarWinds and MOVEit supply chain attacks.
For now, CISA says it has revoked the exposed credentials and is conducting a full audit of related systems. The agency has not disclosed how long the repository was publicly accessible or whether any unauthorized access occurred before discovery.
The contractor's GitHub account, created in 2018, used both official CISA-associated emails and personal addresses, suggesting the repository served as an informal bridge between work and personal computing environments. Such practices are explicitly discouraged under federal security guidelines.
Security experts recommend that organizations — especially those handling government data — implement automated secret scanning, use hardware security keys, enforce strict repository access controls and provide regular training on secure coding and credential management.
GitGuardian and other security firms offer free tools for developers and organizations to scan repositories for exposed secrets. Valadon urged developers and administrators to enable secret scanning features and avoid committing sensitive files to version control systems.
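One way to act on that advice, as an added example that is not part of the original article and not GitGuardian's, CISA's or any vendor's tool: a small pre-commit hook that refuses to commit the two kinds of artefact named above, an AWS credentials file and a browser password-export CSV. The file names, sample contents and the AWS documentation placeholder key pair are constructed for the example.

```python
# Hypothetical pre-commit secret scanner (example code, not GitGuardian's or CISA's tooling).
# Flags AWS key material and browser password-export CSVs; exits non-zero so git aborts the commit.
import re
import subprocess
import sys
from typing import List, Tuple

# AWS access key IDs: 4-char prefix (AKIA long-term, ASIA temporary) + 16 upper-case alphanumerics.
AWS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# 40-char secret keys are flagged only next to their usual label, to limit false positives.
AWS_SECRET = re.compile(r"(?i)aws[_-]?secret[_-]?access[_-]?key\W{1,4}([A-Za-z0-9/+=]{40})\b")
# Header row written by Firefox/Chrome "Export passwords"; column names may be quoted.
PASSWORD_CSV_HEADER = re.compile(r'^"?url"?,"?username"?,"?password"?', re.I)

Finding = Tuple[str, int, str]  # (path, 1-based line number, description)


def scan_text(path: str, text: str) -> List[Finding]:
    """Return one finding per suspicious hit in `text`."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if lineno == 1 and PASSWORD_CSV_HEADER.match(line):
            findings.append((path, lineno, "browser password export CSV"))
        for m in AWS_KEY_ID.finditer(line):
            findings.append((path, lineno, f"AWS access key ID {m.group(0)[:8]}..."))
        if AWS_SECRET.search(line):
            findings.append((path, lineno, "AWS secret access key"))
    return findings


def scan_staged_files() -> List[Finding]:
    """Scan files staged for the next commit; install this script as .git/hooks/pre-commit."""
    out = subprocess.run(["git", "diff", "--cached", "--name-only", "--diff-filter=ACM"],
                         capture_output=True, text=True, check=True).stdout
    findings: List[Finding] = []
    for name in out.splitlines():
        with open(name, errors="replace") as fh:
            findings.extend(scan_text(name, fh.read()))
    return findings


# Constructed samples built on AWS's documented placeholder key pair (not live credentials).
SAMPLE_TOKENS = ("[default]\naws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
                 "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n")
SAMPLE_CSV = '"url","username","password","httpRealm"\n"https://example.com","admin","hunter2",\n'

if __name__ == "__main__":
    hits = scan_staged_files()
    for path, lineno, what in hits:
        print(f"{path}:{lineno}: {what}", file=sys.stderr)
    sys.exit(1 if hits else 0)
```

A local hook like this catches the work-to-home sync habit described above before anything is pushed; pairing it with the hosting platform's own push protection covers the case where the hook is skipped or disabled.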
As the investigation continues, the incident serves as a stark reminder of the human element in cybersecurity. Even well-resourced agencies with critical national security missions remain vulnerable to simple oversights when proper processes are bypassed.
CISA has urged federal partners and critical infrastructure operators to review their own credential hygiene and GitHub security practices in light of this exposure. The agency said it will provide updated guidance on secure development practices in the coming weeks.
The full scope of the breach and its potential impact may take weeks or months to determine. In the meantime, the cybersecurity community continues to scrutinize the details that were briefly exposed, hoping that no malicious actors gained access during the months the repository sat publicly available on GitHub.
© Copyright 2026 IBTimes AU. All rights reserved.