CISA Contractor Leaks Sensitive AWS GovCloud Credentials via Public GitHub Repository

by Anika Shah - Technology
0 comments

A contractor for the Cybersecurity and Infrastructure Security Agency (CISA) maintained a public GitHub repository that exposed sensitive credentials to internal agency systems and AWS GovCloud environments. The exposure, which included plaintext passwords and cloud keys, was discovered by researchers at the security firm GitGuardian and subsequently reported by KrebsOnSecurity. CISA has confirmed it is investigating the incident, stating there is currently no indication that sensitive data was compromised.

How the CISA Data Exposure Occurred

The security lapse centered on a public GitHub repository titled “Private-CISA,” which served as a repository for an employee of Nightwing, a Dulles, Virginia-based government contractor. According to GitGuardian researcher Guillaume Valadon, the repository contained a high volume of internal CISA and Department of Homeland Security (DHS) credentials, including cloud access keys, authentication tokens, and plaintext passwords for internal systems.

Valadon noted that the repository’s commit logs indicated the administrator had explicitly disabled GitHub’s automated secret detection features, which are designed to prevent the accidental publication of sensitive information. Security consultant Philippe Caturegli, founder of Seralys, observed that the repository appeared to be used as a synchronization tool between different computing environments, noting the presence of both professional and personal email addresses in the metadata.

What Systems Were Impacted

CISA Contractor AWS Leak + Industrial Robot Exploits [Threat Brief]

The exposed files included administrative credentials for three Amazon Web Services (AWS) GovCloud accounts. Additionally, a file labeled “AWS-Workspace-Firefox-Passwords.csv” contained plaintext usernames and passwords for dozens of internal CISA systems.

Among the exposed assets were credentials for “LZ-DSO,” identified as the agency’s “Landing Zone DevSecOps” environment used for secure software development. Caturegli, who verified the validity of the AWS keys, warned that the exposure of credentials to the agency’s internal “artifactory”—a repository used to store software build packages—posed a significant risk. He noted that such access could allow a malicious actor to move laterally through the network or inject backdoors into software packages before they are deployed.

Agency Response and Security Status

CISA stated that it is aware of the incident and is working to implement additional safeguards. “While we hold our team members to the highest standards of integrity and operational awareness, we are working to ensure additional safeguards are implemented to prevent future occurrences,” a CISA spokesperson said.

The agency confirmed that as of their most recent assessment, no sensitive data had been compromised. The repository was taken offline shortly after notification from researchers; however, Caturegli reported that the exposed AWS keys remained valid for approximately 48 hours following the initial takedown. Nightwing, the contractor responsible for the account, declined to provide comment and directed all inquiries to CISA.

Security Practices and Potential Risks

The incident highlights broader concerns regarding security hygiene, particularly the use of weak, predictable passwords. Caturegli observed that many of the exposed credentials followed a simple pattern of the platform name followed by the current year.

While the repository was created in November 2025, the underlying GitHub account dated back to September 2018. Security experts emphasize that even if these credentials had remained internal, such patterns represent a significant vulnerability. The incident remains under investigation as the agency addresses the operational implications of the exposed data.

Related Posts

Leave a Comment