CISA Contractor Exposes Sensitive AWS Credentials on Public GitHub

Severity: High (Score: 69.0)

Sources: www.alternet.org, krebsonsecurity.com, Longbridge, Rss.Slashdot, Cybernews

Published: 2026-05-19 · Updated: 2026-05-20

Keywords: cisa, credentials, github, security, admin, govcloud, public

Severity indicators: credentials

Summary

A contractor for the U.S. Cybersecurity and Infrastructure Security Agency (CISA) left a public GitHub repository named 'Private-CISA' exposed for six months, containing sensitive credentials including AWS GovCloud access keys and internal CISA system passwords. Discovered by GitGuardian researcher Guillaume Valadon on May 14, 2026, the repository included files such as 'importantAWStokens' and 'AWS-Workspace-Firefox-Passwords.csv', which detailed access to critical infrastructure. The repository was created on November 13, 2025, and remained accessible until it was taken down on May 15, 2026, after Valadon alerted CISA. Despite the quick response, some credentials remained valid for an additional 48 hours, raising concerns about potential exploitation. CISA has stated there is currently no evidence that sensitive data was compromised as a result of the incident. The leak highlights significant lapses in security practices, especially given CISA's role in advising on cybersecurity.

Key Points:

  • A public GitHub repository exposed sensitive AWS GovCloud credentials for six months.
  • The repository contained plaintext passwords and access tokens for multiple internal CISA systems.
  • CISA has confirmed no evidence of data compromise, but some credentials remained valid for 48 hours post-disclosure.

Detailed Analysis

**Impact** A contractor for CISA exposed 844 MB of sensitive data on a public GitHub repository for approximately six months, affecting U.S. federal cybersecurity operations. The leak included plaintext passwords, AWS GovCloud administrative credentials for three accounts, internal CISA system tokens, CI/CD logs, Kubernetes manifests, and internal documentation. This exposure potentially compromised the agency’s secure code development environment and software supply chain, with implications for government cloud infrastructure and critical national cybersecurity defenses. The incident primarily impacts U.S. government cybersecurity posture but also poses risks to sectors relying on similar cloud infrastructures, such as finance and cryptocurrency.

**Technical Details** The exposure resulted from a contractor using a public GitHub repository named “Private-CISA” to sync sensitive files, including plaintext credentials and tokens, and disabling GitHub’s default secret scanning protections. The repository contained AWS GovCloud keys, GitHub personal access tokens, Entra ID SAML certificates, and internal infrastructure code (Terraform, Kubernetes, ArgoCD). No malware or CVEs were exploited; the incident stems from poor secrets management and operational security failures. The exposed AWS keys remained active for 48 hours after the repository takedown, increasing the risk of unauthorized access. No confirmed compromise or exploitation has been reported.

**Recommended Response** Revoke and rotate all exposed AWS GovCloud credentials and associated tokens immediately. Enforce strict use of secret management tools and enable GitHub’s secret scanning and repository access controls. Monitor for unauthorized access attempts to AWS and internal CISA systems, focusing on lateral movement and persistence tactics. Conduct audits of contractor repositories and implement mandatory security training on secrets handling and cloud credential management.

Source articles (29)

  • CISA Admin Exposes AWS GovCloud Credentials on Public GitHub Repository — Cybersecuritynews · 2026-05-19
    A major security lapse has exposed highly sensitive U.S. government cloud credentials after a contractor working with the Cybersecurity and Infrastructure Security Agency (CISA) accidentally published…
  • ‘The Worst Leak That I’ve Witnessed’: U.S. Cybersecurity Agency Leaves Its Digital Keys Out in Public on GitHub — gizmodo.com · 2026-05-19
  • CISA contractor apparently leaked 'highly sensitive' government AWS keys on Github — www.techradar.com · 2026-05-19
  • Brian Krebs — krebsonsecurity.com · 2026-05-19
  • Congress Cisa Briefing Credentials Leak — www.axios.com · 2026-05-19
  • Irony alert: Trump's top cybersecurity agency exposed its own passwords online — www.alternet.org · 2026-05-19
  • CISA Admin Leaked AWS GovCloud Keys On Github — Rss.Slashdot · 2026-05-19
    An anonymous reader quotes a report from KrebsOnSecurity: Until this past weekend, a contractor for the Cybersecurity & Infrastructure Security Agency (CISA) maintained a public GitHub repository that…
  • Massive Cisa data leak exposes internal systems and AWS keys — News.Az · 2026-05-19
    The Cybersecurity and Infrastructure Security Agency (CISA) is facing one of the most embarrassing data security blunders in recent government history. A contractor for the federal cyber defense agenc…
  • CISA Admin Reportedly Exposes AWS GovCloud Credentials in Public GitHub Repository — Gbhackers · 2026-05-19
    A significant security lapse involving the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has come to light after a contractor reportedly exposed highly sensitive AWS GovCloud credential…
  • CISA exposed plaintext passwords and cloud keys on GitHub for six months — Cryptobriefing · 2026-05-19
    The US federal cybersecurity agency, tasked with protecting critical infrastructure, left admin credentials and AWS GovCloud keys in a public repository that sat undetected for half a year. A public r…
  • CISA contractor's public GitHub repo exposed sensitive government credentials — Scworld · 2026-05-20
    A public GitHub repository containing highly sensitive internal credentials and systems used by the US Cybersecurity and Infrastructure Security Agency (CISA) has been revealed, based on information p…
  • U.S. Cybersecurity Agency Just Left the Keys to the Kingdom on Public GitHub — Gadgetreview · 2026-05-19
    GitGuardian researcher Guillaume Valadon has seen plenty of leaked credentials in his career scanning public repositories. But when he discovered a CISA contractor’s “Private-CISA” GitHub repo stuff…
  • CISA Contractor Exposed AWS GovCloud Keys in Public GitHub Repository, Report Says — Technadu · 2026-05-19
    A contractor working for the Cybersecurity and Infrastructure Security Agency (CISA) maintained a public GitHub repository named "Private-CISA" that exposed credentials to several highly privileged AW…
  • “Worst Leak I've Ever Seen”: U.S. Cyber Agency Accidentally Exposes Secret Access Keys on GitHub — Usaherald · 2026-05-19
    The federal agency tasked with defending America from cyber threats has been caught leaving its own digital secrets exposed online in what one cybersecurity expert called “the worst leak that I’ve wit…
  • Significant Data Exposure in CISA Contractor Repository Raises Security Concerns — Valuethemarkets · 2026-05-19
    A public repository linked to a CISA contractor exposed sensitive cloud data, raising security concerns for cryptocurrency and finance sectors. Sensitive data has recently come to light following the…
  • CISA Contractor Apparently Leaked 'Highly Sensitive' Government AWS Keys on Github — Ground.News · 2026-05-19
    SSH keys, plaintext passwords, other sensitive data had been up since November 2025. The leak was so bad, researchers initially thought it was a joke. The federal cybersecurity agency left plaintext p…
  • CISA credential leak raises alarms, and Capitol Hill demands answers — Cyberscoop · 2026-05-19
    Congressional Democrats want answers from the Cybersecurity and Infrastructure Security Agency the reported public exposure of sensitive agency credential data on GitHub in an incident that the securi…
  • CISA Admin Leaked AWS GovCloud Keys on Github — Feeds.Feedburner · 2026-05-18
    Until this past weekend, a contractor for the Cybersecurity & Infrastructure Security Agency (CISA) maintained a public GitHub repository that exposed credentials to several highly privileged AWS GovC…
  • CISA left 844 MB of plaintext passwords and AWS tokens on public GitHub for six months — Cybernews · 2026-05-20
    Security researchers at GitGuardian have discovered login credentials for the US Cybersecurity and Infrastructure Security Agency (CISA). On a public GitHub repository called “Private-CISA,” they foun…
  • US Cybersecurity Agency CISA Left Sensitive Data Exposed — Zamin.Uz · 2026-05-19
    The leading US cybersecurity agency CISA left access keys to its cloud systems and internal networks exposed on the open internet due to a serious security oversight. This dangerous situation was disc…
  • America's top cyber-defense agency left a GitHub repo open with passwords, keys, tokens — Theregister · 2026-05-19
    I wonder what's in 'external-secret-repo-creds.yaml' and 'AWS-Workspace-Firefox-Passwords.csv'? The US Cybersecurity and Infrastructure Security Agency (CISA) left open a GitHub repository named “Priv…
  • Contractor’s public GitHub account exposed GovCloud and CISA credentials — Csoonline · 2026-05-19
    Until a few days ago, a publicly-accessible GitHub repository exposed credentials for both US government AWS accounts and internal Cybersecurity and Infrastructure Security Agency (CISA) systems. That…
  • CISA Exposes Secrets, Credentials in 'Private' Repo — Darkreading · 2026-05-19
    The agency's GitHub repository, publicly available since November 2025, was ironically named "Private-CISA." It seems every organization is exposing secrets on the Internet these days — even the US go…
  • CISA GitHub Data Leak: Sensitive Credentials, Passwords Posted to Public Repository — Techloy · 2026-05-19
    The agency responsible for protecting U.S. government systems from cyberattacks has been found to have left its own keys publicly accessible, raising questions its own security practices. According to…
  • US cyber agency CISA exposed reams of passwords and cloud keys to the open web — Longbridge · 2026-05-19
    The U.S. cybersecurity agency CISA faced a significant security lapse when a researcher discovered exposed credentials on GitHub, allowing access to sensitive systems. The credentials, linked to a CIS…

Timeline

  • 2025-03-15 — CVE-2025-30066 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
  • 2025-11-13 — Private-CISA repository created: A GitHub repository named 'Private-CISA' was created by a CISA contractor, containing sensitive information.
  • 2026-05-14 — Repository discovered by GitGuardian: Guillaume Valadon of GitGuardian found the exposed repository and alerted CISA.
  • 2026-05-15 — CISA takes down repository: CISA took down the exposed repository within 26 hours of being notified by Valadon.
  • 2026-05-15 — Exposed credentials remained valid: Some AWS keys remained valid for 48 hours after the repository was taken down, raising security concerns.
  • 2026-05-19 — CISA confirms no data compromise: CISA stated there is currently no indication that any sensitive data was compromised as a result of the incident.

CVEs

  • CVE-2025-30066

Related entities

  • Data Breach (Attack Type)
  • Supply Chain Attack (Attack Type)
  • SolarWinds Attack (Campaign)
  • CISA (Company)
  • ClickUp (Company)
  • Cybersecurity and Infrastructure Security Agency (Company)
  • Cybersecurity & Infrastructure Security Agency (Company)
  • Department of Homeland Security (Company)
  • U.S. Cybersecurity And Infrastructure Security Agency (Company)
  • AWS (Company)
  • Azure (Company)
  • CWE-200 - Exposure of Sensitive Information (Cwe)
  • CWE-78 - OS Command Injection (Cwe)
  • CWE-798 - Use of Hard-coded Credentials (Cwe)
  • news.az (Domain)
  • Financial (Industry)
  • Government (Industry)
  • T1041 - Exfiltration Over C2 Channel (Mitre Attack)
  • T1552.001 - Credentials In Files (Mitre Attack)
  • T1567 - Exfiltration Over Web Service (Mitre Attack)
  • Amazon Web Services GovCloud (Platform)
  • ArgoCD (Platform)
  • AWS GovCloud (Platform)
  • ChatGPT (Platform)
  • Entra ID (Platform)
  • GitHub (Platform)
  • JFrog Artifactory (Platform)
  • Kubernetes (Platform)
  • Terraform (Platform)
  • GitHub Actions (Tool)